fix: [yara_query] Fixed module input parsing

- The module used to work properly when called
  from a single attribute enrichment, but was
  broken when called from the hover enrichment
  feature, because of the additional `persistent`
  field used to define which type of hover
  enrichment is queried
chrisr3d 2021-10-15 17:18:29 +02:00
parent 4162ccb528
commit be5635b0a4
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
1 changed files with 10 additions and 4 deletions


@ -14,6 +14,12 @@ moduleconfig = []
mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256', 'imphash'], 'output': ['yara']} mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256', 'imphash'], 'output': ['yara']}
def extract_input_attribute(request):
for input_type in mispattributes['input']:
if input_type in request:
return input_type, request[input_type]
def get_hash_condition(hashtype, hashvalue): def get_hash_condition(hashtype, hashvalue):
hashvalue = hashvalue.lower() hashvalue = hashvalue.lower()
required_module, params = ('pe', '()') if hashtype == 'imphash' else ('hash', '(0, filesize)') required_module, params = ('pe', '()') if hashtype == 'imphash' else ('hash', '(0, filesize)')
@ -24,11 +30,11 @@ def handler(q=False):
if q is False: if q is False:
return False return False
request = json.loads(q) request = json.loads(q)
del request['module'] attribute = extract_input_attribute(request)
if 'event_id' in request: if attribute is None:
del request['event_id'] return {'error': f'Wrong input type, please choose in the following: {", ".join(mispattributes["input"])}'}
uuid = request.pop('attribute_uuid') if 'attribute_uuid' in request else None uuid = request.pop('attribute_uuid') if 'attribute_uuid' in request else None
attribute_type, value = list(request.items())[0] attribute_type, value = attribute
if 'filename' in attribute_type: if 'filename' in attribute_type:
_, attribute_type = attribute_type.split('|') _, attribute_type = attribute_type.split('|')
_, value = value.split('|') _, value = value.split('|')
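Review bot: The composite-value unpacking on the last line of the hunk, `_, value = value.split('|')`, still assumes exactly one `|` in the value, so a `filename|*` attribute whose filename part itself contains a `|` (or a value with no separator at all) raises an uncaught ValueError rather than the structured `{'error': ...}` dict the new `extract_input_attribute` check now returns for a wrong key. Because the hash is always the last `|`-separated field, `_, _, value = value.rpartition('|')` keeps the hash for any filename; the sibling `attribute_type.split('|')` is safe as-is since the key comes from the fixed `mispattributes['input']` list. In the first hunk, `extract_input_attribute` falls through to an implicit None that this code relies on; an explicit `return None` plus a one-line docstring such as `"""Return (input_type, value) for the first mispattributes['input'] key present in request, or None."""` would make that contract visible. The `def handler(q=False):` line and the rest of the handler body lie outside this hunk.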