def test_hash_file(self):
    """The three file-hash helpers must agree with the known digests of "hehe"."""
    path = Files.temp_put("hehe")

    # (hasher, expected hex digest) -- md5, sha1, sha256 of the bytes b"hehe".
    expectations = [
        (Files.md5_file, "529ca8050a00180790cf88b63468826a"),
        (Files.sha1_file, "42525bb6d3b0dc06bb78ae548733e8fbb55446b3"),
        (Files.sha256_file,
         "0ebe2eca800cf7bd9d9d9f9f4aafbc0c77ae155f43bbbeca69cb256a24c7f9bb"),
    ]
    for hasher, digest in expectations:
        assert hasher(path) == digest
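def run(self):
    """Run IRMA processing on the analysed sample.

    Reads ``url``, ``timeout``, ``scan`` and ``force`` from ``self.options``,
    looks up a cached IRMA report by the file's SHA-256, optionally submits
    the file for scanning, then normalises the probe results.

    @return: full IRMA report (dict), or ``{}`` when the target is not a file,
        when no cached report exists and no scan was requested, or when the
        requested scan produced no report.
    """
    self.key = "irma"

    # Fall off if we don't deal with files.
    if self.results.get("info", {}).get("category") != "file":
        log.debug("IRMA supports only file scanning !")
        return {}

    self.url = self.options.get("url")
    self.timeout = int(self.options.get("timeout", 60))
    self.scan = int(self.options.get("scan", 0))
    self.force = int(self.options.get("force", 0))

    sha256 = Files.sha256_file(self.file_path)
    results = self._get_results(sha256)

    if not self.force and not self.scan and not results:
        return {}
    elif self.force or (not results and self.scan):
        log.info("File scan requested: %s", sha256)
        self._scan_file(self.file_path, self.force)
        results = self._get_results(sha256) or {}

    # FIXME! could use a proper fix here that probably needs changes on IRMA
    # side as well -- related to
    # https://github.com/elastic/elasticsearch/issues/15377
    # entropy value is sometimes 0 and sometimes like 0.10191042566270775;
    # other issue is that results type changes between string and object :/
    #
    # A scan that returned nothing (``results == {}``), or a report without a
    # "probe_results" key, previously raised KeyError here; treat both as
    # "no probes to post-process" and still return whatever we have.
    probe_results = results.get("probe_results") or []
    for idx, result in enumerate(probe_results):
        name = result.get("name")

        if name == "PE Static Analyzer":
            log.debug("Ignoring PE results at index %d", idx)
            result["results"] = "... scrapped ..."

        # When VT results come back with 'detected by 0/58' the entry gets
        # cached as malicious-with-signature simply because a result exists.
        # Override that so it is compatible with the other probes' results.
        # The probe output is not always a string (see FIXME above), so only
        # inspect it when it is one -- otherwise .startswith() would raise.
        probe_output = result.get("results")
        if name == "VirusTotal" and isinstance(probe_output, str) \
                and probe_output.startswith("detected by 0/"):
            log.debug("Fixing empty match from VT")
            result["status"] = 0
            result["results"] = None

    return results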
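def run(self):
    """Run IRMA processing on the analysed sample.

    Reads ``url``, ``timeout``, ``scan`` and ``force`` from ``self.options``,
    looks up a cached IRMA report by the file's SHA-256, optionally submits
    the file for scanning, then strips the noisy PE static-analysis output.

    @return: full IRMA report (dict), or ``{}`` when the target is not a file,
        when no cached report exists and no scan was requested, or when the
        requested scan produced no report.
    """
    self.key = "irma"

    # Fall off if we don't deal with files.
    if self.results.get("info", {}).get("category") != "file":
        log.debug("IRMA supports only file scanning !")
        return {}

    self.url = self.options.get("url")
    self.timeout = int(self.options.get("timeout", 60))
    self.scan = int(self.options.get("scan", 0))
    self.force = int(self.options.get("force", 0))

    sha256 = Files.sha256_file(self.file_path)
    results = self._get_results(sha256)

    if not self.force and not self.scan and not results:
        return {}
    elif self.force or (not results and self.scan):
        log.info("File scan requested: %s", sha256)
        self._scan_file(self.file_path, self.force)
        results = self._get_results(sha256) or {}

    # FIXME! could use a proper fix here that probably needs changes on IRMA
    # side as well -- related to
    # https://github.com/elastic/elasticsearch/issues/15377
    # entropy value is sometimes 0 and sometimes like 0.10191042566270775;
    # other issue is that results type changes between string and object :/
    #
    # A scan that returned nothing (``results == {}``), or a report without a
    # "probe_results" key, previously raised KeyError here; treat both as
    # "no probes to post-process" and still return whatever we have.
    probe_results = results.get("probe_results") or []
    for idx, result in enumerate(probe_results):
        if result.get("name") == "PE Static Analyzer":
            log.debug("Ignoring PE results at index %d", idx)
            # ``result`` is the same dict object as
            # ``results["probe_results"][idx]``, so mutate it in place.
            result["results"] = "... scrapped ..."

    return results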
def test_hash_file(self):
    """Hashing a temp file under /tmp containing "hehe" yields the known digests."""
    filepath = Files.temp_put("hehe", "/tmp")

    md5_expected = "529ca8050a00180790cf88b63468826a"
    sha1_expected = "42525bb6d3b0dc06bb78ae548733e8fbb55446b3"
    sha256_expected = (
        "0ebe2eca800cf7bd9d9d9f9f4aafbc0c77ae155f43bbbeca69cb256a24c7f9bb"
    )

    actual = (
        Files.md5_file(filepath),
        Files.sha1_file(filepath),
        Files.sha256_file(filepath),
    )
    assert actual == (md5_expected, sha1_expected, sha256_expected)