From be5635b0a4e5bb306bb596681180d0b96a751c26 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Fri, 15 Oct 2021 17:18:29 +0200
Subject: [PATCH] fix: [yara_query] Fixed module input parsing - The module used to work properly when called from a single attribute enrichment, but was broken when called from the hover enrichment feature, because of the additional `persistent` field used to define which type of hover enrichment is queried
---
 misp_modules/modules/expansion/yara_query.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/misp_modules/modules/expansion/yara_query.py b/misp_modules/modules/expansion/yara_query.py
index 3a75acc..e905de5 100644
--- a/misp_modules/modules/expansion/yara_query.py
+++ b/misp_modules/modules/expansion/yara_query.py
@@ -14,6 +14,12 @@ moduleconfig = []
 mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256', 'imphash'], 'output': ['yara']}
+def extract_input_attribute(request):
+ for input_type in mispattributes['input']:
+ if input_type in request:
+ return input_type, request[input_type]
+
+
 def get_hash_condition(hashtype, hashvalue):
 hashvalue = hashvalue.lower()
 required_module, params = ('pe', '()') if hashtype == 'imphash' else ('hash', '(0, filesize)')
@@ -24,11 +30,11 @@ def handler(q=False):
 if q is False:
 return False
 request = json.loads(q)
- del request['module']
- if 'event_id' in request:
- del request['event_id']
+ attribute = extract_input_attribute(request)
+ if attribute is None:
+ return {'error': f'Wrong input type, please choose in the following: {", ".join(mispattributes["input"])}'}
 uuid = request.pop('attribute_uuid') if 'attribute_uuid' in request else None
- attribute_type, value = list(request.items())[0]
+ attribute_type, value = attribute
 if 'filename' in attribute_type:
 _, attribute_type = attribute_type.split('|')
 _, value = value.split('|')
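Review bot: `extract_input_attribute` assumes the decoded request is a dict. If `json.loads(q)` yields a string or a list, `if input_type in request` becomes a substring or membership test, and `request[input_type]` then raises TypeError instead of reaching handler's new error return. A guard at the top of the function, `if not isinstance(request, dict): return None`, would route those inputs to the same error path. The fall-through that handler relies on is also implicit; an explicit `return None` and a docstring such as `"""Return (type, value) for the first supported input type found in request, else None."""` would make that contract visible.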
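Review bot: The new guard only rejects a request with no supported input type; `value` is still taken from the request unchecked. A non-string value, or a `filename|…` value that does not contain exactly one `|`, raises at the `_, value = value.split('|')` line that closes this hunk, where it could return an error dict instead. Checking `isinstance(value, str)` first and using `value = value.rsplit('|', 1)[-1]` would handle both cases, since the hash is the last field and a filename may itself contain a pipe. The value is presumably passed on to `get_hash_condition` and into the generated YARA output, so it would also be worth confirming it is a hex digest of the expected length for its type. handler's body continues outside the hunk.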