Allow analysts to submit individual files to Strelka

[zfcarsonb]

As an analyst, it would be really useful to be able to submit individual files to Strelka for scanning. While Zeek automatically submits files to Strelka, it can only do so for files that traverse the network, and only for files that were transmitted in plain-text. For example, files transmitted via TLS cannot be effectively scanned.

The idea is, if an analyst discovers a suspicious file, they could manually submit it to Strelka and get a scan result back. Additionally, this would make testing new YARA rules in the Detections module much easier.

I have two different ideas for making this possible:

1. Run the Strelka UI container as a docker container, and add it to the list of external tools in SOC. Saltstack would configure the connection to the appropriate so-strelka-* container.
   • Strelka UI: https://github.com/target/strelka-ui
2. Add native functionality to SOC to submit files to Strelka (e.g., from the grid page, like PCAP/EVTX upload). This could be accomplished on the backend using something like the strelka-oneshot CLI tool.

Thanks for all of the hard work you all do to make Security Onion as awesome as it is!

[cm-ops]

A file can be place in /nsm/strelka/unprocessed/ and Strelka will `analyze.

[zfcarsonb]

Oh nice! I didn't know files could be dropped there directly.

Thanks!