chg: [pgpdump] check trackers on extracted metadata
parent
1372b1ef68
commit
f8f785970f
|
@ -24,6 +24,10 @@ from packages import Paste
|
||||||
|
|
||||||
from packages import Pgp
|
from packages import Pgp
|
||||||
|
|
||||||
|
from trackers.Tracker_Term import Tracker_Term
|
||||||
|
from trackers.Tracker_Regex import Tracker_Regex
|
||||||
|
from trackers.Tracker_Yara import Tracker_Yara
|
||||||
|
|
||||||
class TimeoutException(Exception):
|
class TimeoutException(Exception):
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
@ -152,6 +156,10 @@ if __name__ == '__main__':
|
||||||
#config_section = 'PgpDump'
|
#config_section = 'PgpDump'
|
||||||
config_section = 'PgpDump'
|
config_section = 'PgpDump'
|
||||||
|
|
||||||
|
tracker_module_term = Tracker_Term()
|
||||||
|
tracker_module_regex = Tracker_Regex()
|
||||||
|
tracker_module_yara = Tracker_Yara()
|
||||||
|
|
||||||
# Setup the I/O queues
|
# Setup the I/O queues
|
||||||
p = Process(config_section)
|
p = Process(config_section)
|
||||||
|
|
||||||
|
@ -245,7 +253,13 @@ if __name__ == '__main__':
|
||||||
for name_id in set_name:
|
for name_id in set_name:
|
||||||
print(name_id)
|
print(name_id)
|
||||||
Pgp.pgp.save_item_correlation('name', name_id, message, item_date)
|
Pgp.pgp.save_item_correlation('name', name_id, message, item_date)
|
||||||
|
tracker_module_term.compute(message, item_content=name_id)
|
||||||
|
tracker_module_regex.compute(message, item_content=name_id)
|
||||||
|
tracker_module_yara.compute(message, item_content=name_id)
|
||||||
|
|
||||||
for mail_id in set_mail:
|
for mail_id in set_mail:
|
||||||
print(mail_id)
|
print(mail_id)
|
||||||
Pgp.pgp.save_item_correlation('mail', mail_id, message, item_date)
|
Pgp.pgp.save_item_correlation('mail', mail_id, message, item_date)
|
||||||
|
tracker_module_term.compute(message, item_content=name_id)
|
||||||
|
tracker_module_regex.compute(message, item_content=name_id)
|
||||||
|
tracker_module_yara.compute(message, item_content=name_id)
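Review bot: The mail loop at the end of the hunk passes `item_content=name_id` to all three trackers instead of `mail_id`, so the extracted e-mail addresses are never checked and the last name is simply re-scanned; if set_name is empty, `name_id` is unbound and the first mail raises NameError. The three calls should read `tracker_module_term.compute(message, item_content=mail_id)` and likewise `tracker_module_regex.compute(message, item_content=mail_id)` / `tracker_module_yara.compute(message, item_content=mail_id)`. Since the tracker side of this commit substitutes the item's full content whenever the passed value is falsy, an empty extracted name or mail would also re-run every tracker on the whole item, so it is worth skipping empty strings here, e.g. `if not name_id: continue`. The `if __name__ == '__main__'` block continues outside the hunk.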
|
||||||
|
|
|
@ -50,7 +50,7 @@ class Tracker_Regex(AbstractModule):
|
||||||
|
|
||||||
self.redis_logger.info(f"Module: {self.module_name} Launched")
|
self.redis_logger.info(f"Module: {self.module_name} Launched")
|
||||||
|
|
||||||
def compute(self, item_id):
|
def compute(self, item_id, item_content=None):
|
||||||
# refresh Tracked regex
|
# refresh Tracked regex
|
||||||
if self.last_refresh < Tracker.get_tracker_last_updated_by_type('regex'):
|
if self.last_refresh < Tracker.get_tracker_last_updated_by_type('regex'):
|
||||||
self.dict_regex_tracked = Term.get_regex_tracked_words_dict()
|
self.dict_regex_tracked = Term.get_regex_tracked_words_dict()
|
||||||
|
@ -60,7 +60,8 @@ class Tracker_Regex(AbstractModule):
|
||||||
|
|
||||||
item = Item(item_id)
|
item = Item(item_id)
|
||||||
item_id = item.get_id()
|
item_id = item.get_id()
|
||||||
item_content = item.get_content()
|
if not item_content:
|
||||||
|
item_content = item.get_content()
|
||||||
|
|
||||||
for regex in self.dict_regex_tracked:
|
for regex in self.dict_regex_tracked:
|
||||||
matched = regex_helper.regex_search(self.module_name, self.redis_cache_key, self.dict_regex_tracked[regex], item_id, item_content, max_time=self.max_execution_time)
|
matched = regex_helper.regex_search(self.module_name, self.redis_cache_key, self.dict_regex_tracked[regex], item_id, item_content, max_time=self.max_execution_time)
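Review bot: `if not item_content:` treats an explicitly passed empty string the same as the default None, so a caller that extracted nothing gets the whole item re-scanned against every tracked regex, duplicating the matches and alerts the normal queue path already produced; use `if item_content is None:` so only the absent case falls back to `item.get_content()`. The new parameter also deserves a docstring, e.g. `"""Run the tracked regexes on item_content when given, otherwise on the item's full content."""`, because the alert path after the loop (outside the hunk) presumably attributes a match to the item without recording which fragment matched. The body of compute continues past the hunk.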
|
||||||
|
|
|
@ -61,7 +61,7 @@ class Tracker_Term(AbstractModule):
|
||||||
|
|
||||||
self.redis_logger.info(f"Module: {self.module_name} Launched")
|
self.redis_logger.info(f"Module: {self.module_name} Launched")
|
||||||
|
|
||||||
def compute(self, item_id):
|
def compute(self, item_id, item_content=None):
|
||||||
# refresh Tracked term
|
# refresh Tracked term
|
||||||
if self.last_refresh_word < Term.get_tracked_term_last_updated_by_type('word'):
|
if self.last_refresh_word < Term.get_tracked_term_last_updated_by_type('word'):
|
||||||
self.list_tracked_words = Term.get_tracked_words_list()
|
self.list_tracked_words = Term.get_tracked_words_list()
|
||||||
|
@ -78,7 +78,8 @@ class Tracker_Term(AbstractModule):
|
||||||
# Cast message as Item
|
# Cast message as Item
|
||||||
item = Item(item_id)
|
item = Item(item_id)
|
||||||
item_date = item.get_date()
|
item_date = item.get_date()
|
||||||
item_content = item.get_content()
|
if not item_content:
|
||||||
|
item_content = item.get_content()
|
||||||
|
|
||||||
signal.alarm(self.max_execution_time)
|
signal.alarm(self.max_execution_time)
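Review bot: `signal.alarm(self.max_execution_time)` at the end of the hunk now runs inside whichever process calls compute() directly (PgpDump in this commit), and SIGALRM is process-global, so it replaces any alarm the caller had armed and fires whatever handler is currently installed; if Tracker_Term installs its own handler in `__init__` (not visible here) it would also have displaced the caller's handler at construction time. Either document that compute() must not be called while the caller has an alarm pending, or save the caller's alarm with `previous = signal.alarm(self.max_execution_time)` and re-arm it in a `finally`. Independently, `if not item_content:` makes an empty passed string scan the full item; `if item_content is None:` is the intended check. compute's body continues outside the hunk.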
|
||||||
|
|
||||||
|
|
|
@ -47,7 +47,7 @@ class Tracker_Yara(AbstractModule):
|
||||||
self.redis_logger.info(f"Module: {self.module_name} Launched")
|
self.redis_logger.info(f"Module: {self.module_name} Launched")
|
||||||
|
|
||||||
|
|
||||||
def compute(self, item_id):
|
def compute(self, item_id, item_content=None):
|
||||||
# refresh YARA list
|
# refresh YARA list
|
||||||
if self.last_refresh < Tracker.get_tracker_last_updated_by_type('yara'):
|
if self.last_refresh < Tracker.get_tracker_last_updated_by_type('yara'):
|
||||||
self.rules = Tracker.reload_yara_rules()
|
self.rules = Tracker.reload_yara_rules()
|
||||||
|
@ -56,7 +56,11 @@ class Tracker_Yara(AbstractModule):
|
||||||
print('Tracked set refreshed')
|
print('Tracked set refreshed')
|
||||||
|
|
||||||
self.item = Item(item_id)
|
self.item = Item(item_id)
|
||||||
item_content = self.item.get_content()
|
if not item_content:
|
||||||
|
item_content = self.item.get_content()
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
try:
|
try:
|
||||||
yara_match = self.rules.match(data=item_content, callback=self.yara_rules_match, which_callbacks=yara.CALLBACK_MATCHES, timeout=60)
|
yara_match = self.rules.match(data=item_content, callback=self.yara_rules_match, which_callbacks=yara.CALLBACK_MATCHES, timeout=60)
|
||||||
if yara_match:
|
if yara_match:
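Review bot: `if not item_content:` sends the full item to yara when an empty string is passed, so the check should be `if item_content is None:`. More specific to this module, `self.item = Item(item_id)` is kept on the instance, presumably for `yara_rules_match` to report the match, but the callback has no way to know it ran on a caller-supplied fragment rather than the item's content, so an alert on an extracted PGP name or mail would be attributed to the whole item; consider storing the scanned data alongside it, e.g. `self.item_content = item_content`, or documenting in a docstring that matches are always reported per item. These points depend on yara_rules_match, which is outside the hunk, as is the rest of compute.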
|
||||||
|
|