I just released pollen version 1.1, codename Tsim Sha Tsui. I’m sure some of you know where in the world that is, which may gave you an idea where this code was written :)
This newer version has much cleaner code and I think significantly better analyst options as well. Here’s what’s included in version 1.1:
- Command-line usage; no need for the shell all the time! Pollen now includes the
--logfileoptions, which allow the analyst to update task logs and upload supporting files _directly from the command line_. This is a HUGE feature, and is meant to assist analysts in frequently updating tasks as they work through cases. For example:
Let’s say an analyst is working through a task, and is constantly uncovering artifacts, findings, etc. Now, with pollen, they can simply type the following:
python3 pollen.py --logfile findings.txt --log Attacker IPs and C2 callouts, extracted from Apache web logs, sorted, and uniqued
The above command will grab the file findings.txt and attach it to the log message “Attacker IPs and C2 callouts, extracted from Apache web logs, sorted, and uniqued”, and update the task log. Now, the analyst can go right back to performing analysis, and trust that their notes have been appropriately recorded.
Note that the analyst will need to preconfigure a case and task for the above to work.
- Pollen now comes with colors! Users can now select up to two colors for personalizing the pollen shell! I noticed during analysis that with multiple tabs open, pollen can easily get looked over or blend in with the other tasks. The colorized template now allows for easier visual recognition, and provides for a richer experience.
Here’s an example of a two-color terminal setup:
The above constitutes the major updates, however there are some additional code improvements, comments, and better logic walkthrough. There is still much more to be done, however I hope you enjoy this new version of pollen!
Code can be found over here: https://github.com/bromiley/pollen