MISP
/
misp-modules
mirror of https://github.com/MISP/misp-modules
2
0
Fork 0
Code Issues Releases Wiki Activity
Modules for expansion services, import and export in MISP http://misp.github.io/misp-modules
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1101 Commits
25 Branches
27 Tags
13 MiB
 
 
 
 
Tree: 181e6383a3
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '181e6383a3'
${ noResults }
misp-modules/misp_modules/modules/expansion/yara_query.py

54 lines
2.1 KiB
Raw Blame History

import json
import re
try:
import yara
except (OSError, ImportError):
print("yara is missing, use 'pip3 install -I -r REQUIREMENTS' from the root of this repository to install it.")
misperrors = {'error': 'Error'}
moduleinfo = {'version': '1', 'author': 'Christian STUDER',
'description': 'Yara export for hashes.',
'module-type': ['expansion', 'hover'],
'require_standard_format': True}
moduleconfig = []
mispattributes = {'input': ['md5', 'sha1', 'sha256', 'filename|md5', 'filename|sha1', 'filename|sha256', 'imphash'], 'output': ['yara']}
def get_hash_condition(hashtype, hashvalue):
hashvalue = hashvalue.lower()
required_module, params = ('pe', '()') if hashtype == 'imphash' else ('hash', '(0, filesize)')
return '{}.{}{} == "{}"'.format(required_module, hashtype, params, hashvalue), required_module
def handler(q=False):
if q is False:
return False
request = json.loads(q)
del request['module']
if 'event_id' in request:
del request['event_id']
uuid = request.pop('attribute_uuid') if 'attribute_uuid' in request else None
attribute_type, value = list(request.items())[0]
if 'filename' in attribute_type:
_, attribute_type = attribute_type.split('|')
_, value = value.split('|')
condition, required_module = get_hash_condition(attribute_type, value)
import_section = 'import "{}"'.format(required_module)
rule_start = '%s\r\nrule %s_%s {' % (import_section, attribute_type.upper(), re.sub(r'\W+', '_', uuid)) if uuid else '%s\r\nrule %s {' % (import_section, attribute_type.upper())
condition = '\tcondition:\r\n\t\t{}'.format(condition)
rule = '\r\n'.join([rule_start, condition, '}'])
try:
yara.compile(source=rule)
except Exception as e:
misperrors['error'] = 'Syntax error: {}'.format(e)
return misperrors
return {'results': [{'types': mispattributes['output'], 'values': rule}]}
def introspection():
return mispattributes
def version():
moduleinfo['config'] = moduleconfig
return moduleinfo