Thunderstorm
The Thunderstorm analyzer submits a file sample to a local or public THOR Thunderstorm service and processes the scan result.
Requirements
Scope
THOR Thunderstorm is a web service version of the well-known scanner THOR. THOR focuses on APTs, hacking activity, traces of hacking activity and file anomalies like obfuscation techniques, suspicious PE packers or PE header anomalies.
Matches
The reports contain useful metadata and a list of matching rules. Each rule links to a related public report or states that the rule was based on internal research.
The reports include a total score and sub scores defined in the matching YARA rules.
The score and level indicate the criticality of the finding.
Access to Thunderstorm
THOR Thunderstorm is a high-speed, multi-threaded, caching scan service that is licensed and installed on-premise on the Linux system of your choice. Nextron Systems offers access to test systems with the FQDN thunderstorm.nextron-systems.com on request.
THOR_Thunderstorm_ScanSample
Author: Florian Roth
License: AGPL-V3
Version: 0.3.1
Supported observables types:
- file
Registration required: True
Subscription required: True
Free subscription: False
Third party service: https://www.nextron-systems.com/thor-thunderstorm/
Description
Submits a sample to an on-premise THOR Thunderstorm web service and processes the scan result.
Configuration
| thunderstorm_server | Thunderstorm Server |
|---|---|
| Default value if not configured | thunderstorm.nextron-systems.com |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | True |

| thunderstorm_port | Thunderstorm Port |
|---|---|
| Default value if not configured | 8080 |
| Type of the configuration item | number |
| The configuration item can contain multiple values | False |
| Is required | True |

| thunderstorm_source | Source System |
|---|---|
| Default value if not configured | cortex-analyzer |
| Type of the configuration item | string |
| The configuration item can contain multiple values | False |
| Is required | False |

| thunderstorm_ssl | Use an SSL encrypted HTTP connection |
|---|---|
| Default value if not configured | False |
| Type of the configuration item | boolean |
| The configuration item can contain multiple values | False |
| Is required | False |

| thunderstorm_ssl_verify | Verify the SSL certificate of the remote service |
|---|---|
| Default value if not configured | False |
| Type of the configuration item | boolean |
| The configuration item can contain multiple values | False |
| Is required | False |
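The configuration items above decide how a sample leaves the host: with the defaults it travels over plaintext HTTP, and even with thunderstorm_ssl enabled the server certificate is only checked when thunderstorm_ssl_verify is set as well. The following is an added example, not the analyzer's own code, that derives the connection settings from those items and flags the weak combinations; it assumes the configuration is handed over as a plain dict keyed by item name.

```python
# Added example (not part of the THOR_Thunderstorm_ScanSample analyzer):
# derive connection settings from the five configuration items and warn
# about the weak transport combinations before any sample is submitted.
# Assumption: the configuration arrives as a plain dict keyed by item name.

DEFAULTS = {
    "thunderstorm_server": "thunderstorm.nextron-systems.com",
    "thunderstorm_port": 8080,
    "thunderstorm_source": "cortex-analyzer",
    "thunderstorm_ssl": False,
    "thunderstorm_ssl_verify": False,
}


def connection_settings(config):
    """Return base_url, verify_tls, source and a list of warnings.

    Keys missing from `config` fall back to the README defaults.
    """
    cfg = {**DEFAULTS, **config}
    scheme = "https" if cfg["thunderstorm_ssl"] else "http"
    base_url = f'{scheme}://{cfg["thunderstorm_server"]}:{int(cfg["thunderstorm_port"])}'
    # Certificate verification only has an effect on an https connection.
    verify_tls = bool(cfg["thunderstorm_ssl"] and cfg["thunderstorm_ssl_verify"])
    warnings = []
    if not cfg["thunderstorm_ssl"]:
        warnings.append("plaintext HTTP: samples and scan results are readable on the wire")
    elif not cfg["thunderstorm_ssl_verify"]:
        warnings.append("TLS without certificate verification: server identity is not checked")
    return {
        "base_url": base_url,
        "verify_tls": verify_tls,
        "source": cfg["thunderstorm_source"],
        "warnings": warnings,
    }


def hardened_config(config):
    """Return a copy of `config` with both TLS items switched on."""
    return {**config, "thunderstorm_ssl": True, "thunderstorm_ssl_verify": True}


if __name__ == "__main__":
    for name, cfg in (("defaults", {}), ("hardened", hardened_config({}))):
        s = connection_settings(cfg)
        print(name, s["base_url"], "verify_tls=%s" % s["verify_tls"], s["warnings"])
```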