Update vmray_submit

The submit module hat some smaller issues with the reanalyze flag.
The source for the enrichment object has been changed and the robustness
of user supplied config parsing improved.
pull/393/head
Matthias Meidinger 2020-04-23 14:47:48 +02:00
parent be27869903
commit ebf71a371b
1 changed files with 19 additions and 32 deletions

View File

@ -1,7 +1,7 @@
#!/usr/bin/env python3
'''
Submit sample to VMRay.
Submit sample to VMRay.
Requires "vmray_rest_api"
@ -14,6 +14,7 @@ as a cron job
import json
import base64
from distutils.util import strtobool
import io
import zipfile
@ -22,7 +23,7 @@ from ._vmray.vmray_rest_api import VMRayRESTAPI
misperrors = {'error': 'Error'}
mispattributes = {'input': ['attachment', 'malware-sample'], 'output': ['text', 'sha1', 'sha256', 'md5', 'link']}
moduleinfo = {'version': '0.2', 'author': 'Koen Van Impe',
moduleinfo = {'version': '0.3', 'author': 'Koen Van Impe',
'description': 'Submit a sample to VMRay',
'module-type': ['expansion']}
moduleconfig = ['apikey', 'url', 'shareable', 'do_not_reanalyze', 'do_not_include_vmrayjobids']
@ -71,25 +72,13 @@ def handler(q=False):
do_not_reanalyze = request["config"].get("do_not_reanalyze")
do_not_include_vmrayjobids = request["config"].get("do_not_include_vmrayjobids")
# Do we want the sample to be shared?
if shareable == "True":
shareable = True
else:
shareable = False
# Always reanalyze the sample?
if do_not_reanalyze == "True":
do_not_reanalyze = True
else:
do_not_reanalyze = False
reanalyze = not do_not_reanalyze
# Include the references to VMRay job IDs
if do_not_include_vmrayjobids == "True":
do_not_include_vmrayjobids = True
else:
do_not_include_vmrayjobids = False
include_vmrayjobids = not do_not_include_vmrayjobids
try:
shareable = bool(strtobool(shareable)) # Do we want the sample to be shared?
reanalyze = not bool(strtobool(do_not_reanalyze)) # Always reanalyze the sample?
include_vmrayjobids = not bool(strtobool(do_not_include_vmrayjobids)) # Include the references to VMRay job IDs
except ValueError:
misperrors["error"] = "Error while processing settings. Please double-check your values."
return misperrors
if data and sample_filename:
args = {}
@ -99,7 +88,7 @@ def handler(q=False):
try:
vmraydata = vmraySubmit(api, args)
if vmraydata["errors"]:
if vmraydata["errors"] and "Submission not stored" not in vmraydata["errors"][0]["error_msg"]:
misperrors['error'] = "VMRay: %s" % vmraydata["errors"][0]["error_msg"]
return misperrors
else:
@ -125,22 +114,20 @@ def vmrayProcess(vmraydata):
''' Process the JSON file returned by vmray'''
if vmraydata:
try:
submissions = vmraydata["submissions"][0]
sample = vmraydata["samples"][0]
jobs = vmraydata["jobs"]
# Result received?
if submissions and jobs:
if sample:
r = {'results': []}
r['results'].append({'types': 'md5', 'values': submissions['submission_sample_md5']})
r['results'].append({'types': 'sha1', 'values': submissions['submission_sample_sha1']})
r['results'].append({'types': 'sha256', 'values': submissions['submission_sample_sha256']})
r['results'].append({'types': 'text', 'values': 'VMRay Sample ID: %s' % submissions['submission_sample_id'], 'tags': 'workflow:state="incomplete"'})
r['results'].append({'types': 'text', 'values': 'VMRay Submission ID: %s' % submissions['submission_id']})
r['results'].append({'types': 'text', 'values': 'VMRay Submission Sample IP: %s' % submissions['submission_ip_ip']})
r['results'].append({'types': 'link', 'values': submissions['submission_webif_url']})
r['results'].append({'types': 'md5', 'values': sample['sample_md5hash']})
r['results'].append({'types': 'sha1', 'values': sample['sample_sha1hash']})
r['results'].append({'types': 'sha256', 'values': sample['sample_sha256hash']})
r['results'].append({'types': 'text', 'values': 'VMRay Sample ID: %s' % sample['sample_id'], 'tags': 'workflow:state="incomplete"'})
r['results'].append({'types': 'link', 'values': sample['sample_webif_url']})
# Include data from different jobs
if include_vmrayjobids:
if include_vmrayjobids and len(jobs) > 0:
for job in jobs:
job_id = job["job_id"]
job_vm_name = job["job_vm_name"]