Ejemplo n.º 1
0
    def _check_attachments(self, attachments, keywords):
        all_filenames = u""
        all_contents = u""

        for i in attachments:
            try:
                all_filenames += i["filename"] + u"\n"

                if i.get("is_archive"):
                    for j in i.get("files"):
                        all_filenames += j["filename"] + u"\n"
                        all_contents += \
                            j["payload"].decode('base64') + u"\n"
                else:
                    all_contents += i["payload"].decode('base64') + u"\n"

            except KeyError:
                continue

            except UnicodeDecodeError:
                continue

        return swt(all_filenames, keywords), swt(all_contents, keywords)
Ejemplo n.º 2
0
    def _search_phishing(self, greedy_data):

        # Reset phishing bitmap
        self._pb.reset_score()

        # Outputs
        targets = set()

        # Get Tokenizer
        mail = greedy_data['tokenizer'][1]
        body = mail.get('body')
        subject = mail.get('subject')
        from_ = mail.get('from')

        # Get Urls in body
        with_urls_body = greedy_data['urls-handler-body'][1]
        urls = None
        if with_urls_body:
            urls = greedy_data['urls-handler-body'][2]

        # Get Urls attachments
        with_urls_attachments = greedy_data['urls-handler-attachments'][1]
        urls_attachments = None
        if with_urls_attachments:
            urls_attachments = greedy_data['urls-handler-attachments'][2]

        # Get Attachments
        with_attachments = greedy_data['attachments'][1]
        attachments = None
        if with_attachments:
            attachments = greedy_data['attachments'][2]

        # Check body
        if body:
            for k, v in self._t_keys.iteritems():
                if swt(body, v):
                    targets.add(k)
                    if 'mail_body' not in self._pb.score_properties:
                        self._pb.set_property_score("mail_body")

        # Check urls body
        # Target not added because urls come from body
        if urls:
            for k, v in self._t_keys.iteritems():
                if 'urls_body' not in self._pb.score_properties:
                    if self._check_urls(urls, v):
                        self._pb.set_property_score("urls_body")

        # Check from
        if from_:
            for k, v in self._t_keys.iteritems():
                if swt(from_, v):
                    targets.add(k)
                    if 'mail_from' not in self._pb.score_properties:
                        self._pb.set_property_score("mail_from")

        # Check attachments filename and text match
        if with_attachments:
            for k, v in self._t_keys.iteritems():
                filename_match, text_match = \
                    self._check_attachments(attachments, v)

                if filename_match or text_match:
                    targets.add(k)

                if (filename_match and
                        'filename_attachments' not in
                        self._pb.score_properties):
                    self._pb.set_property_score("filename_attachments")

                if (text_match and
                        'text_attachments' not in self._pb.score_properties):
                    self._pb.set_property_score("text_attachments")

        # Check urls attachments
        # Target not added because urls come from attachments content
        if urls_attachments:
            for k, v in self._t_keys.iteritems():
                if 'urls_attachments' not in self._pb.score_properties:
                    if self._check_urls(urls_attachments, v):
                        self._pb.set_property_score("urls_attachments")

        # Check subject
        if swt(subject, self._s_keys):
            if 'mail_subject' not in self._pb.score_properties:
                self._pb.set_property_score("mail_subject")

        return self._pb.score, targets
Ejemplo n.º 3
0
 def _check_urls(self, urls, keywords):
     for domain, details in urls.iteritems():
         for i in details:
             if swt(i['url'], keywords):
                 return True