Exemple #1
0
 def test_hash_file(self):
     filepath = Files.temp_put("hehe")
     assert Files.md5_file(filepath) == "529ca8050a00180790cf88b63468826a"
     assert Files.sha1_file(
         filepath) == "42525bb6d3b0dc06bb78ae548733e8fbb55446b3"
     assert Files.sha256_file(
         filepath
     ) == "0ebe2eca800cf7bd9d9d9f9f4aafbc0c77ae155f43bbbeca69cb256a24c7f9bb"
Exemple #2
0
    def run(self):
        """Runs IRMA processing
        @return: full IRMA report.
        """
        self.key = "irma"

        """ Fall off if we don't deal with files """
        if self.results.get("info", {}).get("category") != "file":
            log.debug("IRMA supports only file scanning !")
            return {}

        self.url = self.options.get("url")
        self.timeout = int(self.options.get("timeout", 60))
        self.scan = int(self.options.get("scan", 0))
        self.force = int(self.options.get("force", 0))

        sha256 = Files.sha256_file(self.file_path)

        results = self._get_results(sha256)

        if not self.force and not self.scan and not results:
            return {}
        elif self.force or (not results and self.scan):
            log.info("File scan requested: %s", sha256)
            self._scan_file(self.file_path, self.force)
            results = self._get_results(sha256) or {}

        """ FIXME! could use a proper fix here
        that probably needs changes on IRMA side aswell
        --
        related to  https://github.com/elastic/elasticsearch/issues/15377
        entropy value is sometimes 0 and sometimes like  0.10191042566270775
        other issue is that results type changes between string and object :/
        """
        for idx, result in enumerate(results["probe_results"]):
            if result["name"] == "PE Static Analyzer":
                log.debug("Ignoring PE results at index {0}".format(idx))
                results["probe_results"][idx]["results"] = "... scrapped ..."

            """ When VT results comes back with 'detected by 0/58' then it gets
            cached as malicious with signature due to the fact that the result
            exists. This is a workaround to override that tragedy and make it
            compatible with other results.
            """
            if result["name"] == "VirusTotal" \
                    and results["probe_results"][idx]["results"].startswith("detected by 0/"):
                log.debug("Fixing empty match from VT")
                results["probe_results"][idx]["status"] = 0
                results["probe_results"][idx]["results"] = None

        return results
Exemple #3
0
    def run(self):
        """Runs IRMA processing
        @return: full IRMA report.
        """
        self.key = "irma"

        """ Fall off if we don't deal with files """
        if self.results.get("info", {}).get("category") != "file":
            log.debug("IRMA supports only file scanning !")
            return {}

        self.url = self.options.get("url")
        self.timeout = int(self.options.get("timeout", 60))
        self.scan = int(self.options.get("scan", 0))
        self.force = int(self.options.get("force", 0))

        sha256 = Files.sha256_file(self.file_path)

        results = self._get_results(sha256)

        if not self.force and not self.scan and not results:
            return {}
        elif self.force or (not results and self.scan):
            log.info("File scan requested: %s", sha256)
            self._scan_file(self.file_path, self.force)
            results = self._get_results(sha256) or {}

        """ FIXME! could use a proper fix here
        that probably needs changes on IRMA side aswell
        --
        related to  https://github.com/elastic/elasticsearch/issues/15377
        entropy value is sometimes 0 and sometimes like  0.10191042566270775
        other issue is that results type changes between string and object :/
        """
        for idx, result in enumerate(results["probe_results"]):
            if result["name"] == "PE Static Analyzer":
                log.debug("Ignoring PE results at index {0}".format(idx))
                results["probe_results"][idx]["results"] = "... scrapped ..."

        return results
Exemple #4
0
    def run(self):
        """Runs IRMA processing
        @return: full IRMA report.
        """
        self.key = "irma"
        """ Fall off if we don't deal with files """
        if self.results.get("info", {}).get("category") != "file":
            log.debug("IRMA supports only file scanning !")
            return {}

        self.url = self.options.get("url")
        self.timeout = int(self.options.get("timeout", 60))
        self.scan = int(self.options.get("scan", 0))
        self.force = int(self.options.get("force", 0))

        sha256 = Files.sha256_file(self.file_path)

        results = self._get_results(sha256)

        if not self.force and not self.scan and not results:
            return {}
        elif self.force or (not results and self.scan):
            log.info("File scan requested: %s", sha256)
            self._scan_file(self.file_path, self.force)
            results = self._get_results(sha256) or {}
        """ FIXME! could use a proper fix here
        that probably needs changes on IRMA side aswell
        --
        related to  https://github.com/elastic/elasticsearch/issues/15377
        entropy value is sometimes 0 and sometimes like  0.10191042566270775
        other issue is that results type changes between string and object :/
        """
        for idx, result in enumerate(results["probe_results"]):
            if result["name"] == "PE Static Analyzer":
                log.debug("Ignoring PE results at index {0}".format(idx))
                results["probe_results"][idx]["results"] = "... scrapped ..."

        return results
Exemple #5
0
 def test_hash_file(self):
     filepath = Files.temp_put("hehe", "/tmp")
     assert Files.md5_file(filepath) == "529ca8050a00180790cf88b63468826a"
     assert Files.sha1_file(filepath) == "42525bb6d3b0dc06bb78ae548733e8fbb55446b3"
     assert Files.sha256_file(filepath) == "0ebe2eca800cf7bd9d9d9f9f4aafbc0c77ae155f43bbbeca69cb256a24c7f9bb"