2.1.1. Malcore engine
2.1.1.1. Presentation
The Malcore detection engine provides:
Real-time malware detection on files through static and heuristic multi-engine analysis
Scanning by 16 anti-virus engines
A scanning capacity of more than 6 million files per 24 hours
Attention
The engine identifiers (the hash values carried in the `id` field of each engine) may change over time, so do not hard-code them in searches or reports.
2.1.1.2. Events generated
The alerts generated by Malcore can be viewed in two places:
- In the main interface of the GCenter, named WEB UI (described in the Overview of the WEB UI): in the `Alerts` screen, select the MALWARE filter to display the list of alerts (see the presentation of the WEB UI `Alerts` screen). Clicking on an alert displays its detailed information: see Example of a Malcore alert in the webui.
- In the Kibana UI interface (described in the Overview of the Kibana GUI): in the WEB UI `Alerts` screen, select the MALWARE filter, click on an alert, select the `Flow details` command, then select the arrow to the left of the alert. The detailed information of the alert can be viewed in table or JSON format (see Malcore log example).
From the WEB UI main interface, it is possible to:
Download the source file
Send it to the GBox or Intelligence site
Retrieve the analysis report
2.1.1.2.1. Example of a Malcore alert in the webui
[Screenshot: example of a Malcore alert in the WEB UI; the fields shown are described in Malcore log data structure.]
2.1.1.2.2. Malcore log example
{
"_index": "malware-2023.10.09-000162",
"_type": "_doc",
"_id": "Dr-PE4sBeBoubSygq3KJ",
"_version": 1,
"_score": 1,
"_source": {
"proto": "TCP",
"gcap": "gcap-xxxxxxxxx.domain.local",
"uuid": "f639c844-3f6f-40fa-86c4-47ff603880e2",
"host": "gcap-xxxxxxxxx.domain.local",
"timestamp": "2023-10-09T08:23:13.332538+0000",
"email": {
"status": "PARSE_DONE",
"to": [
"test@gouv.fr"
],
"attachment": [
"smtptest-2021-02-24T17-30-01Z.zip"
],
"from": "heartbeat@free.fr"
},
"processing_time": 1341,
"dest_ip": "x.x.x.x",
"detail_scan_time": 245,
"src_port": 36746,
"event_type": "malware",
"@version": "1",
"analyzers_up": 16,
"vlan": [
3044
],
"analyzed_clean": 0,
"analyzed_other": 7,
"file_type_description": "ZIP Archive",
"timestamp_analyzed": "2023-10-09T08:31:04.503Z",
"state": "Infected",
"analyzed_infected": 9,
"dest_port": 25,
"engines_last_update_date": "2023-07-11T11:32:00Z",
"detail_threat_found": "Infected : EICAR-Test-File (not a virus) (B), Virus/EICAR_Test_File, EICAR-Test-File (not a virus), Eicar test file, EICAR_Test_File, Eicar-Signature, Eicar-Test-Signature, EICAR_Test_File, EICAR-Test-File",
"magic_details": "Zip archive data, at least v2.0 to extract",
"total_found": "9/16",
"detail_wait_time": 1096,
"timestamp_detected": "2023-10-09T08:23:13.332Z",
"type": "malcore",
"code": 1,
"file_type": "application/zip",
"smtp": {
"mail_from": "<heartbeat@free.fr>",
"rcpt_to": [
"<test@gouv.fr>"
],
"helo": "gouv.fr"
},
"engine_id": {
"0": {
"threat_details": "EICAR-Test-File (not a virus) (B)",
"id": "038e407ba285f0e01dd30c6e4f77ec19bad5ed3dc866a2904ae6bf46baa14b74",
"scan_result": "INFECTED"
},
"1": {
"threat_details": "Virus/EICAR_Test_File",
"id": "054a20c51cbe9d2cc7d6a237d6cd4e08ab1a67e170b371e632995766d3ba81af",
"scan_result": "INFECTED"
},
"2": {
"threat_details": "Unavailable (permanently_failed)",
"id": "0ff95ddb1117d8f36124f6eac406dbbf9f17e3dd89f9bb1bd600f6ad834c25db",
"scan_result": "NOT_SCANNED"
},
"3": {
"threat_details": "EICAR-Test-File (not a virus)",
"id": "312a189607571ec2c7544636be405f10889e73d061e0ed77ca0eca97a470838d",
"scan_result": "INFECTED"
},
"4": {
"threat_details": "Eicar test file",
"id": "32f2f45e6d9faf46e6954356a710208d412fac5181f6c641e34cb9956a133684",
"scan_result": "INFECTED"
},
"5": {
"threat_details": "Unavailable (production)",
"id": "3bfeb615a695c5ebaac5ade948ffae0c3cfec3787d4625e3abb27fa3c2867f53",
"scan_result": "NOT_SCANNED"
},
"6": {
"threat_details": "EICAR_Test_File",
"id": "4ca73ae4b92fd7ddcda418e6b70ced0481ac2d878c48e61b686d0c9573c331dc",
"scan_result": "INFECTED"
},
"7": {
"threat_details": "Unavailable (production)",
"id": "527db072abcf877d4bdcd0e9e4ce12c5d769621aa65dd2f7697a3d67de6cc737",
"scan_result": "NOT_SCANNED"
},
"8": {
"threat_details": "Unavailable (production)",
"id": "714eca0a6475fe7d2bf9a24bcae343f657b230ff68acd544b019574f1392de77",
"scan_result": "NOT_SCANNED"
},
"9": {
"threat_details": "Unavailable (production)",
"id": "95603b80d80fa3e98b6faf07418a55ed0b035d19209e3ad4f1858f6b46fa070a",
"scan_result": "NOT_SCANNED"
},
"10": {
"threat_details": "Unavailable (production)",
"id": "a9b912e461cec506780d8ad8e785cca6b233ad7c72335c262b0a4ab189afa713",
"scan_result": "NOT_SCANNED"
},
"11": {
"threat_details": "Eicar-Signature",
"id": "ad05e0dc742bcd6251af91bd07ef470c699d5aebbb2055520b07021b14d7380c",
"scan_result": "INFECTED"
},
"12": {
"threat_details": "Eicar-Test-Signature",
"id": "af6868a2b87b3388a816e09d2b282629ccf883b763b3691368a27fbd6f6cd51a",
"scan_result": "INFECTED"
},
"13": {
"threat_details": "Unavailable (production)",
"id": "b14014e40c0e672e050ad9c210a68a5303ce7facabae9eb2ee07ddf97dc0da0e",
"scan_result": "NOT_SCANNED"
},
"14": {
"threat_details": "EICAR_Test_File",
"id": "ecc47e2309be9838d6dc2c5157be1a840950e943f5aaca6637afca11516c3eaf",
"scan_result": "INFECTED"
},
"15": {
"threat_details": "EICAR-Test-File",
"id": "fe665976a02d03734c321007328109ab66823b260a8eea117d2ab49ee9dfd3f1",
"scan_result": "INFECTED"
}
},
"severity": 1,
"fileinfo": {
"md5": "c279be702893....",
"gaps": false,
"state": "CLOSED",
"magic": "Zip archive data, at least v2.0 to extract",
"file_id": 1,
"sha256": "4679e7f2018c19...",
"stored": true,
"filename": "smtptest-2021-02-24T17-30-01Z.zip",
"sid": [
1100043
],
"tx_id": 0,
"size": 51675
},
"flow_id": 1016694867777403,
"gcenter": "gcenter-xxx.domain.local",
"SHA256": "4679e7f2018c19...",
"src_ip": "X.X.X.X",
"in_iface": "monvirt",
"analyzed_error": 0,
"reporting_token": "No GBOX",
"analyzed_suspicious": 0,
"app_proto": "smtp",
"@timestamp": "2023-10-09T08:31:04.503Z"
},
"fields": {
"analyzed_other": [
7
],
"email.status": [
"PARSE_DONE"
],
"fileinfo.file_id": [
1
],
"engine_id.1.id": [
"054a20c51cbe9d2cc7d6a237d6cd4e08ab1a67e170b371e632995766d3ba81af"
],
"type": [
"malcore"
],
"engine_id.9.id": [
"95603b80d80fa3e98b6faf07418a55ed0b035d19209e3ad4f1858f6b46fa070a"
],
"smtp.helo": [
"gouv.fr"
],
"fileinfo.sid": [
1100043
],
"engine_id.1.threat_details": [
"Virus/EICAR_Test_File"
],
"engine_id.4.scan_result": [
"INFECTED"
],
"event_type": [
"malware"
],
"analyzed_suspicious": [
0
],
"engine_id.3.scan_result": [
"INFECTED"
],
"engine_id.1.scan_result": [
"INFECTED"
],
"engine_id.0.scan_result": [
"INFECTED"
],
"engine_id.2.scan_result": [
"NOT_SCANNED"
],
"state": [
"Infected"
],
"total_found": [
"9/16"
],
"engine_id.4.threat_details": [
"Eicar test file"
],
"analyzed_clean": [
0
],
"gcenter": [
"gcenter-int-128-dag.gatewatcher.com"
],
"engine_id.15.threat_details": [
"EICAR-Test-File"
],
"engine_id.6.id": [
"4ca73ae4b92fd7ddcda418e6b70ced0481ac2d878c48e61b686d0c9573c331dc"
],
"dest_ip": [
"x.x.x.x"
],
"engine_id.14.id": [
"ecc47e2309be9838d6dc2c5157be1a840950e943f5aaca6637afca11516c3eaf"
],
"gcap": [
"gcap-int-129-dag.gatewatcher.com"
],
"timestamp_analyzed": [
"2023-10-09T08:31:04.503Z"
],
"engine_id.5.threat_details": [
"Unavailable (production)"
],
"engine_id.15.id": [
"fe665976a02d03734c321007328109ab66823b260a8eea117d2ab49ee9dfd3f1"
],
"engine_id.3.id": [
"312a189607571ec2c7544636be405f10889e73d061e0ed77ca0eca97a470838d"
],
"engine_id.15.scan_result": [
"INFECTED"
],
"email.to": [
"test@gouv.fr"
],
"vlan": [
3044
],
"fileinfo.filename": [
"smtptest-2021-02-24T17-30-01Z.zip"
],
"engine_id.14.threat_details": [
"EICAR_Test_File"
],
"email.from": [
"heartbeat@free.fr"
],
"smtp.mail_from": [
"<heartbeat@free.fr>"
],
"timestamp": [
"2023-10-09T08:23:13.332Z"
],
"engine_id.0.threat_details": [
"EICAR-Test-File (not a virus) (B)"
],
"engine_id.8.id": [
"714eca0a6475fe7d2bf9a24bcae343f657b230ff68acd544b019574f1392de77"
],
"engine_id.7.threat_details": [
"Unavailable (production)"
],
"engine_id.0.id": [
"038e407ba285f0e01dd30c6e4f77ec19bad5ed3dc866a2904ae6bf46baa14b74"
],
"engine_id.5.scan_result": [
"NOT_SCANNED"
],
"engine_id.6.scan_result": [
"INFECTED"
],
"@timestamp": [
"2023-10-09T08:31:04.503Z"
],
"email.attachment": [
"smtptest-2021-02-24T17-30-01Z.zip"
],
"engine_id.7.scan_result": [
"NOT_SCANNED"
],
"engines_last_update_date": [
"2023-07-11T11:32:00.000Z"
],
"fileinfo.size": [
51675
],
"engine_id.9.scan_result": [
"NOT_SCANNED"
],
"engine_id.8.scan_result": [
"NOT_SCANNED"
],
"engine_id.12.id": [
"af6868a2b87b3388a816e09d2b282629ccf883b763b3691368a27fbd6f6cd51a"
],
"detail_threat_found": [
"Infected : EICAR-Test-File (not a virus) (B), Virus/EICAR_Test_File, EICAR-Test-File (not a virus), Eicar test file, EICAR_Test_File, Eicar-Signature, Eicar-Test-Signature, EICAR_Test_File, EICAR-Test-File"
],
"engine_id.12.threat_details": [
"Eicar-Test-Signature"
],
"reporting_token": [
"No GBOX"
],
"analyzed_infected": [
9
],
"fileinfo.tx_id": [
0
],
"engine_id.9.threat_details": [
"Unavailable (production)"
],
"engine_id.13.threat_details": [
"Unavailable (production)"
],
"engine_id.5.id": [
"3bfeb615a695c5ebaac5ade948ffae0c3cfec3787d4625e3abb27fa3c2867f53"
],
"uuid": [
"f639c844-3f6f-40fa-86c4-47ff603880e2"
],
"engine_id.10.threat_details": [
"Unavailable (production)"
],
"flow_id": [
1016694867777403
],
"fileinfo.gaps": [
"false"
],
"file_type": [
"application/zip"
],
"host": [
"gcap-xxxxxxxxx.domain.local"
],
"engine_id.13.id": [
"b14014e40c0e672e050ad9c210a68a5303ce7facabae9eb2ee07ddf97dc0da0e"
],
"dest_port": [
25
],
"detail_scan_time": [
245
],
"fileinfo.md5": [
"c279be702893...."
],
"fileinfo.state": [
"CLOSED"
],
"engine_id.2.id": [
"0ff95ddb1117d8f36124f6eac406dbbf9f17e3dd89f9bb1bd600f6ad834c25db"
],
"engine_id.3.threat_details": [
"EICAR-Test-File (not a virus)"
],
"magic_details": [
"Zip archive data, at least v2.0 to extract"
],
"file_type_description": [
"ZIP Archive"
],
"timestamp_detected": [
"2023-10-09T08:23:13.332Z"
],
"engine_id.12.scan_result": [
"INFECTED"
],
"engine_id.11.scan_result": [
"INFECTED"
],
"engine_id.13.scan_result": [
"NOT_SCANNED"
],
"engine_id.14.scan_result": [
"INFECTED"
],
"engine_id.10.scan_result": [
"NOT_SCANNED"
],
"proto": [
"TCP"
],
"analyzed_error": [
0
],
"engine_id.10.id": [
"a9b912e461cec506780d8ad8e785cca6b233ad7c72335c262b0a4ab189afa713"
],
"engine_id.2.threat_details": [
"Unavailable (permanently_failed)"
],
"processing_time": [
1341
],
"code": [
1
],
"analyzers_up": [
16
],
"engine_id.7.id": [
"527db072abcf877d4bdcd0e9e4ce12c5d769621aa65dd2f7697a3d67de6cc737"
],
"src_ip": [
"x.x.x.x"
],
"fileinfo.stored": [
true
],
"engine_id.8.threat_details": [
"Unavailable (production)"
],
"detail_wait_time": [
1096
],
"@version": [
"1"
],
"engine_id.11.id": [
"ad05e0dc742bcd6251af91bd07ef470c699d5aebbb2055520b07021b14d7380c"
],
"smtp.rcpt_to": [
"<test@gouv.fr>"
],
"severity": [
1
],
"engine_id.11.threat_details": [
"Eicar-Signature"
],
"app_proto": [
"smtp"
],
"fileinfo.sha256": [
"4679e7f2018c19..."
],
"fileinfo.magic": [
"Zip archive data, at least v2.0 to extract"
],
"engine_id.4.id": [
"32f2f45e6d9faf46e6954356a710208d412fac5181f6c641e34cb9956a133684"
],
"SHA256": [
"4679e7f2018c19..."
],
"in_iface": [
"monvirt"
],
"src_port": [
36746
],
"engine_id.6.threat_details": [
"EICAR_Test_File"
]
}
}
2.1.1.2.3. Malcore log data structure
The logs are composed of three parts:
The header part
The source part, defined by "_source"
The fields part, defined by "fields"
2.1.1.2.3.1. The header part of Malcore logs
The header section contains:
{ "_index": "malware-2023.10.09-000162", "_type": "_doc", "_id": "Dr-PE4sBeBoubSygq3KJ", "_version": 1, "_score": 1,
Field | Required | Description | Values or example |
---|---|---|---|
_index | Yes | Internal index (the Elasticsearch index the document is stored in) | malware-2023.10.09-000162 |
_type | Yes | Default document type | _doc |
_id | Yes | Internal document identifier | Dr-PE4sBeBoubSygq3KJ |
_version | Yes | Internal document version | 1 |
_score | Yes | Relevance of the document to the query | 1 |
2.1.1.2.3.2. The source part of Malcore logs
The source part defined by "_source" contains:
"_source": {
"proto": "TCP",
"gcap": "gcap-xxxxxxxxx.domain.local",
"uuid": "f639c844-3f6f-40fa-86c4-47ff603880e2",
"host": "gcap-xxxxxxxxx.domain.local",
"timestamp": "2023-10-09T08:23:13.332538+0000",
"email": {
"status": "PARSE_DONE",
"to": [
"test@gouv.fr"
],
"attachment": [
"smtptest-2021-02-24T17-30-01Z.zip"
],
"from": "heartbeat@free.fr"
},
"processing_time": 1341,
"dest_ip": "82.113.11.30",
"detail_scan_time": 245,
"src_port": 36746,
"event_type": "malware",
"@version": "1",
"analyzers_up": 16,
"vlan": [
3044
],
"analyzed_clean": 0,
"analyzed_other": 7,
"file_type_description": "ZIP Archive",
"timestamp_analyzed": "2023-10-09T08:31:04.503Z",
"state": "Infected",
"analyzed_infected": 9,
"dest_port": 25,
"engines_last_update_date": "2023-07-11T11:32:00Z",
"detail_threat_found": "Infected : EICAR-Test-File (not a virus) (B), Virus/EICAR_Test_File, EICAR-Test-File (not a virus), Eicar test file, EICAR_Test_File, Eicar-Signature, Eicar-Test-Signature, EICAR_Test_File, EICAR-Test-File",
"magic_details": "Zip archive data, at least v2.0 to extract",
"total_found": "9/16",
"detail_wait_time": 1096,
"timestamp_detected": "2023-10-09T08:23:13.332Z",
"type": "malcore",
"code": 1,
"file_type": "application/zip",
"smtp": {
"mail_from": "<heartbeat@free.fr>",
"rcpt_to": [
"<test@gouv.fr>"
],
"helo": "gouv.fr"
},
"engine_id": {
"0": {
"threat_details": "EICAR-Test-File (not a virus) (B)",
"id": "038e407ba285f0e01dd30c6e4f77ec19bad5ed3dc866a2904ae6bf46baa14b74",
"scan_result": "INFECTED"
},
"1": {
"threat_details": "Virus/EICAR_Test_File",
"id": "054a20c51cbe9d2cc7d6a237d6cd4e08ab1a67e170b371e632995766d3ba81af",
"scan_result": "INFECTED"
},
"2": {
"threat_details": "Unavailable (permanently_failed)",
"id": "0ff95ddb1117d8f36124f6eac406dbbf9f17e3dd89f9bb1bd600f6ad834c25db",
"scan_result": "NOT_SCANNED"
},
"3": {
"threat_details": "EICAR-Test-File (not a virus)",
"id": "312a189607571ec2c7544636be405f10889e73d061e0ed77ca0eca97a470838d",
"scan_result": "INFECTED"
},
"4": {
"threat_details": "Eicar test file",
"id": "32f2f45e6d9faf46e6954356a710208d412fac5181f6c641e34cb9956a133684",
"scan_result": "INFECTED"
},
"5": {
"threat_details": "Unavailable (production)",
"id": "3bfeb615a695c5ebaac5ade948ffae0c3cfec3787d4625e3abb27fa3c2867f53",
"scan_result": "NOT_SCANNED"
},
"6": {
"threat_details": "EICAR_Test_File",
"id": "4ca73ae4b92fd7ddcda418e6b70ced0481ac2d878c48e61b686d0c9573c331dc",
"scan_result": "INFECTED"
},
"7": {
"threat_details": "Unavailable (production)",
"id": "527db072abcf877d4bdcd0e9e4ce12c5d769621aa65dd2f7697a3d67de6cc737",
"scan_result": "NOT_SCANNED"
},
"8": {
"threat_details": "Unavailable (production)",
"id": "714eca0a6475fe7d2bf9a24bcae343f657b230ff68acd544b019574f1392de77",
"scan_result": "NOT_SCANNED"
},
"9": {
"threat_details": "Unavailable (production)",
"id": "95603b80d80fa3e98b6faf07418a55ed0b035d19209e3ad4f1858f6b46fa070a",
"scan_result": "NOT_SCANNED"
},
"10": {
"threat_details": "Unavailable (production)",
"id": "a9b912e461cec506780d8ad8e785cca6b233ad7c72335c262b0a4ab189afa713",
"scan_result": "NOT_SCANNED"
},
"11": {
"threat_details": "Eicar-Signature",
"id": "ad05e0dc742bcd6251af91bd07ef470c699d5aebbb2055520b07021b14d7380c",
"scan_result": "INFECTED"
},
"12": {
"threat_details": "Eicar-Test-Signature",
"id": "af6868a2b87b3388a816e09d2b282629ccf883b763b3691368a27fbd6f6cd51a",
"scan_result": "INFECTED"
},
"13": {
"threat_details": "Unavailable (production)",
"id": "b14014e40c0e672e050ad9c210a68a5303ce7facabae9eb2ee07ddf97dc0da0e",
"scan_result": "NOT_SCANNED"
},
"14": {
"threat_details": "EICAR_Test_File",
"id": "ecc47e2309be9838d6dc2c5157be1a840950e943f5aaca6637afca11516c3eaf",
"scan_result": "INFECTED"
},
"15": {
"threat_details": "EICAR-Test-File",
"id": "fe665976a02d03734c321007328109ab66823b260a8eea117d2ab49ee9dfd3f1",
"scan_result": "INFECTED"
}
},
"severity": 1,
"fileinfo": {
"md5": "c279be702893....",
"gaps": false,
"state": "CLOSED",
"magic": "Zip archive data, at least v2.0 to extract",
"file_id": 1,
"sha256": "4679e7f2018c19...",
"stored": true,
"filename": "smtptest-2021-02-24T17-30-01Z.zip",
"sid": [
1100043
],
"tx_id": 0,
"size": 51675
},
"flow_id": 1016694867777403,
"gcenter": "gcenter-int-128-dag.gatewatcher.com",
"SHA256": "4679e7f2018c19...",
"src_ip": "x.x.x.x",
"in_iface": "monvirt",
"analyzed_error": 0,
"reporting_token": "No GBOX",
"analyzed_suspicious": 0,
"app_proto": "smtp",
"@timestamp": "2023-10-09T08:31:04.503Z"
}
Field | Required | Description | Values or example |
---|---|---|---|
@timestamp | Yes | Timestamp of the processing of the alert by the GCenter (corresponds to the passage through logstash) | 2023-10-09T08:31:04.503Z |
@version | Yes | Version of the document | 1 |
analyzed_clean | Yes | Number of engines with a CLEAN result | 0 |
analyzed_error | Yes | Number of engines with a FAILED, CLEANED or DELETED result | 0 |
analyzed_infected | Yes | Number of engines with an INFECTED result | 9 |
analyzed_other | Yes | Number of engines with a result other than CLEAN, INFECTED or SUSPICIOUS (for example NOT_SCANNED) | 7 |
analyzed_suspicious | Yes | Number of engines with a SUSPICIOUS result | 0 |
analyzers_up | Yes | Total number of engines used for the analysis | 16 |
app_proto | Yes | Application protocol of the flow the file was extracted from (http, ftp, smtp, smb). For the http protocol, additional fields are present: see the summary table of counters, category "http" | smtp |
code | Yes | Malcore analysis return code: see the table Malcore engine results | 1 |
dest_ip (or IP in the WEB UI) | Yes | Destination IP address | x.x.x.x |
dest_port (or PORTs in the WEB UI) | No | Destination port | 25 |
detail_scan_time (or Scan time in the WEB UI) | No | Analysis time of the file by the Malcore engines, in milliseconds | 245 |
detail_threat_found (or Name and Threats found in the WEB UI) | Yes | Comma-separated list of the detected threat names | Infected : EICAR-Test-File (not a virus) (B), ... |
detail_wait_time | No | Time elapsed between sending the file to the node and receiving the engine result, in milliseconds | 1096 |
Description (WEB UI) | Yes | Description of the threat. Only present in the WEB UI | An adversary can rely on specific actions of a user to obtain execution. |
email | Yes | Category email: see the summary table of counters, category "email" | NA |
engine_id (x, id, threat_details, scan_result) | No | List of the Malcore engines that analyzed the file, with the associated result: x = Malcore engine number (0 to 15); id = engine identifier (hash value, may change over time); threat_details = detail of the threat, or the reason the engine did not answer; scan_result = analysis result (INFECTED, CLEAN, SUSPICIOUS, or NOT_SCANNED when the engine was unavailable) | 0; 038e407ba285f...; EICAR-Test-File (not a virus) (B); INFECTED |
engines_last_update_date (or def time in the WEB UI) | Yes | Date of the last update of the Malcore engines | 2023-07-11T11:32:00Z |
event_type | Yes | Event type, used to index the event in logstash. Set to "malware" | malware |
file_type | Yes | MIME type of the analyzed file | application/zip |
fileinfo | Yes | Information on the file: see the summary table of counters, category "fileinfo" | NA |
file_type_description | Yes | Description of the file type | ZIP Archive |
flow_id | Yes | Unique identifier of the flow. Allows the associated fileinfo event to be found | 1016694867777403 |
gcap | Yes | Name of the GCap associated with the alert | gcap-xxx.domain.local |
gcenter | Yes | Name of the GCenter associated with the alert | gcenter-xxx.domain.local |
host | Yes | Name of the equipment associated with the alert | gcap-xxx.domain.local |
Hostname (WEB UI) | Yes | Host name of the threat originator; if the host name is not known, its IP address is displayed | |
in_iface | Yes | GCap capture interface (monx or monvirt) | monvirt |
magic_details | | Detailed magic information (payload type) | Zip archive data, at least v2.0 to extract |
MITRE ASSOCIATIONS (WEB UI) | Yes | MITRE category of the threat | Execution |
processing_time | Yes | Total processing time of the analysis, in milliseconds (in the example, detail_scan_time + detail_wait_time = 245 + 1096 = 1341) | 1341 |
proto | Yes | Transport protocol detected by Sigflow | TCP |
reporting_token | Yes | Token used with the GBox. If there is no GBox, the value is "No GBOX" | GBOX# |
severity | Yes | Analysis result code, between 0 and 3: 0 = clean, 1 = infected, 2 = suspicious, 3 = other | 1 |
SHA256 | Yes | SHA256 hash of the analyzed file | 4679e7f2018c19... |
smtp | Yes | Category smtp: see the summary table of counters, category "smtp" | NA |
src_ip (or IP in the WEB UI) | Yes | Source IP address detected by Sigflow | x.x.x.x |
src_port (or PORTs in the WEB UI) | Yes | Source port detected by Sigflow | 36746 |
state | Yes | Malcore analysis result. The result is "Infected" as soon as one engine returns INFECTED | Infected |
timestamp | Yes | Timestamp of the processing of the alert by the GCenter (corresponds to the passage through logstash). Note that in the example this value coincides with timestamp_detected, not with @timestamp | 2023-10-09T08:23:13.332538+0000 |
timestamp_analyzed | Yes | Date and time of the last scan of the file | 2023-10-09T08:31:04.503Z |
timestamp_detected | Yes | Timestamp of the capture of the file by the GCap | 2023-10-09T08:23:13.332Z |
total_found | Yes | Number of engines that detected the file as infected over the total number of engines | XX/YY, with YY between 0 and 16 and XX between 0 and YY; example 9/16 |
type | Yes | Type of event | malcore or malcore_retroanalyzer |
uuid (or id) | Yes | Unique identifier of the alert | f639c844-3f6f-40fa-86c4-47ff603880e2 |
vlan | No | VLAN number | 3044 |
Malcore engine results (values of the code field):

Return code | Result | Description |
---|---|---|
0 | No Threat Detected | The file was analyzed and declared healthy |
1 | Infected | The file was analyzed and declared infected |
2 | Suspicious | The file was analyzed and declared likely to be infected: some Malcore engines detected it as malicious |
3 | Failed Scan | An error occurred during the analysis |
7 | Skipped - Whitelisted | The file is not analyzed and is considered healthy because its hash is in the Malcore whitelist |
8 | Skipped - Blacklisted | The file is not analyzed and is considered infected because its hash is in the Malcore blacklist |
9 | Exceeded Archive Depth | The nesting depth of the archive (number of times the file is compressed, max recursion level) exceeded the defined value |
10 | Not scanned | Engine not available at the time of the analysis |
12 | Encrypted Archive | The archive is encrypted and cannot be parsed: the configured password does not work |
13 | Exceeded Archive Size | The archive is larger than the defined maximum file size (maximum value 10 MB) |
14 | Exceeded Archive File Number | The archive contains more files than the defined maximum |
15 | Password Protected Document | Inconsistent behavior detected with a password protected document |
16 | Exceeded Archive Timeout | The archive scan time was exceeded: the Malcore engines did not answer within the deadline |
17 | Filetype Mismatch | The file type detected from the content does not match the file extension |
18 | Potentially Vulnerable File | The file is associated with a component or application with identified vulnerabilities |
19 | Cancelled | The user explicitly cancelled the analysis request for this file |
21 | Yara Rule Matched | A Yara rule matched the file (malware sample identification) |
22 | Potentially Unwanted | A potentially unwanted application was detected |
23 | Unsupported File Type | The file type is not supported |
255 | In Progress | Analysis in progress |
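The following script is an added example, not part of the GCenter documentation or of the product: it triages one Malcore document of the shape shown above, mapping the `code` and `severity` fields through the two tables on this page, grouping the `engine_id` entries by `scan_result`, checking that the `analyzed_*` counters agree with `analyzers_up`, `total_found` and the per-engine results, and flagging the two cases an analyst should not take a verdict at face value for: many NOT_SCANNED engines and a TRUNCATED file. The event embedded in it is a constructed, abridged copy of the page's EICAR sample (four engines instead of sixteen, hashes shortened); the function names are assumptions of the example.

```python
"""Triage of a Malcore alert document as exported from the Kibana UI.

Added example; it is not part of the GCenter documentation or product code.
The field names and the two lookup tables come from this page (the "code"
return codes and the "severity" values). The event below is a constructed,
abridged copy of the page's EICAR sample: only four engines are kept and
the hashes are shortened, so it is not a real capture.
"""
import json

# Malcore analysis return codes (field "code"), from the Malcore engine results table.
MALCORE_CODES = {
    0: "No Threat Detected", 1: "Infected", 2: "Suspicious", 3: "Failed Scan",
    7: "Skipped - Whitelisted", 8: "Skipped - Blacklisted",
    9: "Exceeded Archive Depth", 10: "Not scanned", 12: "Encrypted Archive",
    13: "Exceeded Archive Size", 14: "Exceeded Archive File Number",
    15: "Password Protected Document", 16: "Exceeded Archive Timeout",
    17: "Filetype Mismatch", 18: "Potentially Vulnerable File",
    19: "Cancelled", 21: "Yara Rule Matched", 22: "Potentially Unwanted",
    23: "Unsupported File Type", 255: "In Progress",
}
# Field "severity": 0 = clean, 1 = infected, 2 = suspicious, 3 = other.
SEVERITY = {0: "clean", 1: "infected", 2: "suspicious", 3: "other"}

# Constructed sample document (abridged from the page's example, 4 engines instead of 16).
SAMPLE_EVENT = json.loads(r'''{
  "_id": "Dr-PE4sBeBoubSygq3KJ",
  "_source": {
    "type": "malcore", "event_type": "malware", "code": 1, "severity": 1,
    "state": "Infected", "total_found": "2/4", "analyzers_up": 4,
    "analyzed_infected": 2, "analyzed_clean": 0, "analyzed_suspicious": 0,
    "analyzed_other": 2, "analyzed_error": 0, "app_proto": "smtp",
    "SHA256": "4679e7f2018c19...", "file_type": "application/zip",
    "fileinfo": {"filename": "smtptest-2021-02-24T17-30-01Z.zip",
                 "size": 51675, "state": "CLOSED", "stored": true},
    "engine_id": {
      "0": {"id": "038e407ba285...", "scan_result": "INFECTED",
            "threat_details": "EICAR-Test-File (not a virus) (B)"},
      "1": {"id": "0ff95ddb1117...", "scan_result": "NOT_SCANNED",
            "threat_details": "Unavailable (permanently_failed)"},
      "2": {"id": "312a18960757...", "scan_result": "INFECTED",
            "threat_details": "EICAR-Test-File (not a virus)"},
      "3": {"id": "3bfeb615a695...", "scan_result": "NOT_SCANNED",
            "threat_details": "Unavailable (production)"}
    }
  }
}''')


def engines_by_result(source):
    """Map scan_result -> [(engine number, threat_details)], engines in numeric order."""
    grouped = {}
    for num, engine in sorted(source["engine_id"].items(), key=lambda kv: int(kv[0])):
        grouped.setdefault(engine["scan_result"], []).append((int(num), engine["threat_details"]))
    return grouped


def counters_consistent(source):
    """Check the analyzed_* counters against analyzers_up, total_found and engine_id.

    analyzed_clean, analyzed_infected, analyzed_suspicious and analyzed_other
    partition the engine results (the page defines "other" as everything else),
    so their sum must equal analyzers_up. analyzed_error is not added because
    the page does not say whether it overlaps with analyzed_other.
    """
    partition = (source["analyzed_clean"] + source["analyzed_infected"]
                 + source["analyzed_suspicious"] + source["analyzed_other"])
    found, total = (int(x) for x in source["total_found"].split("/"))
    infected = sum(1 for e in source["engine_id"].values() if e["scan_result"] == "INFECTED")
    return partition == source["analyzers_up"] == total and found == infected == source["analyzed_infected"]


def triage(event):
    """Summarise one Malcore document for an analyst: verdict, coverage, sanity flags."""
    source = event["_source"]
    grouped = engines_by_result(source)
    _found, total = (int(x) for x in source["total_found"].split("/"))
    not_scanned = [n for n, _ in grouped.get("NOT_SCANNED", [])]
    effective = total - len(not_scanned)  # engines that actually returned a verdict
    return {
        "id": event["_id"],
        "verdict": MALCORE_CODES.get(source["code"], "unknown code %d" % source["code"]),
        "severity": SEVERITY.get(source["severity"], "unknown"),
        "infected_engines": [n for n, _ in grouped.get("INFECTED", [])],
        "not_scanned_engines": not_scanned,
        "threat_names": sorted({t for _, t in grouped.get("INFECTED", [])}),
        "coverage": "%d/%d" % (effective, total),
        "counters_ok": counters_consistent(source),
        # With fewer than half of the engines answering, a clean verdict is weak
        # evidence: a NOT_SCANNED engine is not a CLEAN engine.
        "low_coverage": effective * 2 < total,
        # A TRUNCATED file (larger than the file-store stream depth) was only partly scanned.
        "truncated": source["fileinfo"]["state"] != "CLOSED",
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENT), indent=2))
```

Run it on a document copied from the Kibana UI JSON view (keep the `_id` and `_source` keys) to get the verdict and the coverage; on the page's full sample the coverage would be 9/16, since seven engines answered "Unavailable" and were counted in analyzed_other rather than as clean.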
Summary table of counters, category "email":

Field | Required | Description | Values or example |
---|---|---|---|
status | Yes | Parsing status of the mail | PARSE_DONE |
to | Yes | Mail recipient(s) | test@gouv.fr |
attachment | Yes | Name of the attached document(s) | smtptest-2021-02-24T17-30-01Z.zip |
from | Yes | Mail sender | heartbeat@free.fr |
Summary table of counters, category "smtp":

Field | Required | Description | Values or example |
---|---|---|---|
mail_from | Yes | Sender given in the SMTP MAIL FROM command | <heartbeat@free.fr> |
rcpt_to | Yes | Recipient(s) given in the SMTP RCPT TO command | <test@gouv.fr> |
helo | Yes | Domain name announced in the SMTP HELO/EHLO command | gouv.fr |
Summary table of counters, category "fileinfo":

Field | Required | Description | Values or example |
---|---|---|---|
file_id | Yes | File identifier | 1 |
filename | Yes | File name | smtptest-2021-02-24T17-30-01Z.zip |
gaps | Yes | Whether gaps were observed while reconstructing the file (inconsistency in file size) | false |
magic | Yes | File format identifier (magic signature), detected by Sigflow using a reduced database | Zip archive data, at least v2.0 to extract |
md5 | Yes | MD5 hash of the analyzed file | c279be702893.... |
sha256 | Yes | SHA256 hash of the analyzed file | 4679e7f2018c19... |
sid | Yes | Alert ID (signature ID). Must be unique | 1100043 |
size | Yes | File size, in bytes | 51675 |
state | Yes | Completeness of the reconstructed file: CLOSED if complete, otherwise TRUNCATED. The Sigflow file-store.stream-depth variable defines the maximum size of the reconstructed files: the file is TRUNCATED if its size exceeds the file-store stream depth (10 MB by default) | CLOSED |
stored | Yes | Always "true": the file was stored on disk for further analysis | true |
tx_id | Yes | Transaction identifier (request/response pair) | 0 |
fileinfo_potentially_involved | No | Only present for a Retroact rescan: list of the _id of the documents less than 24 hours old concerned by the rescan | 1 |
Summary table of counters, category "http" (additional fields present when app_proto is http):

Field | Required | Description | Values or example |
---|---|---|---|
hostname | Yes | Host name the HTTP request was sent to | synonymi.justdance.com |
http_content_type | Yes | Content type of the returned data (for example application/x-gzip) | application/x-shockwave-flash |
http_method | Yes | HTTP method (for example GET, POST, HEAD) | GET |
http_user_agent | Yes | User agent of the client software | Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; ...) |
length | Yes | Size of the HTTP body, in bytes | 77068 |
protocol | Yes | HTTP protocol version (for example HTTP/1.1) | HTTP/1.1 |
status | Yes | HTTP status code | 200 |
url | Yes | URL path requested on the host | /6SuCHKKkf8Sf1aFXJPqD0R6r... |
2.1.1.2.3.3. The fields part of Malcore logs
The fields part, defined by "fields", contains the same data as the source part, in the flattened form used by Kibana: nested objects are referenced with dotted keys (for example engine_id.2.scan_result or fileinfo.sha256) and every value is presented as an array (for example "vlan": [3044] or "state": ["Infected"]). For the meaning of each field, refer to the source part section.
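The function below is an added example, not part of the GCenter documentation or product: it rebuilds the dotted-key, array-valued "fields" view from a nested "_source" object in the way the sample above shows (engine_id.2.scan_result, "vlan": [3044], "email.to": ["test@gouv.fr"]), which is handy when a Kibana query written against one view has to be checked against the other, for instance to list the engines that did not scan a file. The input embedded in it is a constructed excerpt of the page's sample document; the function names are assumptions of the example.

```python
"""Flattened "fields" view of a Malcore "_source", as shown in the Kibana UI.

Added example, not part of the GCenter documentation or product. It rebuilds
the dotted-key, array-valued form of the page's "fields" section from the
nested "_source" object. The input below is a constructed excerpt of the
page's sample document; the function names are ours.
"""

# Constructed excerpt of the "_source" part of the page's sample alert.
SAMPLE_SOURCE = {
    "proto": "TCP",
    "vlan": [3044],
    "state": "Infected",
    "email": {"status": "PARSE_DONE", "to": ["test@gouv.fr"], "from": "heartbeat@free.fr"},
    "fileinfo": {"file_id": 1, "gaps": False, "stored": True, "sid": [1100043]},
    "engine_id": {
        "1": {"id": "054a20c51cbe...", "threat_details": "Virus/EICAR_Test_File",
              "scan_result": "INFECTED"},
        "2": {"id": "0ff95ddb1117...", "threat_details": "Unavailable (permanently_failed)",
              "scan_result": "NOT_SCANNED"},
    },
}


def flatten_fields(source, prefix=""):
    """Return {dotted.key: [values]} for a nested document.

    Objects are recursed into with their key appended to the path, scalars are
    wrapped in a one-element list and lists of scalars are kept as they are,
    matching "vlan": [3044] and "email.to": ["test@gouv.fr"] on the page.
    Lists of objects (absent from Malcore events) are merged per leaf key.
    """
    flat = {}
    for key, value in source.items():
        path = prefix + key
        if isinstance(value, dict):
            flat.update(flatten_fields(value, path + "."))
        elif isinstance(value, list) and value and all(isinstance(v, dict) for v in value):
            for item in value:
                for leaf, values in flatten_fields(item, path + ".").items():
                    flat.setdefault(leaf, []).extend(values)
        elif isinstance(value, list):
            flat[path] = list(value)
        else:
            flat[path] = [value]
    return flat


def engines_with_result(fields, wanted):
    """Engine numbers whose engine_id.<n>.scan_result equals `wanted`, from the flat view."""
    hits = []
    for key, values in fields.items():
        parts = key.split(".")
        if (len(parts) == 3 and parts[0] == "engine_id"
                and parts[2] == "scan_result" and values == [wanted]):
            hits.append(int(parts[1]))
    return sorted(hits)


if __name__ == "__main__":
    fields = flatten_fields(SAMPLE_SOURCE)
    for key in sorted(fields):
        print(key, fields[key])
    print("NOT_SCANNED engines:", engines_with_result(fields, "NOT_SCANNED"))
```

The flattened keys are exactly the ones to use in a Kibana search bar, for example `engine_id.2.scan_result:NOT_SCANNED` or `fileinfo.state:TRUNCATED`, and the array wrapping explains why a value that is a single string in "_source" appears as a one-element list in "fields".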
2.1.1.3. View the status of Malcore
The Malcore status screen displays:
The status of each engine included in Malcore
The date of the latest update of each of them
2.1.1.4. Update of malcore
2.1.1.5. Gmalcore status and configuration
The management interface enables:
Modifying the engine parameters: see the procedure Setting up GBox and the Malcore and Retroact engines and activating the GBox
Managing the SHA256 hash lists that declare files as:
Healthy (whitelist)
Compromised (blacklist)