From d1308f9924d67a04df11ca9841517feda808be8f Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Fri, 2 Nov 2018 21:35:02 +0100
Subject: [PATCH 1/3] chg: Validating yara rules after their creation

---
 misp_modules/modules/expansion/yara_query.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/misp_modules/modules/expansion/yara_query.py b/misp_modules/modules/expansion/yara_query.py
index a071bb4..565030c 100644
--- a/misp_modules/modules/expansion/yara_query.py
+++ b/misp_modules/modules/expansion/yara_query.py
@@ -1,5 +1,9 @@
 import json
 import re
+try:
+    import yara
+except (OSError, ImportError):
+    print("yara is missing, use 'pip3 install yara' to install it.")
 
 misperrors = {'error': 'Error'}
 moduleinfo = {'version': '1', 'author': 'Christian STUDER',
@@ -30,7 +34,12 @@ def handler(q=False):
     rule_start = 'import "hash" \r\nrule %s_%s {' % (attribute_type.upper(), re.sub(r'\W+', '_', uuid)) if uuid else 'import "hash"\r\nrule %s {' % attribute_type.upper()
     condition = '\tcondition:\r\n\t\t{}'.format(condition)
     rule = '\r\n'.join([rule_start, condition, '}'])
-    return {'results': [{'types': mispattributes['output'], 'values': [rule]}]}
+    try:
+        yara.compile(source=rule)
+    except Exception as e:
+        misperrors['error'] = 'Syntax error: {}'.format(e)
+        return misperrors
+    return {'results': [{'types': mispattributes['output'], 'values': rule}]}
 
 def introspection():
     return mispattributes

From b9f634b506ced81cf4f5d3ff935481084f2ce96a Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Mon, 12 Nov 2018 16:14:54 +0100
Subject: [PATCH 2/3] fix: Specifying a yara-python version that works for hash & pe yara modules

---
 REQUIREMENTS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/REQUIREMENTS b/REQUIREMENTS
index cfaf9ad..3bbcc88 100644
--- a/REQUIREMENTS
+++ b/REQUIREMENTS
@@ -21,7 +21,7 @@ domaintools_api
 pygeoip
 bs4
 oauth2
-yara-python
+yara-python==3.8.0
 sigmatools
 stix2-patterns
 maclookup
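Review bot: The new import guard in the first hunk only prints and then lets the module load with `yara` unbound, so a missing or unloadable libyara does not fail at import time but resurfaces later inside handler() as a NameError; the same guard is touched again by both hunks of the third patch, where the point applies equally. Catching OSError here is reasonable because yara-python loads the native libyara at import, but the failure should be recorded so handler() can report it through the module's normal error channel, e.g. `yara = None` in the except branch and, at the top of handler(), `if yara is None: misperrors['error'] = 'yara-python is not installed'` followed by `return misperrors`. Printing to stdout also bypasses that error channel entirely; a logging call would be the consistent choice.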
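Review bot: In the second hunk, `except Exception as e` around `yara.compile(source=rule)` is too broad: when the guarded import at the top of the file has failed, the resulting NameError is caught here and returned to the user as `Syntax error: name 'yara' is not defined`, which misdirects debugging toward the generated rule. Narrow it to `except yara.SyntaxError as e:`, which yara-python raises for compilation failures (with `yara.Error` as the base class for its other errors), so genuine environment problems propagate with their real message. The same hunk also changes the success path from `'values': [rule]` to `'values': rule`, dropping the list wrapping the previous code had and that the other expansion modules' result dicts use; unless the consumer was deliberately changed to expect a bare string, keep `'values': [rule]`. handler() begins before this hunk, so the code that builds `condition` and `attribute_type` is not visible here.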
From 58b3a069bfa333cbc8f66efac5936a4461c9eba0 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Mon, 12 Nov 2018 16:22:14 +0100
Subject: [PATCH 3/3] fix: Updated yara import error message

- Better to 'pip install -I -r REQUIREMENTS' to have the correct yara-python version working for all the modules, than having another one failing with yara hash & pe modules
---
 misp_modules/modules/expansion/yara_query.py | 2 +-
 misp_modules/modules/expansion/yara_syntax_validator.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/misp_modules/modules/expansion/yara_query.py b/misp_modules/modules/expansion/yara_query.py
index 565030c..9b24c88 100644
--- a/misp_modules/modules/expansion/yara_query.py
+++ b/misp_modules/modules/expansion/yara_query.py
@@ -3,7 +3,7 @@ import re
 try:
     import yara
 except (OSError, ImportError):
-    print("yara is missing, use 'pip3 install yara' to install it.")
+    print("yara is missing, use 'pip3 install -I -r REQUIREMENTS' from the root of this repository to install it.")
 
 misperrors = {'error': 'Error'}
 moduleinfo = {'version': '1', 'author': 'Christian STUDER',
diff --git a/misp_modules/modules/expansion/yara_syntax_validator.py b/misp_modules/modules/expansion/yara_syntax_validator.py
index c68d934..804ebd9 100644
--- a/misp_modules/modules/expansion/yara_syntax_validator.py
+++ b/misp_modules/modules/expansion/yara_syntax_validator.py
@@ -3,7 +3,7 @@ import requests
 try:
     import yara
 except (OSError, ImportError):
-    print("yara is missing, use 'pip3 install yara' to install it.")
+    print("yara is missing, use 'pip3 install -I -r REQUIREMENTS' from the root of this repository to install it.")
 
 misperrors = {'error': 'Error'}
 mispattributes = {'input': ['yara'], 'output': ['text']}