The official changelog is located here, but the major improvements are described below.
Upgrading MASTIFF to the latest version is easy. You can follow this process:
- Download and install pydeep.
- Download MASTIFF 0.6.0 and untar it.
- Run "make test" to ensure you are not missing any dependencies.
- Run "sudo make install" to install the latest version.
- Copy the analysis plug-ins (the plugins directory in the tarball) to your location of choice and ensure the config file is pointing to that directory.
- Add any new options to your MASTIFF config file. The easiest way may be to use sdiff.
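The last step above, merging new options into an existing config, is the one that is easy to get wrong by hand. The helper below is an added example written for this post, not part of MASTIFF itself: it parses the old and new INI-style configs and lists every option the new sample defines that the existing file lacks, then writes a merged file that keeps the existing values. The section and option names in the two sample configs are constructed placeholders, not MASTIFF's real option names.

```python
# Added example (not MASTIFF's own code): report and merge config options that
# a new release's sample config defines but an existing mastiff.conf lacks.
# Section and option names below are constructed placeholders.
import configparser
import io

# Constructed sample of a config from an older install (values are placeholders).
OLD_CONF = """
[Misc]
plugin_dir = /opt/mastiff/plugins
log_dir = /var/log/mastiff

[Dir]
base_dir = /var/mastiff/work
"""

# Constructed sample of the config shipped with a newer tarball.
NEW_CONF = """
[Misc]
plugin_dir = /usr/local/share/mastiff/plugins
log_dir = /var/log/mastiff
verbose = off

[Dir]
base_dir = /var/mastiff/work

[Queue]
clear_on_start = no
"""


def parse(text):
    """Parse INI text without interpolation so paths with '%' survive."""
    cp = configparser.RawConfigParser()
    cp.read_file(io.StringIO(text))
    return cp


def missing_options(old_text, new_text):
    """Return {section: [option, ...]} for options in new_text absent from old_text."""
    old, new = parse(old_text), parse(new_text)
    missing = {}
    for section in new.sections():
        for option in new.options(section):
            if not old.has_section(section) or not old.has_option(section, option):
                missing.setdefault(section, []).append(option)
    return missing


def merged_config(old_text, new_text):
    """Return old_text with missing options added at the new file's defaults.

    Existing values are never overwritten, so a site-specific plugin_dir survives
    the upgrade; only genuinely new options are taken from the new sample."""
    old, new = parse(old_text), parse(new_text)
    for section, options in missing_options(old_text, new_text).items():
        if not old.has_section(section):
            old.add_section(section)
        for option in options:
            old.set(section, option, new.get(section, option))
    out = io.StringIO()
    old.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for section, options in missing_options(OLD_CONF, NEW_CONF).items():
        print(f"[{section}] new options: {', '.join(options)}")
    print(merged_config(OLD_CONF, NEW_CONF))
```

Run it against your real files by reading them into `OLD_CONF` and `NEW_CONF`; review the printed list before replacing the installed config, since a renamed option shows up as "new" here rather than as a rename.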
Queue
MASTIFF now has a queueing system so multiple files can be analyzed by the framework. To utilize this, give MASTIFF a directory instead of a file to analyze. It will find all files in that directory and its subdirectories, add them to the queue, and begin processing.
The queue is maintained within the MASTIFF database. So, if you have to stop MASTIFF in the middle of its run, it will begin re-processing the queue when it's restarted. Some additional options have been added to allow you to work with the queue:
- --clear-queue: This will clear the current queue.
- --ignore-queue: This will ignore the queue and just process the file you give it.
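To show what a database-backed queue buys you, here is an added example written for this post (it is not MASTIFF's code, and MASTIFF's actual table layout and column names are not known here): a recursive directory walk feeds a SQLite table, each file is marked done only after its analysis returns, and a run that is stopped part-way resumes from the remaining entries when the queue is reopened. The `clear_queue` function plays the role of `--clear-queue`; the sample tree and the no-op analyzer are constructed.

```python
# Added example (not MASTIFF's own code): a resumable, SQLite-backed file queue.
# Table layout and the modelling of --clear-queue are assumptions.
import os
import shutil
import sqlite3
import tempfile


def open_queue(db_path):
    """Open (or create) the queue database."""
    conn = sqlite3.connect(db_path)
    conn.execute("""CREATE TABLE IF NOT EXISTS queue (
        path   TEXT PRIMARY KEY,
        status TEXT NOT NULL DEFAULT 'pending')""")
    conn.commit()
    return conn


def enqueue_dir(conn, root):
    """Walk root recursively and queue every regular file; return how many were new.
    Paths already present (from an earlier, interrupted run) keep their status."""
    added = 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.abspath(os.path.join(dirpath, name))
            if os.path.isfile(path):
                cur = conn.execute("INSERT OR IGNORE INTO queue(path) VALUES (?)", (path,))
                added += cur.rowcount  # 0 when the row was ignored as a duplicate
    conn.commit()
    return added


def clear_queue(conn):
    """Equivalent of --clear-queue: drop every entry."""
    conn.execute("DELETE FROM queue")
    conn.commit()


def pending(conn):
    """Entries not yet analyzed, in a stable order."""
    return [row[0] for row in conn.execute(
        "SELECT path FROM queue WHERE status = 'pending' ORDER BY path")]


def process_queue(conn, analyze, stop_after=None):
    """Analyze pending entries; each is marked done only after analyze() returns,
    so a crash mid-file leaves it pending for the next run. stop_after simulates
    an operator stopping the run early."""
    done = []
    for path in pending(conn):
        if stop_after is not None and len(done) >= stop_after:
            break
        analyze(path)
        conn.execute("UPDATE queue SET status = 'done' WHERE path = ?", (path,))
        conn.commit()
        done.append(path)
    return done


def demo():
    """Constructed sample tree: queue it, stop after two files, reopen, finish."""
    root = tempfile.mkdtemp()
    samples = os.path.join(root, "samples")
    for rel in ("a.exe", "b.pdf", "sub/c.doc", "sub/deep/d.bin"):
        full = os.path.join(samples, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(b"constructed sample content")
    db = os.path.join(root, "queue.db")  # kept outside the walked tree

    conn = open_queue(db)
    added = enqueue_dir(conn, samples)
    first = process_queue(conn, analyze=lambda p: None, stop_after=2)
    conn.close()  # "stop MASTIFF in the middle of its run"

    conn = open_queue(db)  # restart: nothing is re-added, two entries remain
    re_added = enqueue_dir(conn, samples)
    remaining = len(pending(conn))
    second = process_queue(conn, analyze=lambda p: None)
    left = len(pending(conn))
    conn.close()
    shutil.rmtree(root, ignore_errors=True)
    return added, len(first), re_added, remaining, len(second), left


if __name__ == "__main__":
    print(demo())  # (4, 2, 0, 2, 2, 0)
```

The important design point is the commit after each file rather than after the whole run: the queue on disk always reflects exactly which samples have been fully processed, which is what makes the restart safe.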
Fuzzy Hashing
Fuzzy hashing is not something new within MASTIFF. However, we have changed the Python library used for it. Previously, we used pyssdeep but found that there were a number of stability issues with it on OSX and when processing large amounts of files.
Therefore, we have switched to pydeep (https://github.com/kbandla/pydeep). Our testing has shown it to be much more stable thus far.
libmagic
There was some confusion on which Python libmagic library to use when installing MASTIFF. To help alleviate some of that, the framework has been modified to work with either of two different libmagic libraries:
- libmagic Python extensions (ftp://ftp.astron.com/pub/file/) - This may be installed from the source code, or is the library packaged as python-magic in most Linux distribution repositories.
- Python-magic (https://github.com/ahupp/python-magic/) - This may be installed through the source code or via Python pip.
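Both libraries import as `magic` but expose different APIs, which is exactly what caused the confusion. The following is an added example written for this post, not MASTIFF's own compatibility code: it tells the two modules apart by the functions they export and wraps either one behind a single file-type call. The API names used are the real ones (the astron.com extension's `magic.open()`, `.load()`, `.file()` and `MAGIC_NONE`/`MAGIC_MIME`; ahupp's `magic.from_file()`); the two stand-in modules returned by `fake_modules()` are constructed so the dispatch can be exercised with neither library installed.

```python
# Added example (not MASTIFF's own code): detect which "magic" binding is
# installed and expose one path -> description function over either of them.
import types


def detect_api(mod):
    """Return 'python-magic', 'libmagic-ext' or None for a magic-like module."""
    if hasattr(mod, "from_file"):                      # ahupp/python-magic
        return "python-magic"
    if hasattr(mod, "open") and hasattr(mod, "MAGIC_NONE"):  # astron.com extension
        return "libmagic-ext"
    return None


def make_identifier(mod, mime=False):
    """Build a callable path -> type string for whichever binding mod is."""
    api = detect_api(mod)
    if api == "python-magic":
        return lambda path: mod.from_file(path, mime=mime)
    if api == "libmagic-ext":
        handle = mod.open(mod.MAGIC_MIME if mime else mod.MAGIC_NONE)
        handle.load()  # load the default magic database

        def identify(path):
            result = handle.file(path)
            # older builds of the extension return bytes under Python 3
            return result.decode("utf-8", "replace") if isinstance(result, bytes) else result
        return identify
    raise ImportError("no supported libmagic binding found (install one of the two)")


def load_magic():
    """Import whichever 'magic' module is installed, or None if neither is."""
    try:
        import magic
    except ImportError:
        return None
    return magic


def fake_modules():
    """Constructed stand-ins for the two bindings (flag values are made up)."""
    class _ExtHandle:
        def __init__(self, flags):
            self.flags = flags

        def load(self, filename=None):
            pass

        def file(self, path):
            return b"text/plain" if self.flags == 1 else b"ASCII text"

    ext = types.SimpleNamespace(MAGIC_NONE=0, MAGIC_MIME=1, open=_ExtHandle)
    pm = types.SimpleNamespace(
        from_file=lambda path, mime=False: "text/plain" if mime else "ASCII text")
    return ext, pm


if __name__ == "__main__":
    real = load_magic()
    print("installed binding:", detect_api(real) if real else "none")
    ext, pm = fake_modules()
    print("ext  ->", make_identifier(ext)("/etc/hosts"))
    print("pm   ->", make_identifier(pm, mime=True)("/etc/hosts"))
```

Checking for `from_file` first matters: newer releases of ahupp's python-magic also ship a compatibility layer that mimics the extension's API, so testing for `open` first could misclassify it.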
Other Changes
A number of other bug fixes and improvements have been made. Please see the changelog file for a complete list.
As always, if you have any questions, please email mastiff-project@korelogic.com.
We have a lot of great things coming down the pipe for MASTIFF, but if you have any suggestions, enhancements or plug-ins, let us know!
6 comments:
Not working for me. I run Linux Mint 15 x64 at work and I can't get this installed. pydeep complains that python.h can't be found, and when I try to install python-dev or any variation thereof, I get either the error "no installation candidate", "package not found" or "is already installed and at its latest version".
Somehow I missed this comment (a while ago). If you are still having issues, let me know. This is typically seen because pydeep is missing a dependency.
Anon: I had the exact same error with Mint 15 x64 - can you install the package 'python2.7-dev'? That worked for me.
I am also having the same problem with pydeep
Ah the joys of not being notified of comments. Sorry for the delay in responses.
pydeep requires python-dev to be installed. On Mint, you should be able to do "sudo aptitude install python-dev". If that doesn't work, do "sudo aptitude search python | grep dev" and see what pulls up.
I have a question about "The file type of the file being analyzed is automatically determined." The file type of the file is not certain before analyzing.