Bugfix for "sources" ; do not include as IDS for "access" registry keys
- Bugfix to query "operations" in files, mutex, registry - Do not set IDS flag for registry 'access' operations (pull/300/head)
parent
559ed786ba
commit
1cd60790fd
|
@ -127,9 +127,14 @@ def handler(q=False):
|
||||||
misperrors['error'] = "No vti_results returned or jobs not finished"
|
misperrors['error'] = "No vti_results returned or jobs not finished"
|
||||||
return misperrors
|
return misperrors
|
||||||
else:
|
else:
|
||||||
|
if "result" in data:
|
||||||
|
if data["result"] == "ok":
|
||||||
|
return vmray_results
|
||||||
|
|
||||||
|
# Fallback
|
||||||
misperrors['error'] = "Unable to fetch sample id %u" % (sample_id)
|
misperrors['error'] = "Unable to fetch sample id %u" % (sample_id)
|
||||||
return misperrors
|
return misperrors
|
||||||
except Exception as e: # noqa
|
except Exception as e: # noqa
|
||||||
misperrors['error'] = "Unable to access VMRay API : %s" % (e)
|
misperrors['error'] = "Unable to access VMRay API : %s" % (e)
|
||||||
return misperrors
|
return misperrors
|
||||||
else:
|
else:
|
||||||
|
@ -173,7 +178,7 @@ def vmrayDownloadAnalysis(api, analysis_id):
|
||||||
try:
|
try:
|
||||||
data = api.call("GET", "/rest/analysis/%u/archive/logs/summary.json" % (analysis_id), raw_data=True)
|
data = api.call("GET", "/rest/analysis/%u/archive/logs/summary.json" % (analysis_id), raw_data=True)
|
||||||
return json.loads(data.read().decode())
|
return json.loads(data.read().decode())
|
||||||
except Exception as e: # noqa
|
except Exception as e: # noqa
|
||||||
misperrors['error'] = "Unable to download summary.json for analysis %s" % (analysis_id)
|
misperrors['error'] = "Unable to download summary.json for analysis %s" % (analysis_id)
|
||||||
return misperrors
|
return misperrors
|
||||||
else:
|
else:
|
||||||
|
@ -337,7 +342,7 @@ def vmrayArtifacts(patterns):
|
||||||
for el in patterns[pattern]:
|
for el in patterns[pattern]:
|
||||||
values = el["mutex_name"]
|
values = el["mutex_name"]
|
||||||
types = ["mutex"]
|
types = ["mutex"]
|
||||||
if "sources" in el:
|
if "operations" in el:
|
||||||
sources = el["operations"]
|
sources = el["operations"]
|
||||||
comment = "Operations: " + ", ".join(str(x) for x in sources)
|
comment = "Operations: " + ", ".join(str(x) for x in sources)
|
||||||
else:
|
else:
|
||||||
|
@ -348,18 +353,21 @@ def vmrayArtifacts(patterns):
|
||||||
for el in patterns[pattern]:
|
for el in patterns[pattern]:
|
||||||
values = el["reg_key_name"]
|
values = el["reg_key_name"]
|
||||||
types = ["regkey"]
|
types = ["regkey"]
|
||||||
if "sources" in el:
|
include_static_to_ids_tmp = include_static_to_ids
|
||||||
|
if "operations" in el:
|
||||||
sources = el["operations"]
|
sources = el["operations"]
|
||||||
|
if sources == ["access"]:
|
||||||
|
include_static_to_ids_tmp = False
|
||||||
comment = "Operations: " + ", ".join(str(x) for x in sources)
|
comment = "Operations: " + ", ".join(str(x) for x in sources)
|
||||||
else:
|
else:
|
||||||
comment = ""
|
comment = ""
|
||||||
|
|
||||||
r['results'].append({'types': types, 'values': values, 'comment': comment, 'to_ids': include_static_to_ids})
|
r['results'].append({'types': types, 'values': values, 'comment': comment, 'to_ids': include_static_to_ids_tmp})
|
||||||
if pattern == "urls":
|
if pattern == "urls":
|
||||||
for el in patterns[pattern]:
|
for el in patterns[pattern]:
|
||||||
values = el["url"]
|
values = el["url"]
|
||||||
types = ["url"]
|
types = ["url"]
|
||||||
if "sources" in el:
|
if "operations" in el:
|
||||||
sources = el["operations"]
|
sources = el["operations"]
|
||||||
comment = "Operations: " + ", ".join(str(x) for x in sources)
|
comment = "Operations: " + ", ".join(str(x) for x in sources)
|
||||||
else:
|
else:
|
||||||
|
|
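Review bot: In the regkey hunk (@ -348,18 +353,21), `if sources == ["access"]:` is an exact list comparison, so to_ids is only cleared when the operations list is precisely the single element "access"; a key whose list also carries other operations, or lists them in a different order, keeps the IDS flag. If the intent is "suppress IDS whenever the key was only read, regardless of ordering", `if set(sources) == {"access"}:` expresses that without depending on list order; if any access should suppress it, `if "access" in sources:` would be the form — which one is right depends on the operation vocabulary VMRay emits, which this hunk does not show. Either way a one-line comment above the check, such as `# Keys that are only accessed (never written/created) are weak indicators: do not flag them for IDS`, would record why only registry entries get this treatment while mutexes and URLs in the neighbouring hunks do not. The enclosing vmrayArtifacts function starts and ends outside these hunks.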