add: Added imphash to input attribute types

pull/266/head
chrisr3d 2018-11-13 15:40:47 +01:00
parent f62ca53e90
commit 299e97d1ce
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
1 changed files with 5 additions and 4 deletions


@ -11,11 +11,12 @@ moduleinfo = {'version': '1', 'author': 'Christian STUDER',
'module-type': ['expansion', 'hover'],
'require_standard_format': True}
moduleconfig = []
mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256'], 'output': ['yara']}
mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256', 'imphash'], 'output': ['yara']}
def get_hash_condition(hashtype, hashvalue):
condition = 'hash.{}(0, filesize) == "{}"'.format(hashtype, hashvalue.lower())
return condition, 'hash'
hashvalue = hashvalue.lower()
required_module, params = ('pe', '()') if hashtype == 'imphash' else ('hash', '(0, filesize)')
return '{}.{}{} == "{}"'.format(required_module, hashtype, params, hashvalue), required_module
def handler(q=False):
if q is False:
@ -31,7 +32,7 @@ def handler(q=False):
_, value = value.split('|')
condition, required_module = get_hash_condition(attribute_type, value)
import_section = 'import "{}"'.format(required_module)
rule_start = 'import "hash" \r\nrule %s_%s {' % (attribute_type.upper(), re.sub(r'\W+', '_', uuid)) if uuid else 'import "hash"\r\nrule %s {' % attribute_type.upper()
rule_start = '%s\r\nrule %s_%s {' % (import_section, attribute_type.upper(), re.sub(r'\W+', '_', uuid)) if uuid else '%s\r\nrule %s {' % (import_section, attribute_type.upper())
condition = '\tcondition:\r\n\t\t{}'.format(condition)
rule = '\r\n'.join([rule_start, condition, '}'])
try:
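Review bot: The value interpolated into the YARA condition on the new `return` line of get_hash_condition (first hunk) is still embedded without checking that it is a hex digest, so an attribute value containing a double quote, a newline or other condition text produces a malformed or altered rule; this predates the commit, but the rewritten function is the natural place for the guard. Every type in `mispattributes['input']` is a hex digest, so a check such as `if not re.fullmatch(r'[0-9a-f]+', hashvalue): raise ValueError('not a hex digest: {}'.format(hashvalue))` placed right after the `.lower()` would reject bad input before it reaches the rule text (`re` is already used in handler; how the error is reported to the caller depends on handler's error handling, which lies outside the hunk). Separately, the new `mispattributes` line adds `'imphash'` but not `'filename|imphash'`, even though the `filename|` split in the second hunk would treat it like the other composite types; if MISP exposes that attribute type, adding it would keep the input list consistent. The `handler` definition in the first hunk and its body in the second hunk continue outside the shown lines.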