def run(self): """ .. py:function:: run(self) Main entry point for the class. :param self: current class instance :type self: class """ count = 0 for name, ruleset in _loader.iterate_rulesets(): if self._compile_ruleset(name, ruleset): count += 1 if not count: _log.fault("No YARA rulesets loaded. Quitting.") _log.info("Applying a total of <{}> YARA ruleset(s).".format(count)) del count if not self._dispatch_jobs(): _log.warning("Skipping <{}> module(s) invocation.".format( _models.Post.__name__)) return self._invoke_post_modules()
def run(self): """ .. py:function:: run(self) Main entry point for the class. :param self: current class instance :type self: class """ loaded = { "rulesets": 0, "rules": 0 } for name, ruleset in _loader.iterate_rulesets(): status, count = self._compile_ruleset(name, ruleset) if status: loaded["rulesets"] += 1 loaded["rules"] += count if not loaded["rulesets"]: _log.fault("No YARA ruleset(s) loaded. Quitting.") _log.info("Applying a total of <{}> YARA rule(s) from <{}> ruleset(s).".format(loaded["rules"], loaded["rulesets"])) del loaded if not self._dispatch_jobs(): _log.warning("Skipping <{}> module(s) invocation.".format(_models.Post.__name__)) return self._invoke_post_modules()
def run(self): """ .. py:function:: run(self) Main entry point for the class. :param self: current class instance :type self: class """ with self._open_output_file() as self.output: self._read_queue() with self.results[0], _magic.OverrideConsoleLogging("WARNING"): _log.warning( "Total of <{}> matching pattern(s). See <{}> for more details." .format(self.results[1].value, self.target["target"] )) if self.results[1].value else _log.info( "No matching pattern(s) found.") self._store_matching_evidences()
def run(self): """ .. py:function:: run(self) Main entry point for the module. :param self: current class instance :type self: class """ tmp = self.case.require_temporary_directory() for evidence in self.feed: try: mail = eml_parser.eml_parser.decode_email( evidence, include_raw_body=True, include_attachment_data=True) _log.info("Extracted <{}> attachment(s) from <{}>.".format( len(mail["attachment"]), evidence)) except Exception: _log.exception( "Failed to extract data from <{}>. Ignoring evidence.". format(evidence)) continue output_directory = os.path.join(tmp, os.path.basename(evidence)) if not os.path.isdir(output_directory): _fs.create_local_directory(output_directory) for attachment in mail["attachment"]: if not attachment["filename"]: attachment["filename"] = idx if not _fs.matches_patterns(attachment["filename"], self.case.arguments._include): _log.warning( "Ignoring attachment <{}> not matching inner inclusion pattern(s)." .format(attachment["filename"])) continue if _fs.matches_patterns(attachment["filename"], self.case.arguments._exclude): _log.warning( "Ignoring attachment <{}> matching inner exclusion pattern(s)." .format(attachment["filename"])) continue output_path = os.path.join(output_directory, attachment["filename"]) with open(output_path, "wb") as out: out.write(base64.b64decode(attachment["raw"])) _log.debug( "Attachment <{}> extracted from <{}> stored locally as <{}>." .format(attachment["filename"], evidence, output_path)) self.case.track_file(output_path)