-
Notifications
You must be signed in to change notification settings - Fork 1
/
service_manifest.yml
84 lines (72 loc) · 2.1 KB
/
service_manifest.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
name: DocumentPreview
version: $SERVICE_TAG
description: Use OCR to detect for signs of malicious behaviour in Office and PDF files
accepts: document/(pdf$|office/.*|email|mobi|epub)|code/html|text/csv
rejects: empty|metadata/.*|document/office/onenote
stage: CORE
category: Static Analysis
file_required: true
timeout: 60
disable_cache: false
enabled: true
is_external: false
licence_count: 0
submission_params:
# Default is selected for phishing campaigns that tend to be singular-paged documents
- name: max_pages_rendered
type: int
value: 5
default: 5
# Run OCR on the first N pages
- name: run_ocr_on_first_n_pages
type: int
value: 1
default: 1
- name: load_email_images
type: bool
value: false
default: false
- name: analyze_render
type: bool
value: false
default: false
- name: save_ocr_output
type: list
value: "no"
default: "no"
list: ["no", "as_extracted", "as_supplementary"]
config:
# List of OCR terms to override defaults in service base for detection
# See: https://github.com/CybercentreCanada/assemblyline-v4-service/blob/master/assemblyline_v4_service/common/ocr.py
ocr:
banned: [] # Banned terms
macros: [] # Terms that indicate macros
ransomware: [] # Terms that indicate ransomware
browser_options:
capabilities:
pageLoadStrategy: normal
# Set browser to run headless without scrollbars
arguments:
- "--headless"
- "--no-sandbox"
- "--hide-scrollbars"
- "--disable-dev-shm-usage"
heuristics:
- heur_id: 1
name: OCR Detection Found
description: Suspicious verbage found in OCR inspection.
score: 0
signature_score_map:
macros_strings: 100
ransomware_strings: 100
banned_strings: 1
filetype: "*"
- heur_id: 2
name: Potential Phishing
description: Single page document including a link to 'click'
score: 300
filetype: "*"
docker_config:
image: ${REGISTRY}cccs/assemblyline-service-document-preview:$SERVICE_TAG
cpu_cores: 1
ram_mb: 4096