In part one we went through installing foorep. In this part I will introduce you to using the command line interface. If you want an introduction to what foorep is and why I created it, please read this post.
You can interact with foorep in several ways. You can use the command line interface, click in the built in webUI or integrate it directly into your own python programs.
|The interface is designed to have sub-commands for different actions|
$ foorep add /path/to/sample
This command adds a sample to the repository. The system runs all the available plugins to gather more information about the file. For example, if it is a PE file the pefile-plugin will run and if it is a image with EXIF data in it, the exif-plugin will parse it and add the info to the database and so on.
$ foorep remove <id>
This command removes a sample from the repository.
$ foorep search <query>
This command searches the repository for matching samples. Today you can search after md5,sha1,sha256,sha512 and filename. The search functionality will get more sophisticated.
$ foorep dump <id>
This command will dump the raw JSON document to stdout. Used mostly for debugging
$ foorep annotate -t <type> -m <content>
Annotations is a big deal in foorep. It is here that you add value and context to your samples. For example, both comments and tags is simple annotations. All the results from the plugins is saved as annotations in the database.
$ foorep list -l 10
This command list the samples in the database. Add -l to limit the output, or use -l 0 to list all.
I hope that this will get you going using foorep. Next time we will look at using the built in web interface. Here is a preview: