EyeON Modules

• eyeon.cli package
  • Module contents
    • CommandLine
      • CommandLine.checksum()
      • CommandLine.compress_file()
      • CommandLine.delete()
      • CommandLine.listbox()
      • CommandLine.observe()
      • CommandLine.parse()
      • CommandLine.upload()
    • main()

eyeon.observe module

eyeon.observe.Observe makes an observation of a file. An observation will output a json file containing unique identifying information such as hashes, modify date, certificate info, etc. See the Observe class doc for full details.

class eyeon.observe.Observe(file: str)

Bases: object

Class to create an Observation of a file.

Parameters:

file (str): Path to file to be scanned.

Required Attributes:

bytecountint

size of file

filenamestr

File name

magicstr

Magic byte descriptor

md5str

md5sum of file

modtimestr

Datetime string of last modified time

observation_tsstr

Datetime string of time of scan

permissionsstr

Octet string of file permission value

sha1str

sha1sum of file

sha256str

sha256sum of file

ssdeepstr

Fuzzy hash used by VirusTotal to match similar binaries.

configdict

toml configuration file elements

Optional Attributes:

compilerstr

String describing compiler, compiler version, flags, etc.

hoststr

csv string containing intended install locations

imphashstr

Import hash for Windows binaries

telfhashstr

Telfhash for ELF Linux binaries

detect_it_easystr

Detect-It-Easy output.

signaturesdict

Descriptors of signature information, including signatures and certificates. Only valid for Windows

metadatadict

Windows File Properties – OS, Architecture, File Info, etc.

static create_hash(file, hash)

Generator for hash functions.

prep_javaclass_metadata() → None

set_imphash(file: str) → None

Sets import hash for PE files. See https://www.mandiant.com/resources/blog/tracking-malware-import-hashing.

set_issuer_sha256() → None

Parses the certificates to build issuer_sha256 chain The match between issuer and subject name is case insensitive, as per RFC 5280 4.1.2.4 section 7.1

set_magic(file: str) → None

Reads magic bytes at beginning of file.

set_metadata(file: str, mgr: PluginManager) → None

set_signatures(file: str) → None

Runs LIEF signature validation and collects certificate chain.

set_ssdeep(file: str) → None

Computes fuzzy hashing using ssdeep. See https://ssdeep-project.github.io/ssdeep/index.html.

set_telfhash(file: str) → None

Sets telfhash for ELF files. See https://github.com/trendmicro/telfhash.

write_database(database: str, outdir: str = '.') → None

Creates or loads json file into duckdb database

Parameters:

databasestr

Path to duckdb database file.

outdirstr

Output directory prefix. Defaults to current working directory.

write_json(outdir: str = '.') → None

Writes observation to json file.

Parameters:

outdirstr

Output directory prefix. Defaults to local directory.

eyeon.parse module

class eyeon.parse.Parse(dirpath: str)

Bases: object

General parser for eyeon. Given a folder path, will return a list of observations.

Parameters:

dirpath (str) – A string specifying the folder to parse.

write_database(database: str, outdir: str = './results') → None

Parse all output json files and add to database

Parameters:

• database (str) – The filepath to the duckdb database

• outdir (str) – A string specifying where results were saved

eyeon.setup_log module

Module contents