irt/docker_apthunter
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Pin ubuntu:22.04, work around upstream rot, smoke test

Browse Source 
APT-Hunter is unmaintained and breaks on modern dependency versions.
Workarounds:
- Pin ubuntu:22.04 (Python 3.10) — base for venv install.
- Pin netaddr<1.0 — 1.x removed IPAddress.is_private().
- Add flatten_json (missing from upstream requirements.txt).
- Patch EvtxDetection.py via sed: strip ' UTC' suffix from timestamps
  before parse() since dateutil rejects 'Z UTC' (Microsoft EVTX bug).

start.sh: pre-mkdir the nested output/ dir APT-Hunter expects.
test_smoke.sh: glob the actually-produced /output/apthunter_<ts>/output/
nested layout. Default SUBSET=DeepBlueCLI documented; YamatoSecurity is a
working alternative and avoids the few corpora that hit other parser bugs.

Validated end-to-end on amd64 Linux: 5/5 PASS on YamatoSecurity (16 EVTX),
1753 detections, 24K xlsx + 84K TimeSketch CSV produced.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
tabledevil
2026-05-07 19:20:19 +02:00
parent 4834bfec45
commit 7ad1cc8465
5 changed files with 110 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitignore
+1 -1
View File
@@ -1 +1 @@
old-tag.txt
test-data/