mirror of https://github.com/CIRCL/AIL-framework
166 lines
5.4 KiB
Python
Executable File
166 lines
5.4 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
# -*-coding:UTF-8 -*
|
|
"""
|
|
The Retro_Hunt trackers module
|
|
===================
|
|
|
|
"""
|
|
|
|
##################################
|
|
# Import External packages
|
|
##################################
|
|
import os
|
|
import sys
|
|
import time
|
|
import yara
|
|
|
|
sys.path.append(os.environ['AIL_BIN'])
|
|
##################################
|
|
# Import Project packages
|
|
##################################
|
|
from modules.abstract_module import AbstractModule
|
|
from lib.ail_core import get_objects_retro_hunted
|
|
from lib.ConfigLoader import ConfigLoader
|
|
from lib.objects import ail_objects
|
|
from lib import Tracker
|
|
|
|
class Retro_Hunt_Module(AbstractModule):
|
|
|
|
"""
|
|
Retro_Hunt module for AIL framework
|
|
"""
|
|
def __init__(self):
|
|
super(Retro_Hunt_Module, self).__init__()
|
|
config_loader = ConfigLoader()
|
|
self.pending_seconds = 5
|
|
|
|
# reset on each loop
|
|
self.retro_hunt = None
|
|
self.nb_objs = 0
|
|
self.nb_done = 0
|
|
self.progress = 0
|
|
self.obj = None
|
|
self.tags = []
|
|
|
|
self.redis_logger.info(f"Module: {self.module_name} Launched")
|
|
|
|
# # TODO: # start_time
|
|
# # end_time
|
|
def compute(self, task_uuid):
|
|
self.redis_logger.warning(f'{self.module_name}, starting Retro hunt task {task_uuid}')
|
|
print(f'starting Retro hunt task {task_uuid}')
|
|
self.progress = 0
|
|
# First launch
|
|
# restart
|
|
self.retro_hunt = Tracker.RetroHunt(task_uuid)
|
|
|
|
rule = self.retro_hunt.get_rule(r_compile=True)
|
|
timeout = self.retro_hunt.get_timeout()
|
|
self.tags = self.retro_hunt.get_tags()
|
|
|
|
self.redis_logger.debug(f'{self.module_name}, Retro Hunt rule {task_uuid} timeout {timeout}')
|
|
|
|
# Filters
|
|
filters = self.retro_hunt.get_filters()
|
|
if not filters:
|
|
filters = {}
|
|
for obj_type in get_objects_retro_hunted():
|
|
filters[obj_type] = {}
|
|
|
|
self.nb_objs = ail_objects.card_objs_iterators(filters)
|
|
|
|
# Resume
|
|
last_obj = self.retro_hunt.get_last_analyzed()
|
|
if last_obj:
|
|
last_obj_type, last_obj_subtype, last_obj_id = last_obj.split(':', 2)
|
|
else:
|
|
last_obj_type = None
|
|
last_obj_subtype = None
|
|
last_obj_id = None
|
|
|
|
self.nb_done = 0
|
|
self.update_progress()
|
|
|
|
for obj_type in filters:
|
|
if last_obj_type:
|
|
filters['start'] = f'{last_obj_subtype}:{last_obj_id}'
|
|
last_obj_type = None
|
|
for obj in ail_objects.obj_iterator(obj_type, filters):
|
|
self.obj = obj
|
|
content = obj.get_content(r_type='bytes')
|
|
rule.match(data=content, callback=self.yara_rules_match,
|
|
which_callbacks=yara.CALLBACK_MATCHES, timeout=timeout)
|
|
|
|
self.nb_done += 1
|
|
if self.nb_done % 10 == 0:
|
|
self.retro_hunt.set_last_analyzed(obj.get_type(), obj.get_subtype(r_str=True), obj.get_id())
|
|
self.retro_hunt.set_last_analyzed_cache(obj.get_type(), obj.get_subtype(r_str=True), obj.get_id())
|
|
|
|
# update progress
|
|
self.update_progress()
|
|
|
|
# PAUSE
|
|
if self.retro_hunt.to_pause():
|
|
self.retro_hunt.set_last_analyzed(obj.get_type(), obj.get_subtype(r_str=True), obj.get_id())
|
|
self.retro_hunt.pause()
|
|
return None
|
|
|
|
# Completed
|
|
self.retro_hunt.complete()
|
|
print(f'Retro Hunt {task_uuid} completed')
|
|
self.redis_logger.warning(f'{self.module_name}, Retro Hunt {task_uuid} completed')
|
|
|
|
def update_progress(self):
|
|
new_progress = self.nb_done * 100 / self.nb_objs
|
|
if int(self.progress) != int(new_progress):
|
|
print(new_progress)
|
|
self.retro_hunt.set_progress(new_progress)
|
|
self.progress = new_progress
|
|
|
|
def yara_rules_match(self, data):
|
|
obj_id = self.obj.get_id()
|
|
# print(data)
|
|
task_uuid = data['namespace']
|
|
|
|
self.redis_logger.info(f'{self.module_name}, Retro hunt {task_uuid} match found: {obj_id}')
|
|
print(f'Retro hunt {task_uuid} match found: {self.obj.get_type()} {obj_id}')
|
|
|
|
self.retro_hunt.add(self.obj.get_type(), self.obj.get_subtype(), obj_id)
|
|
|
|
# TODO FILTER Tags
|
|
# Tags
|
|
for tag in self.tags:
|
|
msg = f'{tag};{id}'
|
|
self.add_message_to_queue(msg, 'Tags')
|
|
|
|
# # Mails
|
|
# EXPORTER MAILS
|
|
return yara.CALLBACK_CONTINUE
|
|
|
|
def run(self):
|
|
"""
|
|
Run Module endless process
|
|
"""
|
|
|
|
# Endless loop processing messages from the input queue
|
|
while self.proceed:
|
|
task_uuid = Tracker.get_retro_hunt_task_to_start()
|
|
if task_uuid:
|
|
# Module processing with the message from the queue
|
|
self.redis_logger.debug(task_uuid)
|
|
# try:
|
|
self.compute(task_uuid)
|
|
# except Exception as err:
|
|
# self.redis_logger.error(f'Error in module {self.module_name}: {err}')
|
|
# # Remove uuid ref
|
|
# self.remove_submit_uuid(uuid)
|
|
else:
|
|
# Wait before next process
|
|
self.redis_logger.debug(f'{self.module_name}, waiting for new message, Idling {self.pending_seconds}s')
|
|
time.sleep(self.pending_seconds)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
module = Retro_Hunt_Module()
|
|
module.run()
|