mirror of https://github.com/MISP/misp-modules
71 lines
3.1 KiB
Python
71 lines
3.1 KiB
Python
import json
|
|
import re
|
|
try:
|
|
import yara
|
|
except (OSError, ImportError):
|
|
print("yara is missing, use 'pip3 install -I -r REQUIREMENTS' from the root of this repository to install it.")
|
|
|
|
misperrors = {'error': 'Error'}
|
|
moduleinfo = {
|
|
'version': '1',
|
|
'author': 'Christian STUDER',
|
|
'description': 'jj',
|
|
'module-type': ['expansion', 'hover'],
|
|
'name': 'YARA Rule Generator',
|
|
'require_standard_format': True,
|
|
'logo': 'yara.png',
|
|
'requirements': ['yara-python python library'],
|
|
'features': "The module takes a hash attribute (md5, sha1, sha256, imphash) as input, and is returning a YARA rule from it. This YARA rule is also validated using the same method as in 'yara_syntax_validator' module.\nBoth hover and expansion functionalities are supported with this module, where the hover part is displaying the resulting YARA rule and the expansion part allows you to add the rule as a new attribute, as usual with expansion modules.",
|
|
'references': ['https://virustotal.github.io/yara/', 'https://github.com/virustotal/yara-python'],
|
|
'input': 'MISP Hash attribute (md5, sha1, sha256, imphash, or any of the composite attribute with filename and one of the previous hash type).',
|
|
'output': 'YARA rule.',
|
|
}
|
|
moduleconfig = []
|
|
mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256', 'imphash'], 'output': ['yara']}
|
|
|
|
|
|
def extract_input_attribute(request):
|
|
for input_type in mispattributes['input']:
|
|
if input_type in request:
|
|
return input_type, request[input_type]
|
|
|
|
|
|
def get_hash_condition(hashtype, hashvalue):
|
|
hashvalue = hashvalue.lower()
|
|
required_module, params = ('pe', '()') if hashtype == 'imphash' else ('hash', '(0, filesize)')
|
|
return '{}.{}{} == "{}"'.format(required_module, hashtype, params, hashvalue), required_module
|
|
|
|
|
|
def handler(q=False):
|
|
if q is False:
|
|
return False
|
|
request = json.loads(q)
|
|
attribute = extract_input_attribute(request)
|
|
if attribute is None:
|
|
return {'error': f'Wrong input type, please choose in the following: {", ".join(mispattributes["input"])}'}
|
|
uuid = request.pop('attribute_uuid') if 'attribute_uuid' in request else None
|
|
attribute_type, value = attribute
|
|
if 'filename' in attribute_type:
|
|
_, attribute_type = attribute_type.split('|')
|
|
_, value = value.split('|')
|
|
condition, required_module = get_hash_condition(attribute_type, value)
|
|
import_section = 'import "{}"'.format(required_module)
|
|
rule_start = '%s\r\nrule %s_%s {' % (import_section, attribute_type.upper(), re.sub(r'\W+', '_', uuid)) if uuid else '%s\r\nrule %s {' % (import_section, attribute_type.upper())
|
|
condition = '\tcondition:\r\n\t\t{}'.format(condition)
|
|
rule = '\r\n'.join([rule_start, condition, '}'])
|
|
try:
|
|
yara.compile(source=rule)
|
|
except Exception as e:
|
|
misperrors['error'] = 'Syntax error: {}'.format(e)
|
|
return misperrors
|
|
return {'results': [{'types': mispattributes['output'], 'values': rule}]}
|
|
|
|
|
|
def introspection():
|
|
return mispattributes
|
|
|
|
|
|
def version():
|
|
moduleinfo['config'] = moduleconfig
|
|
return moduleinfo
|