- Peekaboo now provides a REST API. The old UNIX domain socket is gone and
there's no longer a long-lived client connection providing a summary report
on multiple samples. Samples are now submitted individually, yielding a job ID
for subsequent attempts at retrieving a report. Both inputs and outputs of
the API are JSON. The AMaViS plugin and peekaboo-util are updated to match.
- Embedded Cuckoo mode and python2 support are removed.
- Breaking change: Equality operators in expressions using regexes do now need
to match the whole string up to the end.
- New database schema version 9.
Removes tables PeekabooMetadata and AnalysisJournal, and adds field
analysis\_time as well as state to SampleInfo.
- Generic rules can now make use of the new analyser `knownreport`
- Introduce cortexreport toolbox analyser to connect to Cortex by TheHive.
There already are a few sub analysers that can be used.
- Reduce amount of data copied from Cuckoo reports for memory efficiency and
security reasons. Reduces the amount of information available in Peekaboo
processing failure dumps as well. URL to access original report via Cuckoo API
is provided instead.
- The CortexAnalyser or more precisely every CortexAnalyser can now access
domain, hash, and ip artifacts from within the Generic rules.
- FileInfoAnalyzerReport has new attibutes md5sum, sha256sum, and ssdeepsum
(now don't get to excited, ssdeep hashes can only be used as strings)
- Input validation of reports adds a new pip requirement: schema
- Availability of external resources, particularly Cuckoo and Cortex APIs is no
longer checked at startup. Lack of availability is reported as individual job
failure.
- PID file is no longer created by default (but can be re-enabled by specifying
a path).