mirror of https://github.com/MISP/MISP
70 lines
1.7 KiB
PHP
Executable File
70 lines
1.7 KiB
PHP
Executable File
<?php
|
|
|
|
class HidsMd5ExportComponent extends Component {
|
|
|
|
public $rules = array();
|
|
|
|
|
|
function explain() {
|
|
// unshift add in reverse order
|
|
array_unshift($this->rules, '# ');
|
|
array_unshift($this->rules, '# Keep in mind MD5 is not collision resistant');
|
|
array_unshift($this->rules, '# These HIDS export contains MD5 checksums.');
|
|
}
|
|
|
|
function suricataRules($items) {
|
|
|
|
$itemsDone = array();
|
|
foreach ($items as &$item) {
|
|
|
|
|
|
# md5
|
|
$rule_format = '%s';
|
|
|
|
$attribute = &$item['Attribute'];
|
|
|
|
switch ($attribute['type']) {
|
|
case 'md5':
|
|
if (!in_array ($attribute['value1'], $itemsDone)) {
|
|
$this->checksumRule($rule_format, $attribute);
|
|
$itemsDone[] = $attribute['value1'];
|
|
}
|
|
break;
|
|
case 'filename|md5':
|
|
case 'malware-sample':
|
|
if (!in_array ($attribute['value2'], $itemsDone)) {
|
|
$this->partRule($rule_format, $attribute);
|
|
$itemsDone[] = $attribute['value2'];
|
|
}
|
|
break;
|
|
default:
|
|
break;
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
sort($this->rules);
|
|
$this->explain();
|
|
|
|
return $this->rules;
|
|
|
|
|
|
}
|
|
|
|
function checksumRule($rule_format, $attribute) {
|
|
$this->rules[] = sprintf($rule_format,
|
|
$attribute['value1'] // md5
|
|
);
|
|
|
|
}
|
|
|
|
function partRule($rule_format, $attribute) {
|
|
$this->rules[] = sprintf($rule_format,
|
|
$attribute['value2'] // md5
|
|
);
|
|
}
|
|
|
|
}
|