Merge pull request #245 from chrisr3d/master

YARA rules from hashes expansion module

README.md

@@ -53,6 +53,7 @@ For more information: [Extending MISP with Python modules](https://www.circl.lu/
 * [whois](misp_modules/modules/expansion) - a module to query a local instance of [uwhois](https://github.com/rafiot/uwhoisd).
 * [wikidata](misp_modules/modules/expansion/wiki.py) - a [wikidata](https://www.wikidata.org) expansion module.
 * [xforce](misp_modules/modules/expansion/xforceexchange.py) - an IBM X-Force Exchange expansion module.
+* [YARA query](misp_modules/modules/expansion/yara_query.py) - a module to create YARA rules from single hash attributes.
 * [YARA syntax validator](misp_modules/modules/expansion/yara_syntax_validator.py) - YARA syntax validator.
 
 ### Export modules

misp_modules/modules/expansion/__init__.py

@@ -1,3 +1,3 @@
 from . import _vmray
 
-__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries', 'dbl_spamhaus', 'vulners']
+__all__ = ['vmray_submit', 'asn_history', 'circl_passivedns', 'circl_passivessl', 'countrycode', 'cve', 'dns', 'domaintools', 'eupi', 'farsight_passivedns', 'ipasn', 'passivetotal', 'sourcecache', 'virustotal', 'whois', 'shodan', 'reversedns', 'geoip_country', 'wiki', 'iprep', 'threatminer', 'otx', 'threatcrowd', 'vulndb', 'crowdstrike_falcon', 'yara_syntax_validator', 'hashdd', 'onyphe', 'onyphe_full', 'rbl', 'xforceexchange', 'sigma_syntax_validator', 'stix2_pattern_syntax_validator', 'sigma_queries', 'dbl_spamhaus', 'vulners', 'yara_query']

misp_modules/modules/expansion/yara_query.py

@@ -0,0 +1,40 @@
+import json
+import re
+
+misperrors = {'error': 'Error'}
+moduleinfo = {'version': '1', 'author': 'Christian STUDER',
+              'description': 'Yara export for hashes.',
+              'module-type': ['expansion', 'hover'],
+              'require_standard_format': True}
+moduleconfig = []
+mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256'], 'output': ['yara']}
+
+def get_hash_condition(hashtype, hashvalue):
+    condition = 'hash.{}(0, filesize) == "{}"'.format(hashtype, hashvalue.lower())
+    return condition, 'hash'
+
+def handler(q=False):
+    if q is False:
+        return False
+    request = json.loads(q)
+    del request['module']
+    if 'event_id' in request:
+        del request['event_id']
+    uuid = request.pop('attribute_uuid') if 'attribute_uuid' in request else None
+    attribute_type, value = list(request.items())[0]
+    if 'filename' in attribute_type:
+        _, attribute_type = attribute_type.split('|')
+        _, value = value.split('|')
+    condition, required_module = get_hash_condition(attribute_type, value)
+    import_section = 'import "{}"'.format(required_module)
+    rule_start = 'import "hash" \r\nrule %s_%s {' % (attribute_type.upper(), re.sub(r'\W+', '_', uuid)) if uuid else 'import "hash"\r\nrule %s {' % attribute_type.upper()
+    condition = '\tcondition:\r\n\t\t{}'.format(condition)
+    rule = '\r\n'.join([rule_start, condition, '}'])
+    return {'results': [{'types': mispattributes['output'], 'values': [rule]}]}
+
+def introspection():
+    return mispattributes
+
+def version():
+    moduleinfo['config'] = moduleconfig
+    return moduleinfo