This series is going to take a closer look at using the Viper analysis platform and its associated modules.
If you are new to Viper, here are a few links for you.
- http://viper.li - The project's home page
- https://github.com/botherder/viper - The project's GitHub repository
- Install Guide - My Install guide.
Let's dive straight in and assume you have just finished installing and have an empty dataset.
cd into the Viper directory and launch Viper with the command ./viper.py.
You should see something like this.
Before we get into commands, let's look at the help first. Running the command help will list all the built-in commands and all the modules that are available.
Running a command name with --help will, in most cases, display the help for that command or module.
By default Viper operates on a single database storing all files under a single instance. Viper is also capable of running 'Projects'. These are separate databases and file stores that run independently of each other. As an example, if I was working on a small set of data that was focused on a specific case, I could create a project and store all my files under that project and not have them mixed in with the main database.
To create a new project run viper with the -p flag and specify a project name. You will see the console prompt reflect the current project.
You can list, switch or create new projects from the console.
With an active Viper instance, let's get our first sample into Viper. As we can see from the help sections above, we can add files using the open command.
Open & Store
This opens a session on our file. From here we can run more commands or modules against the open file. It is important to note that at this point the file is not stored in the database.
The info command will show the standard information you would expect.
If we decide this is something we would like to keep in the database, we can use the store command to save it into the database.
With Viper we can also chain commands using ';'. So if I wanted to open and store a single file, I could have used
Once I have finished with a file, I can close the open session using the close command. Viper will indicate which session is active by listing the filename, as seen in the examples above.
Sticking with the open command, I can open files from the internet by specifying a URI. This can be used to grab files or HTML pages. Remember to use the store command if you want to keep the file in the database.
Pages and files retrieved using this method are stored under a temporary name; we can use tags to identify them, as we will see later on.
At any time we can see a list of active sessions by using the sessions command. This command allows us to view and switch between sessions.
Opening files one at a time is useful for small sessions, but it's not really efficient if you are importing a large dataset. For that we can skip the open and jump straight to store, which allows us to import multiple files at once.
As shown in the help section there are many options we can set to specify what files we are importing.
Import all .xls files.
Import all files and tag them as dridex.
You will notice that Viper will only store a file in the database once. This is based on the hash of the file, so if you have identical files with different names they will only be stored once. Tags can be useful in these instances to record the multiple file names.
We now have files stored in the database. Before we get into modules, let's have a look at navigating the database. In order to run modules against a file we need to open a session on the file. This is easy if we opened the file directly, but if it's stored in the database we need to open it from there.
The simplest way to open a session on a stored file is to use the open command and specify the file's hash, either MD5 or SHA256.
This is great if you are Sheldon Cooper and have perfect recall for file hashes. If you are more like us mere mortals, you will need something more intuitive, like a search command. Thankfully Viper has one.
The find command allows us to search the database for matching files, using names and tags to identify them.
The easiest way to show this is with some examples:
Find all ‘.xls’ files.
Find all msword mime types
Find all should be self-explanatory.
We will talk more about tags and notes shortly, but you can also search for tags and for text in notes.
Find all files tagged with dridex
Find all notes that contain searchterm
The find command will list all matching samples. To open a session on any of the matching files, just issue the open command and specify the Line # you want to open.
Now that we can store and search for samples, let's look at the last few core commands.
As shown with the find command, tags can be very useful for identifying and locating samples. All tags attached to a file can be viewed in the info and find results.
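To make the storage and search behaviour described above concrete (store once per content hash, extra names and tags accumulating on the same sample, open by MD5 or SHA256, and find by name, tag or note), here is a small constructed stand-in for Viper's repository. It is added for this post and is not Viper's own code; the class and method names are my own, and the sample bytes are made up.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed illustration of the repository semantics described in the post.
# Not Viper's storage code; names here are hypothetical.

@dataclass
class Sample:
    sha256: str
    md5: str
    names: set = field(default_factory=set)   # every name the same bytes arrived under
    tags: set = field(default_factory=set)
    notes: list = field(default_factory=list)

class MiniRepo:
    def __init__(self):
        self._samples = {}            # sha256 -> Sample, so identical bytes collapse to one entry

    def store(self, name, data, tags=()):
        """Store once per content hash; re-importing only adds the new name and tags."""
        sha256 = hashlib.sha256(data).hexdigest()
        sample = self._samples.get(sha256)
        if sample is None:
            sample = Sample(sha256, hashlib.md5(data).hexdigest())
            self._samples[sha256] = sample
        sample.names.add(name)
        sample.tags.update(tags)
        return sample

    def open(self, key):
        """Open by MD5 or SHA256, like `open <hash>` in the console; None if unknown."""
        return next((s for s in self._samples.values() if key in (s.sha256, s.md5)), None)

    def find(self, kind, value=""):
        """Mirror the find sub-commands used in the post: all, name, tag, note."""
        def match(s):
            if kind == "all":  return True
            if kind == "name": return any(value in n for n in s.names)
            if kind == "tag":  return value in s.tags
            if kind == "note": return any(value in n for n in s.notes)
            raise ValueError(kind)
        # position in this list (1-based) is the Line # you would pass to `open`
        return sorted((s for s in self._samples.values() if match(s)), key=lambda s: s.sha256)

def demo():
    repo = MiniRepo()
    doc = b"constructed sample bytes: not a real document"
    repo.store("invoice.xls", doc, tags={"dridex"})
    repo.store("copy_of_invoice.xls", doc)          # same bytes, different name: no new entry
    repo.store("readme.doc", b"different bytes", tags={"dridex"})
    repo.open(hashlib.md5(doc).hexdigest()).notes.append("delivered via phishing mail")
    return repo
```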
Adding tags to an open session is as simple as
You will see my new tags are now listed and searchable. To see a list of all tags we use the find -t command.
Notes are useful for storing small snippets of information or the output of modules. As with other fields they are searchable using the find command as we saw earlier.
To add a note you first need an open session then use notes -a
The body of the note is entered using your default command line text editor.
You can then use the note id to view, edit or delete the note.
If you want to export the sample to send or use in another environment the export command will allow you to do this.
That’s all for this post. The next set of posts will look at each of the modules in more detail.
As usual, questions, queries and comments below.