From 1d530a7fa6a600ff230ef4ab91f9d009e29ab3c4 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Thu, 18 Oct 2018 14:44:57 +0200
Subject: [PATCH 1/3] new: First version of a yara rule creation expansion module
---
misp_modules/modules/expansion/__init__.py | 2 +-
misp_modules/modules/expansion/yara_query.py | 44 ++++++++++++++++++++
2 files changed, 45 insertions(+), 1 deletion(-)
create mode 100644 misp_modules/modules/expansion/yara_query.py
diff --git a/misp_modules/modules/expansion/__init__.py b/misp_modules/modules/expansion/__init__.py
index fce9343..f1c6d7a 100644
--- a/misp_modules/modules/expansion/__init__.py
+++ b/misp_modules/modules/expansion/__init__.py
@@ -1,3 +1,3 @@
 from . import _vmray
-__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries', 'dbl_spamhaus', 'vulners']
+__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries', 'dbl_spamhaus', 'vulners', 'yara_query']
diff --git a/misp_modules/modules/expansion/yara_query.py b/misp_modules/modules/expansion/yara_query.py
new file mode 100644
index 0000000..89d2e65
--- /dev/null
+++ b/misp_modules/modules/expansion/yara_query.py
@@ -0,0 +1,44 @@
+import json
+import sys
+
+misperrors = {'error': 'Error'}
+moduleinfo = {'version': '1', 'author': 'Christian STUDER',
+ 'description': 'Yara export for hashes.',
+ 'module-type': ['expansion', 'hover'],
+ 'require_standard_format': True}
+moduleconfig = []
+mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256'], 'output': ['yara rule']}
+
+def hash_cond(hashtype, hashvalue):
+ condition = 'hash.{}(0, filesize) == {}'.format(hashtype, hashvalue.lower())
+ return condition, 'hash'
+
+def handler(q=False):
+ if q is False:
+ return False
+ request = json.loads(q)
+ del request['module']
+ if 'event_id' in request:
+ del request['event_id']
+ uuid = request.pop('attribute_uuid') if 'attribute_uuid' in request else None
+ rules = []
+ types = []
+ for attribute_type, value in request.items():
+ if 'filename' in attribute_type:
+ _, attribute_type = attribute_type.split('|')
+ _, value = value.split('|')
+ condition, required_module = hash_cond(attribute_type, value)
+ condition = '\r\n\t\t'.join([condition])
+ import_section = '\r\n'.join(['import "{}"'.format(required_module)])
+ rule_start = 'rule %s {' % uuid if uuid else 'rule {'
+ condition = '\tcondition:\r\n\t\t{}'.format(condition)
+ rules.append('\r\n'.join([rule_start, condition, '}']))
+ types.append('yara')
+ return {'results': [{'types': [t], 'values': [v]} for t, v in zip(types, rules)]}
+
+def introspection():
+ return mispattributes
+
+def version():
+ moduleinfo['config'] = moduleconfig
+ return moduleinfo
From 1c10fd5e50eab118fbfef87f5d4db7006089ddb9 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Wed, 31 Oct 2018 10:21:21 +0100
Subject: [PATCH 2/3] fix: Making yara query an expansion module for single attributes atm
---
misp_modules/modules/expansion/yara_query.py | 32 +++++++++----------
1 file changed, 14 insertions(+), 18 deletions(-)
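Review bot: `import_section` is built from the module name that `hash_cond` returns but is never used, so the emitted rule has no `import "hash"` line at all and YARA will reject the `hash.md5(...)` condition; the same dead assignment survives in the PATCH 2/3 hunk, where the import is instead hard-coded into `rule_start`. Either drop the variable or assemble the rule from it, `rules.append('\r\n'.join([import_section, rule_start, condition, '}']))`. A few lines earlier `del request['module']` raises KeyError on a request that lacks the key, whereas `event_id` is checked first; `request.pop('module', None)` is the tolerant form and the same applies to the PATCH 2/3 version of handler. `import sys` is unused in this version.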
diff --git a/misp_modules/modules/expansion/yara_query.py b/misp_modules/modules/expansion/yara_query.py
index 89d2e65..a071bb4 100644
--- a/misp_modules/modules/expansion/yara_query.py
+++ b/misp_modules/modules/expansion/yara_query.py
@@ -1,5 +1,5 @@
 import json
-import sys
+import re
 misperrors = {'error': 'Error'}
 moduleinfo = {'version': '1', 'author': 'Christian STUDER',
@@ -7,10 +7,10 @@ moduleinfo = {'version': '1', 'author': 'Christian STUDER',
 'module-type': ['expansion', 'hover'],
 'require_standard_format': True}
 moduleconfig = []
-mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256'], 'output': ['yara rule']}
+mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256'], 'output': ['yara']}
-def hash_cond(hashtype, hashvalue):
- condition = 'hash.{}(0, filesize) == {}'.format(hashtype, hashvalue.lower())
+def get_hash_condition(hashtype, hashvalue):
+ condition = 'hash.{}(0, filesize) == "{}"'.format(hashtype, hashvalue.lower())
 return condition, 'hash'
 def handler(q=False):
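Review bot: `get_hash_condition` has no docstring saying what the two-tuple it returns is for, or why the digest is lowercased; I would add `"""Return (YARA condition, required YARA module) for one hash attribute."""` and, on the condition line, `# YARA's hash.* functions return lowercase hex, so normalise the digest to match`. The docstring should also state that `hashvalue` is interpolated verbatim inside the double quotes, since nothing here checks it is a hex digest and the caller in the next hunk is where that validation has to happen.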
@@ -21,20 +21,16 @@ def handler(q=False):
 if 'event_id' in request:
 del request['event_id']
 uuid = request.pop('attribute_uuid') if 'attribute_uuid' in request else None
- rules = []
- types = []
- for attribute_type, value in request.items():
- if 'filename' in attribute_type:
- _, attribute_type = attribute_type.split('|')
- _, value = value.split('|')
- condition, required_module = hash_cond(attribute_type, value)
- condition = '\r\n\t\t'.join([condition])
- import_section = '\r\n'.join(['import "{}"'.format(required_module)])
- rule_start = 'rule %s {' % uuid if uuid else 'rule {'
- condition = '\tcondition:\r\n\t\t{}'.format(condition)
- rules.append('\r\n'.join([rule_start, condition, '}']))
- types.append('yara')
- return {'results': [{'types': [t], 'values': [v]} for t, v in zip(types, rules)]}
+ attribute_type, value = list(request.items())[0]
+ if 'filename' in attribute_type:
+ _, attribute_type = attribute_type.split('|')
+ _, value = value.split('|')
+ condition, required_module = get_hash_condition(attribute_type, value)
+ import_section = 'import "{}"'.format(required_module)
+ rule_start = 'import "hash" \r\nrule %s_%s {' % (attribute_type.upper(), re.sub(r'\W+', '_', uuid)) if uuid else 'import "hash"\r\nrule %s {' % attribute_type.upper()
+ condition = '\tcondition:\r\n\t\t{}'.format(condition)
+ rule = '\r\n'.join([rule_start, condition, '}'])
+ return {'results': [{'types': mispattributes['output'], 'values': [rule]}]}
 def introspection():
 return mispattributes
From af0870b59c164bcd9f7f3375570f3159432d431b Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Wed, 31 Oct 2018 10:35:10 +0100
Subject: [PATCH 3/3] Updated list of modules in readme
---
README.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 66ca56f..b8bd14d 100644
--- a/README.md
+++ b/README.md
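Review bot: `value` comes straight from the request and is placed inside the quoted YARA condition with only `.lower()` applied, so a malformed attribute (wrong length, non-hex characters, an embedded `"` or newline) produces a rule YARA rejects or one whose condition no longer says what the attribute says. Since `re` is now imported, validate before building the rule, e.g. `if not re.fullmatch(r'[0-9a-fA-F]+', value):` / `    misperrors['error'] = 'Invalid {} value'.format(attribute_type)` / `    return misperrors`, ideally pinning the digest length per type (32 for md5, 40 for sha1, 64 for sha256). `_, value = value.split('|')` raises ValueError when the filename part itself contains a `|`; `value.rsplit('|', 1)` keeps the digest as the last field. `list(request.items())[0]` presumably relies on the attribute being the only key left after `module`, `event_id` and `attribute_uuid` are removed, so any further key MISP sends would be picked up as the attribute — selecting the first key that is in `mispattributes['input']` would be safer. handler starts outside this hunk.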
@@ -53,6 +53,7 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
 * [whois](misp_modules/modules/expansion) - a module to query a local instance of [uwhois](https://github.com/rafiot/uwhoisd).
 * [wikidata](misp_modules/modules/expansion/wiki.py) - a [wikidata](https://www.wikidata.org) expansion module.
 * [xforce](misp_modules/modules/expansion/xforceexchange.py) - an IBM X-Force Exchange expansion module.
+* [YARA query](misp_modules/modules/expansion/yara_query.py) - a module to create YARA rules from single hash attributes.
 * [YARA syntax validator](misp_modules/modules/expansion/yara_syntax_validator.py) - YARA syntax validator.
 ### Export modules