From 299e97d1cec6d2c536d05dc41a3a05d2b1cebede Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Tue, 13 Nov 2018 15:40:47 +0100
Subject: [PATCH] add: Added imphash to input attribute types
---
 misp_modules/modules/expansion/yara_query.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/misp_modules/modules/expansion/yara_query.py b/misp_modules/modules/expansion/yara_query.py
index 9b24c88..3b85bcb 100644
--- a/misp_modules/modules/expansion/yara_query.py
+++ b/misp_modules/modules/expansion/yara_query.py
@@ -11,11 +11,12 @@ moduleinfo = {'version': '1', 'author': 'Christian STUDER',
 'module-type': ['expansion', 'hover'], 'require_standard_format': True}
 moduleconfig = []
-mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256'], 'output': ['yara']}
+mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256', 'imphash'], 'output': ['yara']}
 def get_hash_condition(hashtype, hashvalue):
- condition = 'hash.{}(0, filesize) == "{}"'.format(hashtype, hashvalue.lower())
- return condition, 'hash'
+ hashvalue = hashvalue.lower()
+ required_module, params = ('pe', '()') if hashtype == 'imphash' else ('hash', '(0, filesize)')
+ return '{}.{}{} == "{}"'.format(required_module, hashtype, params, hashvalue), required_module
 def handler(q=False):
 if q is False:
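Review bot: get_hash_condition interpolates `hashvalue` straight into the rule text on the new `return` line without checking that it is a hexadecimal digest, so a stray quote, whitespace or a non-hex value carried in the attribute ends up inside the generated YARA source and the failure only surfaces at compile time. A guard after the `.lower()` line such as `if not re.fullmatch(r'[0-9a-f]+', hashvalue):` followed by `raise ValueError('not a hexadecimal digest: {}'.format(hashvalue))` would reject malformed input explicitly; `re` is already used in this file, but handler's error handling is outside this hunk, so whether it catches ValueError or expects an error-dict return needs checking. The tuple-select on the `required_module, params` line also deserves a why-comment, e.g. `# imphash comes from yara's pe module and takes no range; the other digests use the hash module over the whole file`.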
@@ -31,7 +32,7 @@ def handler(q=False):
 _, value = value.split('|')
 condition, required_module = get_hash_condition(attribute_type, value)
 import_section = 'import "{}"'.format(required_module)
- rule_start = 'import "hash" \r\nrule %s_%s {' % (attribute_type.upper(), re.sub(r'\W+', '_', uuid)) if uuid else 'import "hash"\r\nrule %s {' % attribute_type.upper()
+ rule_start = '%s\r\nrule %s_%s {' % (import_section, attribute_type.upper(), re.sub(r'\W+', '_', uuid)) if uuid else '%s\r\nrule %s {' % (import_section, attribute_type.upper())
 condition = '\tcondition:\r\n\t\t{}'.format(condition)
 rule = '\r\n'.join([rule_start, condition, '}'])
 try:
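Review bot: The conditional expression on the added `rule_start` line spells out the `'%s\r\nrule … {' % (import_section, …)` template twice, so the import line and the opening brace are now maintained in two places; computing the identifier first leaves a single template: `rule_name = '%s_%s' % (attribute_type.upper(), re.sub(r'\W+', '_', uuid)) if uuid else attribute_type.upper()` followed by `rule_start = '%s\r\nrule %s {' % (import_section, rule_name)`. The identifier is still derived from `attribute_type`, which for the `filename|…` input types contains a `|` unless it is normalised above this hunk (only `value` is visibly split here); `rule FILENAME|MD5 {` would not compile, so that normalisation is worth confirming. handler's body starts and ends outside the hunk.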