Submitting samples
Note: The sample submission endpoint is currently being extended to allow for fine-grained control over analyses without the use of profiles. Stay tuned for updates.
POST /samples
This endpoint allows both files and URLs to be submitted. Samples can be submitted using automatic mode for high-volume analysis, as well as interactive mode. In interactive mode, you must manually choose how to analyze the sample after static analysis of the sample has completed.
Required fields
| Key | Type | Description |
|---|---|---|
kind |
String | One of: file, url or fetch |
Optional fields
| Key | Type | Default | Description |
|---|---|---|---|
file |
File | The uploaded file. Requires kind to be set to "file" |
|
interactive |
Boolean | false |
If set to true, the analysis profile must be chosen manually after static analysis has finished |
password |
String | A password that may be used to decrypt the provided file, usually an archive (zip/rar/etc) | |
profiles |
Array | A mapping of one or more files to one or more profiles | |
url |
String | The URL to use as sample. Requires kind to be set to "url" or "fetch" |
|
defaults.timeout |
Int | The timeout in seconds for behavioral analysis (maximum 3600) | |
defaults.network |
String | internet |
Controls internet connectivity type for behavioral analysis |
If interactive is set to true, analysis pauses when the sample status reaches
static_analysis. To continue, you must manually start the analysis.
JSON example
The following object describes the parameters one could specify in their submission:
{
// Optionally specify the kind of submission this is. If not defined, kind
// is inferred from the other parameters. See below for examples of each
// type of submission.
"kind": "file" | "url" | "fetch" | "import",
// Submit a URL to use as sample. If kind is "fetch", the URL is downloaded
// as file instead of executed directly in a browser.
"url": "http://example.com/malware.exe",
// Optional: manually specify the filename of the sample. If not specified,
// the filename of the attached file is used. Not applicable to "url"
"target": "my-malware.exe",
// Optional: defaults to false. If set to true, the analysis profile must be
// chosen manually after static analysis has finished.
"interactive": false,
// Optional: A password that may be used to decrypt the provided file,
// usually an archive (zip/rar/etc).
"password": "infected",
// Optional: A mapping of one or more files to one or more profiles.
"profiles": [...],
// Experimental: an optional array of user-defined strings that lets the
// user mark a sample. The resulting tags will be embedded in the reports.
// The total size cannot exceed 1kB and tags cannot be empty.
"user_tags": ["id:123789", "source:smtp"],
// The optional defaults object specifies base parameters to use for
// automatic analysis.
"defaults": {
// Optional: Specify the timeout of the analysis (in seconds, maximum 3600).
"timeout": 60,
// Optional: defaults to "internet". Specify the type of network
// routing to use in behavioral analysis.
"network": "internet" | "drop" | "tor"
}
}
Submitting a file
File submissions are required to be performed using the multipart/form-data
scheme.
The field name of uploaded file should be file and the file should have a
filename. Optionally override the filename with the target field.
Because submitting a JSON payload when submitting a multipart upload can be difficult, the submission parameters can be submitted in one of two ways:
- For simple submissions, encode the parameters as form values instead of JSON.
Nested objects can be specified with a period (e.g.
defaults.network). Array fields can be specified multiple times. - Alternatively, the JSON parameter payload can be encoded as a form
field with key
_json.
See below for examples.
File submission examples
Submitting a file:
$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
-F 'file=@<YOUR_SAMPLE_FILE_PATH>' \
https://tria.ge/api/v0/samples
// Response:
{
"id": "190724-hakvlwz8cx",
"status": "running",
"kind": "file",
"filename": "evil.bat",
"private": true,
"submitted": "2019-07-24T13:32:07.253524Z"
}
Submitting a file with JSON parameters:
$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
-F '_json={"kind":"file","defaults":{"timeout": 60, "network":"drop"}}' \
-F 'file=@<YOUR_SAMPLE_FILE_PATH>' \
https://tria.ge/api/v0/samples
Submitting a password-protected .zip file:
$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
-F password=mysecret \
-F 'file=@<YOUR_ZIP_FILE_PATH>' \
https://tria.ge/api/v0/samples
Submitting a file with custom filename, user tags, and Tor network routing:
$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
-F target=custom-filename.bat \
-F user_tags=4e2000db-6b18-4c25-9876-748aaa808a32 \
-F user_tags=source:1234 \
-F default.network=tor \
-F 'file=@<YOUR_ZIP_FILE_PATH>' \
https://tria.ge/api/v0/samples
Submitting a URL
To submit a URL, you must do one of the following:
- Set the
"url"parameter - Specify
"kind"to be"url"and"target"to be the URL
It's not possible to mix file upload and URL submissions.
Fetching a sample from a URL
In some use-cases it's desirable to submit a URL from which Triage will download the sample itself. E.g., the sample could be located in AWS S3, your own website, etc.
To have Triage fetch the sample from a URL, you must set kind to "fetch" and
include the URL of the sample as url or target.
URL submission examples
Submitting a URL:
$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
-F url=http://example.org/ \
https://tria.ge/api/v0/samples
Fetching a sample from a URL:
# As form:
$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
-F kind=fetch \
-F url=https://hostname.tld/sample.exe \
https://tria.ge/api/v0/samples
# As JSON:
$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
-H 'Content-Type: application/json' \
-d '{"kind": "fetch", "url": "https://hostname.tld/sample.exe"}'
https://tria.ge/api/v0/samples
It's also possible to import an analysis from the public cloud:
$ curl -H 'Authorization: Bearer <YOUR_ACCESS_KEY>' \
-F kind=import \
-F url=https://tria.ge/220202-rs4ehsacen \
https://tria.ge/api/v0/samples
Note that you can also specify just the sample/analysis ID (in this case "220202-rs4ehsacen") instead of the full https://tria.ge/ URL.
Choosing a profile
Choosing a profile is only available to users that are registered with a company.
Selecting a profile allows more to control over the virtual environment that is
used to run the sample.
Selecting a profile requires interactive to be false.
Profiles can be selected by adding them to the profiles array as shown below:
{
"profiles": [
{
// The ID or name of the profile to use.
"profile": "myprofilename",
// If an archive is submitted, specify the filename in the archive this
// profile should be used for (as per this example). This field can be
// omitted if a single file is submitted (alternatively "sample" also
// selects the submitted file).
"pick": "unpack001/something.exe"
}
],
// Other options
}
A file may be selected multiple times with different profiles so it will be executed in different environments.
Please refer to the documentation for POST /samples/{sampleID}/profile.