From f8f785970fb2042cb2c50a55249eb0448a737550 Mon Sep 17 00:00:00 2001
From: Terrtia
Date: Wed, 14 Sep 2022 11:41:24 +0200
Subject: [PATCH] chg: [pgpdump] check trackers on extracted metadata

---
 bin/PgpDump.py                | 14 ++++++++++++++
 bin/trackers/Tracker_Regex.py |  5 +++--
 bin/trackers/Tracker_Term.py  |  5 +++--
 bin/trackers/Tracker_Yara.py  |  8 ++++++--
 4 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/bin/PgpDump.py b/bin/PgpDump.py
index 1f7554f4..71f8896d 100755
--- a/bin/PgpDump.py
+++ b/bin/PgpDump.py
@@ -24,6 +24,10 @@ from packages import Paste
 
 
 from packages import Pgp
+from trackers.Tracker_Term import Tracker_Term
+from trackers.Tracker_Regex import Tracker_Regex
+from trackers.Tracker_Yara import Tracker_Yara
+
 
 class TimeoutException(Exception):
     pass
@@ -152,6 +156,10 @@ if __name__ == '__main__':
     #config_section = 'PgpDump'
     config_section = 'PgpDump'
 
+    tracker_module_term = Tracker_Term()
+    tracker_module_regex = Tracker_Regex()
+    tracker_module_yara = Tracker_Yara()
+
     # Setup the I/O queues
     p = Process(config_section)
 
@@ -245,7 +253,13 @@ if __name__ == '__main__':
             for name_id in set_name:
                 print(name_id)
                 Pgp.pgp.save_item_correlation('name', name_id, message, item_date)
+                tracker_module_term.compute(message, item_content=name_id)
+                tracker_module_regex.compute(message, item_content=name_id)
+                tracker_module_yara.compute(message, item_content=name_id)
             for mail_id in set_mail:
                 print(mail_id)
                 Pgp.pgp.save_item_correlation('mail', mail_id, message, item_date)
+                tracker_module_term.compute(message, item_content=name_id)
+                tracker_module_regex.compute(message, item_content=name_id)
+                tracker_module_yara.compute(message, item_content=name_id)
 
diff --git a/bin/trackers/Tracker_Regex.py b/bin/trackers/Tracker_Regex.py
index acf29eb1..bfd8c685 100755
--- a/bin/trackers/Tracker_Regex.py
+++ b/bin/trackers/Tracker_Regex.py
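Review bot: The three tracker calls added in the `for mail_id in set_mail:` loop pass `item_content=name_id` instead of `mail_id`, so every mail is checked against whatever `name_id` was left holding by the name loop, and when `set_name` is empty `name_id` is unbound at that point and the first mail raises NameError (unless it is bound earlier in the enclosing `if __name__ == '__main__':` block, which starts outside the hunk). The lines should read `tracker_module_term.compute(message, item_content=mail_id)`, `tracker_module_regex.compute(message, item_content=mail_id)` and `tracker_module_yara.compute(message, item_content=mail_id)`. Since the tracker changes in this commit only substitute `item_content` for the item's own text, a comment such as `# run the term/regex/yara trackers over the extracted identity string, not the whole item` above each group would also make the use of `message` as item_id less surprising.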
@@ -50,7 +50,7 @@ class Tracker_Regex(AbstractModule):
 
         self.redis_logger.info(f"Module: {self.module_name} Launched")
 
-    def compute(self, item_id):
+    def compute(self, item_id, item_content=None):
         # refresh Tracked regex
         if self.last_refresh < Tracker.get_tracker_last_updated_by_type('regex'):
             self.dict_regex_tracked = Term.get_regex_tracked_words_dict()
@@ -60,7 +60,8 @@ class Tracker_Regex(AbstractModule):
 
         item = Item(item_id)
         item_id = item.get_id()
-        item_content = item.get_content()
+        if not item_content:
+            item_content = item.get_content()
 
         for regex in self.dict_regex_tracked:
             matched = regex_helper.regex_search(self.module_name, self.redis_cache_key, self.dict_regex_tracked[regex], item_id, item_content, max_time=self.max_execution_time)
diff --git a/bin/trackers/Tracker_Term.py b/bin/trackers/Tracker_Term.py
index 7fa60c3b..59b15c59 100755
--- a/bin/trackers/Tracker_Term.py
+++ b/bin/trackers/Tracker_Term.py
@@ -61,7 +61,7 @@ class Tracker_Term(AbstractModule):
 
         self.redis_logger.info(f"Module: {self.module_name} Launched")
 
-    def compute(self, item_id):
+    def compute(self, item_id, item_content=None):
         # refresh Tracked term
         if self.last_refresh_word < Term.get_tracked_term_last_updated_by_type('word'):
             self.list_tracked_words = Term.get_tracked_words_list()
@@ -78,7 +78,8 @@ class Tracker_Term(AbstractModule):
         # Cast message as Item
         item = Item(item_id)
         item_date = item.get_date()
-        item_content = item.get_content()
+        if not item_content:
+            item_content = item.get_content()
 
         signal.alarm(self.max_execution_time)
 
diff --git a/bin/trackers/Tracker_Yara.py b/bin/trackers/Tracker_Yara.py
index ab0a5310..5346035d 100755
--- a/bin/trackers/Tracker_Yara.py
+++ b/bin/trackers/Tracker_Yara.py
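Review bot: The new `item_content=None` keyword on `compute` is undocumented, and the same applies to the identical signature changes in Tracker_Term.py (`@@ -61,7 +61,7 @@`) and Tracker_Yara.py (`@@ -47,7 +47,7 @@`); from the signature alone a reader cannot tell that the argument replaces the item's own text while `item_id` still names the item being processed. A docstring such as `"""Run the tracked regexes over item_content, or over the item's own content when it is None; item_id identifies the item."""` on each of the three `compute` methods would cover it. `compute` continues past the end of this hunk.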
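Review bot: `if not item_content:` treats an empty string like the `None` default, so a caller that passes an empty extracted value silently falls back to `item.get_content()` and runs every tracked regex over the whole item instead of the supplied text, presumably duplicating the pass the tracker already makes on the item itself; the same check is added in Tracker_Term.py (`@@ -78,7 +78,8 @@`) and Tracker_Yara.py (`@@ -56,7 +56,11 @@`). Since the default is `None`, the guard should be `if item_content is None:` in all three places, and an empty string is then searched as given. A one-line comment `# caller-supplied text (e.g. extracted metadata) takes precedence over the item's content` would document the intent. `compute` continues beyond this hunk.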
@@ -47,7 +47,7 @@ class Tracker_Yara(AbstractModule):
 
         self.redis_logger.info(f"Module: {self.module_name} Launched")
 
-    def compute(self, item_id):
+    def compute(self, item_id, item_content=None):
         # refresh YARA list
         if self.last_refresh < Tracker.get_tracker_last_updated_by_type('yara'):
             self.rules = Tracker.reload_yara_rules()
@@ -56,7 +56,11 @@ class Tracker_Yara(AbstractModule):
             print('Tracked set refreshed')
 
         self.item = Item(item_id)
-        item_content = self.item.get_content()
+        if not item_content:
+            item_content = self.item.get_content()
+
+
+
         try:
             yara_match = self.rules.match(data=item_content, callback=self.yara_rules_match, which_callbacks=yara.CALLBACK_MATCHES, timeout=60)
             if yara_match:
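Review bot: Three consecutive blank lines were added between the `item_content` fallback and `try:` in the second hunk, more vertical space than PEP 8 allows inside a method body and apparently left over from editing; a single blank line is enough. Note also that `self.item = Item(item_id)` is still built before the fallback even when the caller supplies `item_content`, which is fine if the callback needs it but worth a comment like `# self.item is also used by yara_rules_match` if that is the reason (the callback is outside this hunk, so this is a guess). `compute` continues past the end of the hunk.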