misp-modules/misp_modules/modules/expansion/yara_query.py

import json
import re
try:
    import yara
except (OSError, ImportError):
    print("yara is missing, use 'pip3 install -I -r REQUIREMENTS' from the root of this repository to install it.")

misperrors = {'error': 'Error'}
moduleinfo = {
    'version': '1',
    'author': 'Christian STUDER',
    'description': 'jj',
    'module-type': ['expansion', 'hover'],
    'name': 'YARA Rule Generator',
    'require_standard_format': True,
    'logo': 'yara.png',
    'requirements': ['yara-python python library'],
    'features': "The module takes a hash attribute (md5, sha1, sha256, imphash) as input, and is returning a YARA rule from it. This YARA rule is also validated using the same method as in 'yara_syntax_validator' module.\nBoth hover and expansion functionalities are supported with this module, where the hover part is displaying the resulting YARA rule and the expansion part allows you to add the rule as a new attribute, as usual with expansion modules.",
    'references': ['https://virustotal.github.io/yara/', 'https://github.com/virustotal/yara-python'],
    'input': 'MISP Hash attribute (md5, sha1, sha256, imphash, or any of the composite attribute with filename and one of the previous hash type).',
    'output': 'YARA rule.',
}
moduleconfig = []
mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256', 'imphash'], 'output': ['yara']}


def extract_input_attribute(request):
    for input_type in mispattributes['input']:
        if input_type in request:
            return input_type, request[input_type]


def get_hash_condition(hashtype, hashvalue):
    hashvalue = hashvalue.lower()
    required_module, params = ('pe', '()') if hashtype == 'imphash' else ('hash', '(0, filesize)')
    return '{}.{}{} == "{}"'.format(required_module, hashtype, params, hashvalue), required_module


def handler(q=False):
    if q is False:
        return False
    request = json.loads(q)
    attribute = extract_input_attribute(request)
    if attribute is None:
        return {'error': f'Wrong input type, please choose in the following: {", ".join(mispattributes["input"])}'}
    uuid = request.pop('attribute_uuid') if 'attribute_uuid' in request else None
    attribute_type, value = attribute
    if 'filename' in attribute_type:
        _, attribute_type = attribute_type.split('|')
        _, value = value.split('|')
    condition, required_module = get_hash_condition(attribute_type, value)
    import_section = 'import "{}"'.format(required_module)
    rule_start = '%s\r\nrule %s_%s {' % (import_section, attribute_type.upper(), re.sub(r'\W+', '_', uuid)) if uuid else '%s\r\nrule %s {' % (import_section, attribute_type.upper())
    condition = '\tcondition:\r\n\t\t{}'.format(condition)
    rule = '\r\n'.join([rule_start, condition, '}'])
    try:
        yara.compile(source=rule)
    except Exception as e:
        misperrors['error'] = 'Syntax error: {}'.format(e)
        return misperrors
    return {'results': [{'types': mispattributes['output'], 'values': rule}]}


def introspection():
    return mispattributes


def version():
    moduleinfo['config'] = moduleconfig
    return moduleinfo
new: First version of a yara rule creation expansion module 2018-10-18 14:44:57 +02:00			`import json`
fix: Making yara query an expansion module for single attributes atm 2018-10-31 10:21:21 +01:00			`import re`
chg: Validating yara rules after their creation 2018-11-02 21:35:02 +01:00			`try:`
			`import yara`
			`except (OSError, ImportError):`
fix: Updated yara import error message - Better to 'pip install -I -r REQUIREMENTS' to have the correct yara-python version working for all the modules, than having another one failing with yara hash & pe modules 2018-11-12 16:22:14 +01:00			`print("yara is missing, use 'pip3 install -I -r REQUIREMENTS' from the root of this repository to install it.")`
new: First version of a yara rule creation expansion module 2018-10-18 14:44:57 +02:00
			`misperrors = {'error': 'Error'}`
chg: [doc] Big doc revamp #680 2024-08-12 11:23:10 +02:00			`moduleinfo = {`
			`'version': '1',`
			`'author': 'Christian STUDER',`
			`'description': 'jj',`
			`'module-type': ['expansion', 'hover'],`
			`'name': 'YARA Rule Generator',`
			`'require_standard_format': True,`
			`'logo': 'yara.png',`
			`'requirements': ['yara-python python library'],`
			`'features': "The module takes a hash attribute (md5, sha1, sha256, imphash) as input, and is returning a YARA rule from it. This YARA rule is also validated using the same method as in 'yara_syntax_validator' module.\nBoth hover and expansion functionalities are supported with this module, where the hover part is displaying the resulting YARA rule and the expansion part allows you to add the rule as a new attribute, as usual with expansion modules.",`
			`'references': ['https://virustotal.github.io/yara/', 'https://github.com/virustotal/yara-python'],`
			`'input': 'MISP Hash attribute (md5, sha1, sha256, imphash, or any of the composite attribute with filename and one of the previous hash type).',`
			`'output': 'YARA rule.',`
			`}`
new: First version of a yara rule creation expansion module 2018-10-18 14:44:57 +02:00			`moduleconfig = []`
add: Added imphash to input attribute types 2018-11-13 15:40:47 +01:00			`mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename\|md5', 'filename\|sha1', 'filename\|sha256', 'imphash'], 'output': ['yara']}`
new: First version of a yara rule creation expansion module 2018-10-18 14:44:57 +02:00
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00
fix: [yara_query] Fixed module input parsing - The module used to work properly when called from a single attribute enrichment, but was broken when called from the hover enrichment feature, because of the additional `persistent` field used to define which type of hover enrichment is queried 2021-10-15 17:18:29 +02:00			`def extract_input_attribute(request):`
			`for input_type in mispattributes['input']:`
			`if input_type in request:`
			`return input_type, request[input_type]`


fix: Making yara query an expansion module for single attributes atm 2018-10-31 10:21:21 +01:00			`def get_hash_condition(hashtype, hashvalue):`
add: Added imphash to input attribute types 2018-11-13 15:40:47 +01:00			`hashvalue = hashvalue.lower()`
			`required_module, params = ('pe', '()') if hashtype == 'imphash' else ('hash', '(0, filesize)')`
			`return '{}.{}{} == "{}"'.format(required_module, hashtype, params, hashvalue), required_module`
new: First version of a yara rule creation expansion module 2018-10-18 14:44:57 +02:00
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00
new: First version of a yara rule creation expansion module 2018-10-18 14:44:57 +02:00			`def handler(q=False):`
			`if q is False:`
			`return False`
			`request = json.loads(q)`
fix: [yara_query] Fixed module input parsing - The module used to work properly when called from a single attribute enrichment, but was broken when called from the hover enrichment feature, because of the additional `persistent` field used to define which type of hover enrichment is queried 2021-10-15 17:18:29 +02:00			`attribute = extract_input_attribute(request)`
			`if attribute is None:`
			`return {'error': f'Wrong input type, please choose in the following: {", ".join(mispattributes["input"])}'}`
new: First version of a yara rule creation expansion module 2018-10-18 14:44:57 +02:00			`uuid = request.pop('attribute_uuid') if 'attribute_uuid' in request else None`
fix: [yara_query] Fixed module input parsing - The module used to work properly when called from a single attribute enrichment, but was broken when called from the hover enrichment feature, because of the additional `persistent` field used to define which type of hover enrichment is queried 2021-10-15 17:18:29 +02:00			`attribute_type, value = attribute`
fix: Making yara query an expansion module for single attributes atm 2018-10-31 10:21:21 +01:00			`if 'filename' in attribute_type:`
			`_, attribute_type = attribute_type.split('\|')`
			`_, value = value.split('\|')`
			`condition, required_module = get_hash_condition(attribute_type, value)`
			`import_section = 'import "{}"'.format(required_module)`
add: Added imphash to input attribute types 2018-11-13 15:40:47 +01:00			`rule_start = '%s\r\nrule %s_%s {' % (import_section, attribute_type.upper(), re.sub(r'\W+', '_', uuid)) if uuid else '%s\r\nrule %s {' % (import_section, attribute_type.upper())`
fix: Making yara query an expansion module for single attributes atm 2018-10-31 10:21:21 +01:00			`condition = '\tcondition:\r\n\t\t{}'.format(condition)`
			`rule = '\r\n'.join([rule_start, condition, '}'])`
chg: Validating yara rules after their creation 2018-11-02 21:35:02 +01:00			`try:`
			`yara.compile(source=rule)`
			`except Exception as e:`
			`misperrors['error'] = 'Syntax error: {}'.format(e)`
			`return misperrors`
			`return {'results': [{'types': mispattributes['output'], 'values': rule}]}`
new: First version of a yara rule creation expansion module 2018-10-18 14:44:57 +02:00
fix: Make pep8 happy 2018-12-11 15:29:09 +01:00
new: First version of a yara rule creation expansion module 2018-10-18 14:44:57 +02:00			`def introspection():`
			`return mispattributes`

fix: Make pep8 happy 2018-12-11 15:29:09 +01:00
new: First version of a yara rule creation expansion module 2018-10-18 14:44:57 +02:00			`def version():`
			`moduleinfo['config'] = moduleconfig`
			`return moduleinfo`