mirror of https://github.com/MISP/misp-modules
fix: Making yara query an expansion module for single attributes atm
chrisr3d
parent
1d530a7fa6
commit
1c10fd5e50
|
|
@ -1,5 +1,5 @@
|
||||||
import json
|
import json
|
||||||
import sys
|
import re
|
||||||
|
|
||||||
misperrors = {'error': 'Error'}
|
misperrors = {'error': 'Error'}
|
||||||
moduleinfo = {'version': '1', 'author': 'Christian STUDER',
|
moduleinfo = {'version': '1', 'author': 'Christian STUDER',
|
||||||
|
|
@ -7,10 +7,10 @@ moduleinfo = {'version': '1', 'author': 'Christian STUDER',
|
||||||
'module-type': ['expansion', 'hover'],
|
'module-type': ['expansion', 'hover'],
|
||||||
'require_standard_format': True}
|
'require_standard_format': True}
|
||||||
moduleconfig = []
|
moduleconfig = []
|
||||||
mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256'], 'output': ['yara rule']}
|
mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256'], 'output': ['yara']}
|
||||||
|
|
||||||
def hash_cond(hashtype, hashvalue):
|
def get_hash_condition(hashtype, hashvalue):
|
||||||
condition = 'hash.{}(0, filesize) == {}'.format(hashtype, hashvalue.lower())
|
condition = 'hash.{}(0, filesize) == "{}"'.format(hashtype, hashvalue.lower())
|
||||||
return condition, 'hash'
|
return condition, 'hash'
|
||||||
|
|
||||||
def handler(q=False):
|
def handler(q=False):
|
||||||
|
|
@ -21,20 +21,16 @@ def handler(q=False):
|
||||||
if 'event_id' in request:
|
if 'event_id' in request:
|
||||||
del request['event_id']
|
del request['event_id']
|
||||||
uuid = request.pop('attribute_uuid') if 'attribute_uuid' in request else None
|
uuid = request.pop('attribute_uuid') if 'attribute_uuid' in request else None
|
||||||
rules = []
|
attribute_type, value = list(request.items())[0]
|
||||||
types = []
|
if 'filename' in attribute_type:
|
||||||
for attribute_type, value in request.items():
|
_, attribute_type = attribute_type.split('|')
|
||||||
if 'filename' in attribute_type:
|
_, value = value.split('|')
|
||||||
_, attribute_type = attribute_type.split('|')
|
condition, required_module = get_hash_condition(attribute_type, value)
|
||||||
_, value = value.split('|')
|
import_section = 'import "{}"'.format(required_module)
|
||||||
condition, required_module = hash_cond(attribute_type, value)
|
rule_start = 'import "hash" \r\nrule %s_%s {' % (attribute_type.upper(), re.sub(r'\W+', '_', uuid)) if uuid else 'import "hash"\r\nrule %s {' % attribute_type.upper()
|
||||||
condition = '\r\n\t\t'.join([condition])
|
condition = '\tcondition:\r\n\t\t{}'.format(condition)
|
||||||
import_section = '\r\n'.join(['import "{}"'.format(required_module)])
|
rule = '\r\n'.join([rule_start, condition, '}'])
|
||||||
rule_start = 'rule %s {' % uuid if uuid else 'rule {'
|
return {'results': [{'types': mispattributes['output'], 'values': [rule]}]}
|
||||||
condition = '\tcondition:\r\n\t\t{}'.format(condition)
|
|
||||||
rules.append('\r\n'.join([rule_start, condition, '}']))
|
|
||||||
types.append('yara')
|
|
||||||
return {'results': [{'types': [t], 'values': [v]} for t, v in zip(types, rules)]}
|
|
||||||
|
|
||||||
def introspection():
|
def introspection():
|
||||||
return mispattributes
|
return mispattributes
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue