def _run(self, scanObject, result, depth, args):
moduleResult = []
flags = []
buffer = scanObject.buffer
cert = None
try:
#scanObject.addMetadata(self.module_name, key, value)
input_bio = BIO.MemoryBuffer(buffer)
#Check for PEM or DER
if buffer[:1] == "0":
#DER
p7 = SMIME.PKCS7(m2.pkcs7_read_bio_der(input_bio._ptr()), 1)
else:
#PEM
p7 = SMIME.load_pkcs7_bio(input_bio)
certs = p7.get0_signers(X509.X509_Stack())
#some pkcs7's should have more than one certificate in them. openssl can extract them handily.
#openssl pkcs7 -inform der -print_certs -in MYKEY.DSA
i=0
for cert in certs:
cert_filename = "%x.der" % (cert.get_serial_number())
moduleResult.append(ModuleObject(buffer=cert.as_der(),externalVars=ExternalVars(filename=cert_filename)))
i = i + 1
except (QuitScanException, GlobalScanTimeoutError, GlobalModuleTimeoutError):
raise
except:
exc_type, exc_value, exc_traceback = sys.exc_info()
logging.exception("Error parsing cert in "+str(get_scanObjectUID(getRootObject(result))))
ugly_error_string = str(exc_value)
#nicer_error_string = string.split(string.split(ugly_error_string,":")[4])[0]
nicer_error_string = ugly_error_string.split(":")[4].split()[0]
scanObject.addFlag("pkcs7:err:"+nicer_error_string)
return moduleResult
def _run(self, scanObject, result, depth, args):
moduleResult = []
flags = []
buffer = scanObject.buffer
cert = None
try:
#scanObject.addMetadata(self.module_name, key, value)
input_bio = BIO.MemoryBuffer(buffer)
#Check for PEM or DER
if buffer[:1] == "0":
#DER
p7 = SMIME.PKCS7(m2.pkcs7_read_bio_der(input_bio._ptr()), 1)
else:
#PEM
p7 = SMIME.load_pkcs7_bio(input_bio)
certs = p7.get0_signers(X509.X509_Stack())
#some pkcs7's should have more than one certificate in them. openssl can extract them handily.
#openssl pkcs7 -inform der -print_certs -in MYKEY.DSA
i = 0
for cert in certs:
cert_filename = "%x.der" % (cert.get_serial_number())
moduleResult.append(
ModuleObject(
buffer=cert.as_der(),
externalVars=ExternalVars(filename=cert_filename)))
i = i + 1
except (QuitScanException, GlobalScanTimeoutError,
GlobalModuleTimeoutError):
raise
except:
exc_type, exc_value, exc_traceback = sys.exc_info()
logging.exception("Error parsing cert in " +
str(get_scanObjectUID(getRootObject(result))))
ugly_error_string = str(exc_value)
#nicer_error_string = string.split(string.split(ugly_error_string,":")[4])[0]
nicer_error_string = ugly_error_string.split(":")[4].split()[0]
scanObject.addFlag("pkcs7:err:" + nicer_error_string)
return moduleResult
def _run(self, scanObject, result, depth, args):
#Initialization
moduleResult = []
verbose = False
resultDict = {}
strMatches = ""
#Read arguments
if 'verbose' in args:
verbose = True
#Populate static metadata
resultDict['Disposition_File'] = config.yaradispositionrules
resultDict['Result'] = "Disposition Not Initialized"
#Get scanObject uID for flag_rollup and rollup flags
myUID = get_scanObjectUID(scanObject)
flag_rollup = self._rollupToMe(result, myUID)
resultDict['Input_Flags'] = flag_rollup
if verbose:
log_module("MSG",
self.module_name,
0,
scanObject,
result,
msg="dispositon_email: flag rollup: %s" % flag_rollup)
try:
matches = yara_on_demand(config.yaradispositionrules,
' '.join(flag_rollup))
lstStrMatches = [str(match) for match in matches]
resultDict['Matches'] = lstStrMatches
if matches:
strMatches = ' '.join(lstStrMatches)
except SyntaxError:
log_module_error(
self.module_name, scanObject, result,
"Error Compiling YARA rules file at: " +
config.yaradispositionrules)
resultDict['Result'] = "YARA RULE SYNTAX ERROR"
resultDict['Result'] = "Accept"
for match in resultDict['Matches']:
if match.startswith("Deny"):
resultDict['Result'] = "Deny"
scanObject.addMetadata(self.module_name, 'Disposition', resultDict)
return moduleResult
def _run(self, scanObject, result, depth, args):
#Initialization
moduleResult = []
verbose = False
resultDict = {}
strMatches = ""
#Read arguments
if 'verbose' in args:
verbose = True
#Populate static metadata
resultDict['Disposition_File'] = config.yaradispositionrules
resultDict['Result'] = "Disposition Not Initialized"
#Get scanObject uID for flag_rollup and rollup flags
myUID = get_scanObjectUID(scanObject)
flag_rollup = self._rollupToMe(result, myUID )
resultDict['Input_Flags'] = flag_rollup
if verbose: log_module("MSG", self.module_name, 0, scanObject, result, msg="dispositon_email: flag rollup: %s" % flag_rollup)
try:
matches = yara_on_demand(config.yaradispositionrules, ' '.join(flag_rollup))
lstStrMatches = [str(match) for match in matches]
resultDict['Matches'] = lstStrMatches
if matches:
strMatches = ' '.join(lstStrMatches)
except SyntaxError:
log_module_error(self.module_name, scanObject, result, "Error Compiling YARA rules file at: "+config.yaradispositionrules)
resultDict['Result'] = "YARA RULE SYNTAX ERROR"
resultDict['Result'] = "Accept"
for match in resultDict['Matches']:
if match.startswith("Deny"):
resultDict['Result'] = "Deny"
scanObject.addMetadata(self.module_name, 'Disposition', resultDict)
return moduleResult
def run(self, scanObject, result, depth, args):
"""Wrapper method around _run for error handling"""
moduleLoggingBool = config.modulelogging
try:
starttime = time.time()
if moduleLoggingBool:
log_module("START", self.module_name, 0, scanObject, result)
# Get a configured timeout
timeout_seconds = int(get_option(args, 'module_timeout', 'global_module_timeout', 3600))
with timeout(timeout_seconds, exception=GlobalModuleTimeoutError):
moduleResult = self._run(scanObject, result, depth, args)
if moduleLoggingBool:
log_module("END", self.module_name, time.time() - starttime, scanObject, result)
if type(moduleResult) is not list:
msg = "%s returned an object with type %s. Only lists are allowed! Skipping this result." % (self.module_name, type(moduleResult))
logging.debug(msg)
if moduleLoggingBool:
log_module_error(self.module_name,
scanObject,
result,
msg)
return []
return moduleResult
except GlobalScanTimeoutError:
raise
except GlobalModuleTimeoutError:
# If the _module times out, add a flag and continue as a normal error
scanObject.addFlag("dispatch:err:module_timeout:%s" % self.module_name)
exc_type, exc_value, exc_traceback = sys.exc_info()
logging.exception("error on %s running _module %s. exception details below: ",
get_scanObjectUID(getRootObject(result)), self.module_name)
if moduleLoggingBool:
log_module_error(self.module_name,
scanObject,
result,
repr(traceback.format_exception(exc_type,
exc_value,
exc_traceback)))
return []
except QuitScanException:
# If the _module is terminated early, add a flag and proceed the exception up the stack
scanObject.addFlag("dispatch:err:quit_scan")
logging.warning("quitting scan while running _module %s", self.module_name)
raise
except Exception:
exc_type, exc_value, exc_traceback = sys.exc_info()
logging.exception("error on %s running _module %s. exception details below: ",
get_scanObjectUID(getRootObject(result)), self.module_name)
if moduleLoggingBool:
log_module_error(self.module_name,
scanObject,
result,
repr(traceback.format_exception(exc_type,
exc_value,
exc_traceback)))
return []
def _run(self, scanObject, result, depth, args):
moduleResult = []
flags = []
buffer = scanObject.buffer
cert = None
try:
#scanObject.addMetadata(self.module_name, key, value)
#simple check for PEM or DER
if buffer[:1] == "0":
format = M2Crypto.X509.FORMAT_DER
else:
format = M2Crypto.X509.FORMAT_PEM
cert = M2Crypto.X509.load_cert_string(buffer, format=format)
#serial_number
#print "serial_number: %x" % cert.get_serial_number()
serial_number = "%x" % cert.get_serial_number()
scanObject.addMetadata(self.module_name, "serial_number",
serial_number)
#fingerprint
#print "fingerprint: "+str(cert.get_fingerprint())
scanObject.addMetadata(self.module_name, "fingerprint",
str(cert.get_fingerprint()))
#version
#print "version: "+str(cert.get_version())
scanObject.addMetadata(self.module_name, "version",
cert.get_version())
#subject
subject = self._parseDN(cert.get_subject())
scanObject.addMetadata(self.module_name, "subject", subject)
#issuer
issuer = self._parseDN(cert.get_issuer())
scanObject.addMetadata(self.module_name, "issuer", issuer)
#validity dates
scanObject.addMetadata(self.module_name, "not_before",
str(cert.get_not_before()))
scanObject.addMetadata(self.module_name, "not_after",
str(cert.get_not_after()))
#string complete subject and issuers
scanObject.addMetadata(self.module_name, "subject_string",
str(cert.get_subject()))
scanObject.addMetadata(self.module_name, "issuer_string",
str(cert.get_issuer()))
if str(cert.get_issuer()) == str(cert.get_subject()):
scanObject.addFlag("x509:nfo:self_signed_cert")
start = datetime.datetime.strptime(str(cert.get_not_before()),
"%b %d %H:%M:%S %Y %Z")
end = datetime.datetime.strptime(str(cert.get_not_after()),
"%b %d %H:%M:%S %Y %Z")
dur = end - start
scanObject.addMetadata(self.module_name, "duration", dur.days)
extensions = {}
for i in range(cert.get_ext_count()):
extensions[str(cert.get_ext_at(i).get_name())] = str(
cert.get_ext_at(i).get_value()).strip()
scanObject.addMetadata(self.module_name, "extensions", extensions)
except (QuitScanException, GlobalScanTimeoutError,
GlobalModuleTimeoutError):
raise
except:
exc_type, exc_value, exc_traceback = sys.exc_info()
logging.exception("Error parsing cert in " +
str(get_scanObjectUID(getRootObject(result))))
ugly_error_string = str(exc_value)
nicer_error_string = string.split(
string.split(ugly_error_string, ":")[4])[0]
scanObject.addFlag("x509:err:" + nicer_error_string)
return moduleResult
def run(self, scanObject, result, depth, args):
'''Wrapper method around _run for error handling'''
moduleLoggingBool = config.modulelogging
try:
starttime = time.time()
if moduleLoggingBool:
log_module("START", self.module_name, 0, scanObject, result)
# Get a configured timeout
timeout_seconds = int(get_option(args, 'module_timeout', 'global_module_timeout', 3600))
with timeout(timeout_seconds, exception=GlobalModuleTimeoutError):
moduleResult = self._run(scanObject, result, depth, args)
if moduleLoggingBool:
log_module("END", self.module_name, time.time() - starttime, scanObject, result)
if type(moduleResult) is not list:
msg = "%s returned an object with type %s. Only lists are allowed! Skipping this result." % (self.module_name, type(moduleResult))
logging.debug(msg)
if moduleLoggingBool:
log_module_error(self.module_name,
scanObject,
result,
msg)
return []
return moduleResult
except GlobalScanTimeoutError:
raise
except GlobalModuleTimeoutError:
# If the module times out, add a flag and continue as a normal error
scanObject.addFlag("dispatch:err:module_timeout:%s" % self.module_name)
exc_type, exc_value, exc_traceback = sys.exc_info()
logging.exception("error on %s running module %s. exception details below: ",
get_scanObjectUID(getRootObject(result)), self.module_name)
if moduleLoggingBool:
log_module_error(self.module_name,
scanObject,
result,
repr(traceback.format_exception(exc_type,
exc_value,
exc_traceback)))
return []
except QuitScanException:
# If the module is terminated early, add a flag and proceed the exception up the stack
scanObject.addFlag("dispatch:err:quit_scan")
logging.warn("quitting scan while running module %s", self.module_name)
raise
except Exception:
exc_type, exc_value, exc_traceback = sys.exc_info()
logging.exception("error on %s running module %s. exception details below: ",
get_scanObjectUID(getRootObject(result)), self.module_name)
if moduleLoggingBool:
log_module_error(self.module_name,
scanObject,
result,
repr(traceback.format_exception(exc_type,
exc_value,
exc_traceback)))
return []
def _run(self, scanObject, result, depth, args):
moduleResult = []
flags = []
buffer = scanObject.buffer
cert = None
try:
#scanObject.addMetadata(self.module_name, key, value)
#simple check for PEM or DER
if buffer[:1] == "0":
format = M2Crypto.X509.FORMAT_DER
else:
format = M2Crypto.X509.FORMAT_PEM
cert = M2Crypto.X509.load_cert_string(buffer, format=format)
#serial_number
#print "serial_number: %x" % cert.get_serial_number()
serial_number = "%x" % cert.get_serial_number()
scanObject.addMetadata(self.module_name, "serial_number", serial_number)
#fingerprint
#print "fingerprint: "+str(cert.get_fingerprint())
scanObject.addMetadata(self.module_name, "fingerprint", str(cert.get_fingerprint()))
#version
#print "version: "+str(cert.get_version())
scanObject.addMetadata(self.module_name, "version", cert.get_version())
#subject
subject = self._parseDN(cert.get_subject())
scanObject.addMetadata(self.module_name, "subject", subject)
#issuer
issuer = self._parseDN(cert.get_issuer())
scanObject.addMetadata(self.module_name, "issuer", issuer)
#validity dates
scanObject.addMetadata(self.module_name, "not_before", str(cert.get_not_before()))
scanObject.addMetadata(self.module_name, "not_after", str(cert.get_not_after()))
#string complete subject and issuers
scanObject.addMetadata(self.module_name, "subject_string", str(cert.get_subject()))
scanObject.addMetadata(self.module_name, "issuer_string", str(cert.get_issuer()))
if str(cert.get_issuer()) == str(cert.get_subject()):
scanObject.addFlag("x509:nfo:self_signed_cert")
start = datetime.datetime.strptime(str(cert.get_not_before()), "%b %d %H:%M:%S %Y %Z")
end = datetime.datetime.strptime(str(cert.get_not_after()), "%b %d %H:%M:%S %Y %Z")
dur = end - start
scanObject.addMetadata(self.module_name, "duration", dur.days)
extensions = {}
for i in range(cert.get_ext_count()):
extensions[str(cert.get_ext_at(i).get_name())] = str(cert.get_ext_at(i).get_value()).strip();
scanObject.addMetadata(self.module_name, "extensions", extensions)
except (QuitScanException, GlobalScanTimeoutError, GlobalModuleTimeoutError):
raise
except:
exc_type, exc_value, exc_traceback = sys.exc_info()
logging.exception("Error parsing cert in "+str(get_scanObjectUID(getRootObject(result))))
ugly_error_string = str(exc_value)
nicer_error_string = string.split(string.split(ugly_error_string,":")[4])[0]
scanObject.addFlag("x509:err:"+nicer_error_string)
return moduleResult