MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity

new: First version of a yara rule creation expansion module

pull/245/head
chrisr3d 2018-10-18 14:44:57 +02:00
parent 35edeac9e3
commit 1d530a7fa6
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
2 changed files with 45 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
misp_modules/modules/expansion/__init__.py
View File

@ -1,3 +1,3 @@
from . import _vmray
__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries', 'dbl_spamhaus', 'vulners']
__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries', 'dbl_spamhaus', 'vulners', 'yara_query']

44
misp_modules/modules/expansion/yara_query.py Normal file
View File

@ -0,0 +1,44 @@
import json
import sys
misperrors = {'error': 'Error'}
moduleinfo = {'version': '1', 'author': 'Christian STUDER',
'description': 'Yara export for hashes.',
'module-type': ['expansion', 'hover'],
'require_standard_format': True}
moduleconfig = []
mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256'], 'output': ['yara rule']}
def hash_cond(hashtype, hashvalue):
condition = 'hash.{}(0, filesize) == {}'.format(hashtype, hashvalue.lower())
return condition, 'hash'
def handler(q=False):
if q is False:
return False
request = json.loads(q)
del request['module']
if 'event_id' in request:
del request['event_id']
uuid = request.pop('attribute_uuid') if 'attribute_uuid' in request else None
rules = []
types = []
for attribute_type, value in request.items():
if 'filename' in attribute_type:
_, attribute_type = attribute_type.split('|')
_, value = value.split('|')
condition, required_module = hash_cond(attribute_type, value)
condition = '\r\n\t\t'.join([condition])
import_section = '\r\n'.join(['import "{}"'.format(required_module)])
rule_start = 'rule %s {' % uuid if uuid else 'rule {'
condition = '\tcondition:\r\n\t\t{}'.format(condition)
rules.append('\r\n'.join([rule_start, condition, '}']))
types.append('yara')
return {'results': [{'types': [t], 'values': [v]} for t, v in zip(types, rules)]}
def introspection():
return mispattributes
def version():
moduleinfo['config'] = moduleconfig
return moduleinfo