mirror of https://github.com/MISP/misp-modules
Update vmray_submit
The submit module hat some smaller issues with the reanalyze flag. The source for the enrichment object has been changed and the robustness of user supplied config parsing improved.pull/393/head
parent
be27869903
commit
ebf71a371b
|
@ -1,7 +1,7 @@
|
|||
#!/usr/bin/env python3
|
||||
|
||||
'''
|
||||
Submit sample to VMRay.
|
||||
Submit sample to VMRay.
|
||||
|
||||
Requires "vmray_rest_api"
|
||||
|
||||
|
@ -14,6 +14,7 @@ as a cron job
|
|||
|
||||
import json
|
||||
import base64
|
||||
from distutils.util import strtobool
|
||||
|
||||
import io
|
||||
import zipfile
|
||||
|
@ -22,7 +23,7 @@ from ._vmray.vmray_rest_api import VMRayRESTAPI
|
|||
|
||||
misperrors = {'error': 'Error'}
|
||||
mispattributes = {'input': ['attachment', 'malware-sample'], 'output': ['text', 'sha1', 'sha256', 'md5', 'link']}
|
||||
moduleinfo = {'version': '0.2', 'author': 'Koen Van Impe',
|
||||
moduleinfo = {'version': '0.3', 'author': 'Koen Van Impe',
|
||||
'description': 'Submit a sample to VMRay',
|
||||
'module-type': ['expansion']}
|
||||
moduleconfig = ['apikey', 'url', 'shareable', 'do_not_reanalyze', 'do_not_include_vmrayjobids']
|
||||
|
@ -71,25 +72,13 @@ def handler(q=False):
|
|||
do_not_reanalyze = request["config"].get("do_not_reanalyze")
|
||||
do_not_include_vmrayjobids = request["config"].get("do_not_include_vmrayjobids")
|
||||
|
||||
# Do we want the sample to be shared?
|
||||
if shareable == "True":
|
||||
shareable = True
|
||||
else:
|
||||
shareable = False
|
||||
|
||||
# Always reanalyze the sample?
|
||||
if do_not_reanalyze == "True":
|
||||
do_not_reanalyze = True
|
||||
else:
|
||||
do_not_reanalyze = False
|
||||
reanalyze = not do_not_reanalyze
|
||||
|
||||
# Include the references to VMRay job IDs
|
||||
if do_not_include_vmrayjobids == "True":
|
||||
do_not_include_vmrayjobids = True
|
||||
else:
|
||||
do_not_include_vmrayjobids = False
|
||||
include_vmrayjobids = not do_not_include_vmrayjobids
|
||||
try:
|
||||
shareable = bool(strtobool(shareable)) # Do we want the sample to be shared?
|
||||
reanalyze = not bool(strtobool(do_not_reanalyze)) # Always reanalyze the sample?
|
||||
include_vmrayjobids = not bool(strtobool(do_not_include_vmrayjobids)) # Include the references to VMRay job IDs
|
||||
except ValueError:
|
||||
misperrors["error"] = "Error while processing settings. Please double-check your values."
|
||||
return misperrors
|
||||
|
||||
if data and sample_filename:
|
||||
args = {}
|
||||
|
@ -99,7 +88,7 @@ def handler(q=False):
|
|||
|
||||
try:
|
||||
vmraydata = vmraySubmit(api, args)
|
||||
if vmraydata["errors"]:
|
||||
if vmraydata["errors"] and "Submission not stored" not in vmraydata["errors"][0]["error_msg"]:
|
||||
misperrors['error'] = "VMRay: %s" % vmraydata["errors"][0]["error_msg"]
|
||||
return misperrors
|
||||
else:
|
||||
|
@ -125,22 +114,20 @@ def vmrayProcess(vmraydata):
|
|||
''' Process the JSON file returned by vmray'''
|
||||
if vmraydata:
|
||||
try:
|
||||
submissions = vmraydata["submissions"][0]
|
||||
sample = vmraydata["samples"][0]
|
||||
jobs = vmraydata["jobs"]
|
||||
|
||||
# Result received?
|
||||
if submissions and jobs:
|
||||
if sample:
|
||||
r = {'results': []}
|
||||
r['results'].append({'types': 'md5', 'values': submissions['submission_sample_md5']})
|
||||
r['results'].append({'types': 'sha1', 'values': submissions['submission_sample_sha1']})
|
||||
r['results'].append({'types': 'sha256', 'values': submissions['submission_sample_sha256']})
|
||||
r['results'].append({'types': 'text', 'values': 'VMRay Sample ID: %s' % submissions['submission_sample_id'], 'tags': 'workflow:state="incomplete"'})
|
||||
r['results'].append({'types': 'text', 'values': 'VMRay Submission ID: %s' % submissions['submission_id']})
|
||||
r['results'].append({'types': 'text', 'values': 'VMRay Submission Sample IP: %s' % submissions['submission_ip_ip']})
|
||||
r['results'].append({'types': 'link', 'values': submissions['submission_webif_url']})
|
||||
r['results'].append({'types': 'md5', 'values': sample['sample_md5hash']})
|
||||
r['results'].append({'types': 'sha1', 'values': sample['sample_sha1hash']})
|
||||
r['results'].append({'types': 'sha256', 'values': sample['sample_sha256hash']})
|
||||
r['results'].append({'types': 'text', 'values': 'VMRay Sample ID: %s' % sample['sample_id'], 'tags': 'workflow:state="incomplete"'})
|
||||
r['results'].append({'types': 'link', 'values': sample['sample_webif_url']})
|
||||
|
||||
# Include data from different jobs
|
||||
if include_vmrayjobids:
|
||||
if include_vmrayjobids and len(jobs) > 0:
|
||||
for job in jobs:
|
||||
job_id = job["job_id"]
|
||||
job_vm_name = job["job_vm_name"]
|
||||
|
|
Loading…
Reference in New Issue