 def __init__(self, name, lastline_url, lastline_api_key, lastline_api_token, verify_ssl=False):
     """Bind this provider to one Lastline deployment.

     ``verify_ssl`` is handed straight to ``AnalysisClient``; judging by its
     name it controls whether the server's TLS certificate is validated, and
     the default of ``False`` leaves that check off for every API call, so
     deployments should pass ``True`` unless they deliberately accept that.
     """
     super(LastlineProvider, self).__init__(name)
     client = AnalysisClient(lastline_url, lastline_api_key, lastline_api_token,
                             verify_ssl=verify_ssl)
     self.lastline_analysis = client
     # The hosted Lastline service serves its malscape UI from a different
     # host than the API, so links are rewritten for that case.
     prefix = "%s/malscape/#/task/" % lastline_url
     if "analysis.lastline.com" in prefix.lower():
         prefix = "https://user.lastline.com/malscape/#/task/"
     self.feed_link_prefix = prefix
    def _init_client(self):
        """Build the Lastline ``AnalysisClient`` from the stored credentials.

        Returns:
            A client configured with ``self._url``, ``self._key`` and
            ``self._api_token``.

        Raises:
            ValueError: if the ``key`` or ``api_token`` option is empty/missing.
        """
        key, token = self._key, self._api_token
        # Fail fast on incomplete credentials rather than letting the client
        # surface an opaque authentication error later.
        if not key:
            raise ValueError('Missing "key" config option')
        if not token:
            raise ValueError('Missing "api_token" config option')
        return AnalysisClient(self._url, key, token)  # noqa
 def __init__(self, name, lastline_url, lastline_api_key, lastline_api_token, verify_ssl=False):
     """Bind this provider to one Lastline deployment.

     ``verify_ssl`` is handed straight to ``AnalysisClient``; judging by its
     name it controls whether the server's TLS certificate is validated, and
     the default of ``False`` leaves that check off for every API call, so
     deployments should pass ``True`` unless they deliberately accept that.
     """
     super(LastlineProvider, self).__init__(name)
     client = AnalysisClient(lastline_url, lastline_api_key, lastline_api_token,
                             verify_ssl=verify_ssl)
     self.lastline_analysis = client
     # The hosted Lastline service serves its malscape UI from a different
     # host than the API, so links are rewritten for that case.
     prefix = "%s/malscape/#/task/" % lastline_url
     if "analysis.lastline.com" in prefix.lower():
         prefix = "https://user.lastline.com/malscape/#/task/"
     self.feed_link_prefix = prefix
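    def _init_client(self):
        """Build the Lastline ``AnalysisClient`` from the provider configuration.

        Reads ``url`` (defaulting to the hosted analysis service), ``key`` and
        ``api_token`` from ``self.config``.

        Returns:
            A configured ``AnalysisClient``.

        Raises:
            ValueError: if ``key`` or ``api_token`` is missing or empty.
        """
        url = self.config.get('url', 'https://analysis.lastline.com')
        key = self.config.get('key')
        api_token = self.config.get('api_token')

        # These errors must be raised, not returned: returning the exception
        # object let a misconfigured provider hand back a ValueError instance
        # in place of the client, which then failed far from the real cause.
        if not key:
            raise ValueError('Missing "key" config option')
        if not api_token:
            raise ValueError('Missing "api_token" config option')

        return AnalysisClient(url, key, api_token)  # noqa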
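class LastlineProvider(BinaryAnalysisProvider):
    """Submit binaries to a Lastline analysis service and turn verdicts into AnalysisResults.

    All calls go through ``AnalysisClient``. Transient problems (API errors,
    malformed responses, analyses that are still running) are reported as
    ``AnalysisTemporaryError`` so the caller can retry later.
    """

    # Polling parameters for analyze_binary(): number of progress checks and
    # the pause between them, in seconds.
    POLL_RETRIES = 10
    POLL_INTERVAL_SECONDS = 10
    # Delay (seconds) the caller is told to wait before retrying a temporary error.
    RETRY_IN_SECONDS = 120

    def __init__(self, name, lastline_url, lastline_api_key, lastline_api_token, verify_ssl=False):
        """Create a provider bound to one Lastline deployment.

        Args:
            name: provider name, forwarded to ``BinaryAnalysisProvider``.
            lastline_url: base URL of the Lastline analysis API.
            lastline_api_key: API key for the service.
            lastline_api_token: API token for the service.
            verify_ssl: forwarded to ``AnalysisClient``; by its name it controls
                TLS certificate validation. The default ``False`` is kept only for
                backward compatibility — deployments should pass ``True``.
        """
        super(LastlineProvider, self).__init__(name)
        if not verify_ssl:
            # Make the insecure default visible in the logs instead of silent.
            log.warning("LastLine provider %s: verify_ssl is disabled", name)
        self.lastline_analysis = AnalysisClient(lastline_url, lastline_api_key, lastline_api_token,
                                                verify_ssl=verify_ssl)
        # Result links point at the malscape UI; the hosted service serves that
        # UI from user.lastline.com rather than from the API host.
        self.feed_link_prefix = "%s/malscape/#/task/" % lastline_url
        if "analysis.lastline.com" in self.feed_link_prefix.lower():
            self.feed_link_prefix = "https://user.lastline.com/malscape/#/task/"

    def get_uuid(self, response):
        """Extract the task UUID from a Lastline API response.

        Args:
            response: decoded API response; expected to be a dict whose ``data``
                entry is a dict holding ``task_uuid``.

        Returns:
            The task UUID.

        Raises:
            AnalysisTemporaryError: if the response does not have the expected
                shape or carries no task UUID.
        """
        try:
            task_uuid = response.get('data', {}).get('task_uuid', None)
        except AttributeError:
            # response (or its 'data' entry) is not a mapping, e.g. None or a list.
            raise AnalysisTemporaryError(message="Invalid response from LastLine: %s" % response,
                                         retry_in=self.RETRY_IN_SECONDS)
        if not task_uuid:
            raise AnalysisTemporaryError(message="No UUID for result: %s" % response,
                                         retry_in=self.RETRY_IN_SECONDS)
        return task_uuid

    def make_result(self, task_uuid):
        """Fetch the finished analysis for *task_uuid* and build an AnalysisResult.

        Args:
            task_uuid: Lastline task identifier, as returned by ``get_uuid``.

        Returns:
            An ``AnalysisResult`` carrying Lastline's integer score and a message
            listing the reported malicious activity ("Benign" for score 0).

        Raises:
            AnalysisTemporaryError: on any client failure, when the service reports
                an error for the task, or when the result is malformed.
        """
        try:
            result = self.lastline_analysis.get_result(task_uuid)
            data = result.get('data', {})
        except Exception as e:
            # Boundary: every client/transport failure is reported as transient
            # so the caller retries instead of the worker crashing.
            raise AnalysisTemporaryError(message="API error: %s" % str(e), retry_in=self.RETRY_IN_SECONDS)

        if not isinstance(data, dict):
            raise AnalysisTemporaryError(message="Invalid result from LastLine: %s" % result,
                                         retry_in=self.RETRY_IN_SECONDS)
        if 'error' in data:
            raise AnalysisTemporaryError(message=data['error'], retry_in=self.RETRY_IN_SECONDS)

        try:
            score = int(data.get('score', 0))
        except (TypeError, ValueError):
            # A non-numeric score is a malformed response, not a verdict.
            raise AnalysisTemporaryError(message="Invalid score in LastLine result: %r" % (data.get('score'),),
                                         retry_in=self.RETRY_IN_SECONDS)

        if score == 0:
            malware_result = "Benign"
        else:
            # The activity list comes from the service; stringify each entry so an
            # unexpected element type cannot break result construction.
            activities = data.get('malicious_activity') or []
            reasons = "; ".join(str(activity) for activity in activities)
            malware_result = "Potential malware: %s" % reasons

        # Collapse repeated slashes in the path but leave the "://" after the scheme alone.
        link = re.sub("(?<!:)/{2,}", "/", "%s/%s" % (self.feed_link_prefix, task_uuid))
        return AnalysisResult(message=malware_result, extended_message="", link=link, score=score)

    def check_result_for(self, md5sum):
        """Look up an existing Lastline analysis by MD5.

        Args:
            md5sum: hex MD5 of the binary.

        Returns:
            An ``AnalysisResult`` if Lastline already has a verdict for the hash,
            else ``None`` when the file is not known to the service yet.

        Raises:
            AnalysisTemporaryError: on API errors or malformed responses.
        """
        try:
            response = self.lastline_analysis.submit_file_hash(md5=md5sum)
        except FileNotAvailableError:
            # Lastline has never seen this hash; the caller must upload the binary.
            return None
        except AnalysisAPIError as e:
            raise AnalysisTemporaryError(message="API error: %s" % str(e), retry_in=self.RETRY_IN_SECONDS)
        task_uuid = self.get_uuid(response)
        return self.make_result(task_uuid)

    def analyze_binary(self, md5sum, binary_file_stream):
        """Upload a binary to Lastline and wait a bounded time for its verdict.

        Args:
            md5sum: hash of the binary, used for logging only.
            binary_file_stream: file-like object with the binary to submit.

        Returns:
            The ``AnalysisResult`` once Lastline reports the task as completed.

        Raises:
            AnalysisTemporaryError: on API errors (submission or polling), on
                malformed responses, or when the analysis is still running after
                ``POLL_RETRIES`` progress checks.
        """
        log.info("Submitting binary %s to LastLine", md5sum)

        try:
            response = self.lastline_analysis.submit_file(binary_file_stream)
        except AnalysisAPIError as e:
            raise AnalysisTemporaryError(message="API error: %s" % str(e), retry_in=self.RETRY_IN_SECONDS)

        task_uuid = self.get_uuid(response)

        for _ in range(self.POLL_RETRIES):
            sleep(self.POLL_INTERVAL_SECONDS)
            try:
                progress = self.lastline_analysis.get_progress(task_uuid)
            except AnalysisAPIError as e:
                # Same handling as for submission: a polling failure is transient.
                raise AnalysisTemporaryError(message="API error: %s" % str(e), retry_in=self.RETRY_IN_SECONDS)
            # Tolerate a progress payload that is not the expected nested dict;
            # it simply counts as "not completed yet".
            data = progress.get('data') if isinstance(progress, dict) else None
            if isinstance(data, dict) and data.get('completed', 0) == 1:
                return self.make_result(task_uuid)

        raise AnalysisTemporaryError(
            message="Maximum retries (%d) exceeded submitting to LastLine" % self.POLL_RETRIES,
            retry_in=self.RETRY_IN_SECONDS)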
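class LastlineProvider(BinaryAnalysisProvider):
    """Submit binaries to a Lastline analysis service and turn verdicts into AnalysisResults.

    All calls go through ``AnalysisClient``. Transient problems (API errors,
    malformed responses, analyses that are still running) are reported as
    ``AnalysisTemporaryError`` so the caller can retry later.
    """

    # Polling parameters for analyze_binary(): number of progress checks and
    # the pause between them, in seconds.
    POLL_RETRIES = 10
    POLL_INTERVAL_SECONDS = 10
    # Delay (seconds) the caller is told to wait before retrying a temporary error.
    RETRY_IN_SECONDS = 120

    def __init__(self, name, lastline_url, lastline_api_key, lastline_api_token, verify_ssl=False):
        """Create a provider bound to one Lastline deployment.

        Args:
            name: provider name, forwarded to ``BinaryAnalysisProvider``.
            lastline_url: base URL of the Lastline analysis API.
            lastline_api_key: API key for the service.
            lastline_api_token: API token for the service.
            verify_ssl: forwarded to ``AnalysisClient``; by its name it controls
                TLS certificate validation. The default ``False`` is kept only for
                backward compatibility — deployments should pass ``True``.
        """
        super(LastlineProvider, self).__init__(name)
        if not verify_ssl:
            # Make the insecure default visible in the logs instead of silent.
            log.warning("LastLine provider %s: verify_ssl is disabled", name)
        self.lastline_analysis = AnalysisClient(lastline_url, lastline_api_key, lastline_api_token,
                                                verify_ssl=verify_ssl)
        # Result links point at the malscape UI; the hosted service serves that
        # UI from user.lastline.com rather than from the API host.
        self.feed_link_prefix = "%s/malscape/#/task/" % lastline_url
        if "analysis.lastline.com" in self.feed_link_prefix.lower():
            self.feed_link_prefix = "https://user.lastline.com/malscape/#/task/"

    def get_uuid(self, response):
        """Extract the task UUID from a Lastline API response.

        Args:
            response: decoded API response; expected to be a dict whose ``data``
                entry is a dict holding ``task_uuid``.

        Returns:
            The task UUID.

        Raises:
            AnalysisTemporaryError: if the response does not have the expected
                shape or carries no task UUID.
        """
        try:
            task_uuid = response.get('data', {}).get('task_uuid', None)
        except AttributeError:
            # response (or its 'data' entry) is not a mapping, e.g. None or a list.
            raise AnalysisTemporaryError(message="Invalid response from LastLine: %s" % response,
                                         retry_in=self.RETRY_IN_SECONDS)
        if not task_uuid:
            raise AnalysisTemporaryError(message="No UUID for result: %s" % response,
                                         retry_in=self.RETRY_IN_SECONDS)
        return task_uuid

    def make_result(self, task_uuid):
        """Fetch the finished analysis for *task_uuid* and build an AnalysisResult.

        Args:
            task_uuid: Lastline task identifier, as returned by ``get_uuid``.

        Returns:
            An ``AnalysisResult`` carrying Lastline's integer score and a message
            listing the reported malicious activity ("Benign" for score 0).

        Raises:
            AnalysisTemporaryError: on any client failure, when the service reports
                an error for the task, or when the result is malformed.
        """
        try:
            result = self.lastline_analysis.get_result(task_uuid)
            data = result.get('data', {})
        except Exception as e:
            # Boundary: every client/transport failure is reported as transient
            # so the caller retries instead of the worker crashing.
            raise AnalysisTemporaryError(message="API error: %s" % str(e), retry_in=self.RETRY_IN_SECONDS)

        if not isinstance(data, dict):
            raise AnalysisTemporaryError(message="Invalid result from LastLine: %s" % result,
                                         retry_in=self.RETRY_IN_SECONDS)
        if 'error' in data:
            raise AnalysisTemporaryError(message=data['error'], retry_in=self.RETRY_IN_SECONDS)

        try:
            score = int(data.get('score', 0))
        except (TypeError, ValueError):
            # A non-numeric score is a malformed response, not a verdict.
            raise AnalysisTemporaryError(message="Invalid score in LastLine result: %r" % (data.get('score'),),
                                         retry_in=self.RETRY_IN_SECONDS)

        if score == 0:
            malware_result = "Benign"
        else:
            # The activity list comes from the service; stringify each entry so an
            # unexpected element type cannot break result construction.
            activities = data.get('malicious_activity') or []
            reasons = "; ".join(str(activity) for activity in activities)
            malware_result = "Potential malware: %s" % reasons

        # Collapse repeated slashes in the path but leave the "://" after the scheme alone.
        link = re.sub("(?<!:)/{2,}", "/", "%s/%s" % (self.feed_link_prefix, task_uuid))
        return AnalysisResult(message=malware_result, extended_message="", link=link, score=score)

    def check_result_for(self, md5sum):
        """Look up an existing Lastline analysis by MD5.

        Args:
            md5sum: hex MD5 of the binary.

        Returns:
            An ``AnalysisResult`` if Lastline already has a verdict for the hash,
            else ``None`` when the file is not known to the service yet.

        Raises:
            AnalysisTemporaryError: on API errors or malformed responses.
        """
        try:
            response = self.lastline_analysis.submit_file_hash(md5=md5sum)
        except FileNotAvailableError:
            # Lastline has never seen this hash; the caller must upload the binary.
            return None
        except AnalysisAPIError as e:
            raise AnalysisTemporaryError(message="API error: %s" % str(e), retry_in=self.RETRY_IN_SECONDS)
        task_uuid = self.get_uuid(response)
        return self.make_result(task_uuid)

    def analyze_binary(self, md5sum, binary_file_stream):
        """Upload a binary to Lastline and wait a bounded time for its verdict.

        Args:
            md5sum: hash of the binary, used for logging only.
            binary_file_stream: file-like object with the binary to submit.

        Returns:
            The ``AnalysisResult`` once Lastline reports the task as completed.

        Raises:
            AnalysisTemporaryError: on API errors (submission or polling), on
                malformed responses, or when the analysis is still running after
                ``POLL_RETRIES`` progress checks.
        """
        log.info("Submitting binary %s to LastLine", md5sum)

        try:
            response = self.lastline_analysis.submit_file(binary_file_stream)
        except AnalysisAPIError as e:
            raise AnalysisTemporaryError(message="API error: %s" % str(e), retry_in=self.RETRY_IN_SECONDS)

        task_uuid = self.get_uuid(response)

        for _ in range(self.POLL_RETRIES):
            sleep(self.POLL_INTERVAL_SECONDS)
            try:
                progress = self.lastline_analysis.get_progress(task_uuid)
            except AnalysisAPIError as e:
                # Same handling as for submission: a polling failure is transient.
                raise AnalysisTemporaryError(message="API error: %s" % str(e), retry_in=self.RETRY_IN_SECONDS)
            # Tolerate a progress payload that is not the expected nested dict;
            # it simply counts as "not completed yet".
            data = progress.get('data') if isinstance(progress, dict) else None
            if isinstance(data, dict) and data.get('completed', 0) == 1:
                return self.make_result(task_uuid)

        raise AnalysisTemporaryError(
            message="Maximum retries (%d) exceeded submitting to LastLine" % self.POLL_RETRIES,
            retry_in=self.RETRY_IN_SECONDS)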