Update usages with expected location of 7zz binary (#2667)

Author: ChrisThibodeaux

.github/actions/python-setup/action.yml

@@ -12,7 +12,7 @@ runs:
       if: ${{ runner.os == 'Linux' }}
       shell: bash
       run: |
-        sudo apt update && sudo apt-get install -y --no-install-recommends libxml2-dev libxslt-dev python3-dev libgeoip-dev ssdeep libfuzzy-dev 7zip innoextract unrar upx
+        sudo apt update && sudo apt-get install -y --no-install-recommends libxml2-dev libxslt-dev python3-dev libgeoip-dev ssdeep libfuzzy-dev innoextract unrar upx
 
     - name: Install poetry
       shell: bash

.github/workflows/python-package.yml

@@ -32,6 +32,12 @@ jobs:
         with:
           python-version: ${{ matrix.python-version }}
 
+      - name: Setup 7zz binary
+        run: |
+          mkdir -p data/
+          wget -q https://github.com/CAPESandbox/community/raw/master/data/7zz -O data/7zz
+          chmod +x data/7zz
+
       - name: Install pyattck
         run: |
           poetry run pip install git+https://github.com/CAPESandbox/pyattck maco

conf/default/processing.conf.default

@@ -174,7 +174,7 @@ filesdir = files
 # Amount of text to carve from plaintext files (bytes)
 buffer = 8192
  #Used for creating an archive of extracted files
-7zbin = /usr/bin/7z
+7zbin = data/7zz
 zippass = infected
 # Runmode "cli" options
 bin = /usr/bin/suricata

conf/default/reporting.conf.default

@@ -157,7 +157,7 @@ zipprocdump = yes
 zipprocstrings = yes
 # pyzipper or 7zip
 compressiontool = pyzipper
-sevenzippath = /usr/bin/7z
+sevenzippath = data/7zz
 
 # Community
 [misp]

lib/cuckoo/common/integrations/file_extra_info.py

@@ -114,11 +114,14 @@
     unautoit_binary = os.path.join(CUCKOO_ROOT, integration_conf.UnAutoIt_extract.binary)
 if integration_conf.Inno_extract.binary:
     innoextact_binary = os.path.join(CUCKOO_ROOT, integration_conf.Inno_extract.binary)
-sevenzip_binary = "/usr/bin/7z"
+sevenzip_binary = os.path.join(CUCKOO_ROOT, "data/7zz")
 if integration_conf.SevenZip_unpack.binary:
     tmp_sevenzip_binary = os.path.join(CUCKOO_ROOT, integration_conf.SevenZip_unpack.binary)
     if path_exists(tmp_sevenzip_binary):
         sevenzip_binary = tmp_sevenzip_binary
+# fallback
+if not path_exists(sevenzip_binary):
+    sevenzip_binary = "/usr/bin/7z"
 
 if processing_conf.trid.enabled:
     trid_binary = os.path.join(CUCKOO_ROOT, processing_conf.trid.identifier)
@@ -688,7 +691,7 @@ def msi_extract(file: str, *, filetype: str, **kwargs) -> ExtractorReturnType:
         return
 
     extracted_files = []
-    # sudo apt install msitools or 7z
+    # sudo apt install msitools
     with extractor_ctx(file, "MsiExtract", prefix="msidump_", folder=tools_folder) as ctx:
         tempdir = ctx["tempdir"]
         output = False
@@ -707,7 +710,7 @@ def msi_extract(file: str, *, filetype: str, **kwargs) -> ExtractorReturnType:
             ]
         else:
             output = run_tool(
-                ["7z", "e", f"-o{tempdir}", "-y", file],
+                [sevenzip_binary, "e", f"-o{tempdir}", "-y", file],
                 universal_newlines=True,
                 stderr=subprocess.PIPE,
             )

modules/processing/suricata.py

@@ -71,7 +71,7 @@ def run(self):
         SURICATA_FILES_DIR = self.options.get("filesdir")
         SURICATA_RUNMODE = self.options.get("runmode")
         SURICATA_FILE_BUFFER = self.options.get("buffer", 8192)
-        Z7_PATH = self.options.get("7zbin")
+        Z7_PATH = os.path.join(CUCKOO_ROOT, self.options.get("7zbin"))
         FILES_ZIP_PASS = self.options.get("zippass")
 
         # Socket
@@ -396,7 +396,7 @@ def run(self):
                     log.warning("Unable to delete suricata file subdirectories: %s", e)
 
         if SURICATA_FILES_DIR_FULL_PATH and path_exists(SURICATA_FILES_DIR_FULL_PATH) and Z7_PATH and path_exists(Z7_PATH):
-            # /usr/bin/7z a -pinfected -y files.zip files-json.log files
+            # /opt/CAPEv2/data/7zz a -pinfected -y files.zip files-json.log files
             cmdstr = f"cd {self.logs_path} && {Z7_PATH} a -p{FILES_ZIP_PASS} -y files.zip {SURICATA_FILE_LOG} {SURICATA_FILES_DIR}"
             ret, _, stderr = self.cmd_wrapper(cmdstr)
             if ret > 1: