class SignatureMock(Signature):
name = "mock"
minimum = CUCKOO_VERSION.split("-")[0]
maximum = CUCKOO_VERSION.split("-")[0]
def run(self, results):
if "foo" in results:
return True
else:
return False
def _run_signature(self, signature, results):
"""Run a signature.
@param signature: signature to run.
@param signs: signature results dict.
@return: matched signature.
"""
current = signature()
log.debug("Running signature \"%s\"" % current.name)
if not current.enabled:
return None
version = CUCKOO_VERSION.split("-")[0]
if current.minimum:
try:
if StrictVersion(version) < StrictVersion(
current.minimum.split("-")[0]):
log.debug(
"You are running an older incompatible version of Cuckoo, the signature \"%s\" requires minimum version %s"
% (current.name, current.minimum))
return None
except ValueError:
log.debug("Wrong minor version number in signature %s" %
current.name)
return None
if current.maximum:
try:
if StrictVersion(version) > StrictVersion(
current.maximum.split("-")[0]):
log.debug(
"You are running a newer incompatible version of Cuckoo, the signature \"%s\" requires maximum version %s"
% (current.name, current.maximum))
return None
except ValueError:
log.debug("Wrong major version number in signature %s" %
current.name)
return None
try:
if current.run(copy.deepcopy(results)):
matched = {
"name": current.name,
"description": current.description,
"severity": current.severity,
"references": current.references,
"data": current.data,
"alert": current.alert
}
log.debug("Analysis at \"%s\" matched signature \"%s\"" %
(self.analysis_path, current.name))
return matched
except NotImplementedError:
log.debug("The signature \"%s\" is not correctly implemented" %
current.name)
except Exception as e:
log.exception("Failed to run signature \"%s\":" % (current.name))
return None
def _check_signature_version(self, current):
"""Check signature version.
@param current: signature class/instance to check.
@return: check result.
"""
# Since signatures can hardcode some values or checks that might
# become obsolete in future versions or that might already be obsolete,
# I need to match its requirements with the running version of Cuckoo.
version = CUCKOO_VERSION.split("-")[0]
# If provided, check the minimum working Cuckoo version for this
# signature.
if current.minimum:
try:
# If the running Cuckoo is older than the required minimum
# version, skip this signature.
if StrictVersion(version) < StrictVersion(current.minimum.split("-")[0]):
log.debug(
"You are running an older incompatible version "
'of Cuckoo, the signature "%s" requires '
"minimum version %s",
current.name,
current.minimum,
)
return None
if StrictVersion("1.2") > StrictVersion(current.minimum.split("-")[0]):
log.warn(
"Cuckoo signature style has been redesigned in "
"cuckoo 1.2. This signature is not "
"compatible: %s.",
current.name,
)
return None
except ValueError:
log.debug("Wrong minor version number in signature %s", current.name)
return None
# If provided, check the maximum working Cuckoo version for this
# signature.
if current.maximum:
try:
# If the running Cuckoo is newer than the required maximum
# version, skip this signature.
if StrictVersion(version) > StrictVersion(current.maximum.split("-")[0]):
log.debug(
"You are running a newer incompatible version "
'of Cuckoo, the signature "%s" requires '
"maximum version %s",
current.name,
current.maximum,
)
return None
except ValueError:
log.debug("Wrong major version number in signature %s", current.name)
return None
return True
def _check_signature_version(self, current):
"""Check signature version.
@param current: signature class/instance to check.
@return: check result.
"""
# Since signatures can hardcode some values or checks that might
# become obsolete in future versions or that might already be obsolete,
# I need to match its requirements with the running version of Cuckoo.
version = CUCKOO_VERSION.split("-")[0]
# If provided, check the minimum working Cuckoo version for this
# signature.
if current.minimum:
try:
# If the running Cuckoo is older than the required minimum
# version, skip this signature.
if StrictVersion(version) < StrictVersion(
current.minimum.split("-")[0]):
log.debug(
"You are running an older incompatible version "
"of Cuckoo, the signature \"%s\" requires "
"minimum version %s", current.name, current.minimum)
return None
if StrictVersion("1.2") > StrictVersion(
current.minimum.split("-")[0]):
log.warn(
"Cuckoo signature style has been redesigned in "
"cuckoo 1.2. This signature is not "
"compatible: %s.", current.name)
return None
except ValueError:
log.debug("Wrong minor version number in signature %s",
current.name)
return None
# If provided, check the maximum working Cuckoo version for this
# signature.
if current.maximum:
try:
# If the running Cuckoo is newer than the required maximum
# version, skip this signature.
if StrictVersion(version) > StrictVersion(
current.maximum.split("-")[0]):
log.debug(
"You are running a newer incompatible version "
"of Cuckoo, the signature \"%s\" requires "
"maximum version %s", current.name, current.maximum)
return None
except ValueError:
log.debug("Wrong major version number in signature %s",
current.name)
return None
return True
def __init__(self, results):
self.results = results
self.matched = []
# While developing our version is generally something along the lines
# of "2.0-dev" whereas StrictVersion() does not handle "-dev", so we
# strip that part off.
self.version = CUCKOO_VERSION.split("-")[0]
# Gather all enabled, up-to-date, and applicable signatures.
self.signatures = []
for signature in list_plugins(group="signatures"):
if self._should_enable_signature(signature):
self.signatures.append(signature(self))
def __init__(self, results):
self.results = results
self.matched = []
# While developing our version is generally something along the lines
# of "2.0-dev" whereas StrictVersion() does not handle "-dev", so we
# strip that part off.
self.version = CUCKOO_VERSION.split("-")[0]
# Gather all enabled, up-to-date, and applicable signatures.
self.signatures = []
for signature in list_plugins(group="signatures"):
if self._should_enable_signature(signature):
self.signatures.append(signature(self))
def _run_signature(self, signature, results):
"""Run a signature.
@param signature: signature to run.
@param signs: signature results dict.
@return: matched signature.
"""
current = signature()
log.debug("Running signature \"%s\"" % current.name)
if not current.enabled:
return None
version = CUCKOO_VERSION.split("-")[0]
if current.minimum:
try:
if StrictVersion(version) < StrictVersion(current.minimum.split("-")[0]):
log.debug("You are running an older incompatible version of Cuckoo, the signature \"%s\" requires minimum version %s"
% (current.name, current.minimum))
return None
except ValueError:
log.debug("Wrong minor version number in signature %s" % current.name)
return None
if current.maximum:
try:
if StrictVersion(version) > StrictVersion(current.maximum.split("-")[0]):
log.debug("You are running a newer incompatible version of Cuckoo, the signature \"%s\" requires maximum version %s"
% (current.name, current.maximum))
return None
except ValueError:
log.debug("Wrong major version number in signature %s" % current.name)
return None
try:
if current.run(copy.deepcopy(results)):
matched = {"name" : current.name,
"description" : current.description,
"severity" : current.severity,
"references" : current.references,
"data" : current.data,
"alert" : current.alert}
log.debug("Analysis at \"%s\" matched signature \"%s\"" % (self.analysis_path, current.name))
return matched
except NotImplementedError:
log.debug("The signature \"%s\" is not correctly implemented" % current.name)
except Exception as e:
log.exception("Failed to run signature \"%s\":" % (current.name))
return None
def check_version():
"""Checks version of Cuckoo."""
cfg = Config()
if not cfg.cuckoo.version_check:
return
print(" Checking for updates...")
url = "http://api.cuckoosandbox.org/checkversion.php"
data = urllib.urlencode({"version": CUCKOO_VERSION})
try:
request = urllib2.Request(url, data)
response = urllib2.urlopen(request)
except (urllib2.URLError, urllib2.HTTPError, httplib.BadStatusLine):
print(red(" Failed! ") + "Unable to establish connection.\n")
return
try:
response_data = json.loads(response.read())
except ValueError:
print(red(" Failed! ") + "Invalid response.\n")
return
stable_version = response_data["current"]
if CUCKOO_VERSION.endswith("-dev"):
print(
yellow(
" You are running a development version! Current stable is {}."
.format(stable_version)))
else:
if LooseVersion(CUCKOO_VERSION) < LooseVersion(stable_version):
msg = "Cuckoo Sandbox version {} is available now.".format(
stable_version)
print(red(" Outdated! ") + msg)
else:
print(
green(" Good! ") + "You have the latest version "
"available.\n")
def check_version():
"""Checks version of Cuckoo."""
cfg = Config()
if not cfg.cuckoo.version_check:
return
print(" Checking for updates...")
url = "http://api.cuckoosandbox.org/checkversion.php"
data = urllib.urlencode({"version": CUCKOO_VERSION})
try:
request = urllib2.Request(url, data)
response = urllib2.urlopen(request)
except (urllib2.URLError, urllib2.HTTPError):
print(red(" Failed! ") + "Unable to establish connection.\n")
return
try:
response_data = json.loads(response.read())
except ValueError:
print(red(" Failed! ") + "Invalid response.\n")
return
stable_version = response_data["current"]
if CUCKOO_VERSION.endswith("-dev"):
print(yellow(" You are running a development version! Current stable is {}.".format(
stable_version)))
else:
if LooseVersion(CUCKOO_VERSION) < LooseVersion(stable_version):
msg = "Cuckoo Sandbox version {} is available now.".format(
stable_version)
print(red(" Outdated! ") + msg)
else:
print(green(" Good! ") + "You have the latest version "
"available.\n")
def _run_signature(self, signature, results):
"""Run a signature.
@param signature: signature to run.
@param signs: signature results dict.
@return: matched signature.
"""
# Initialize the current signature.
current = signature(LocalDict(results))
log.debug("Running signature \"%s\"" % current.name)
# If the signature is disabled, skip it.
if not current.enabled:
return None
# Since signatures can hardcode some values or checks that might
# become obsolete in future versions or that might already be obsolete,
# I need to match its requirements with the running version of Cuckoo.
version = CUCKOO_VERSION.split("-")[0]
# If provided, check the minimum working Cuckoo version for this
# signature.
if current.minimum:
try:
# If the running Cuckoo is older than the required minimum
# version, skip this signature.
if StrictVersion(version) < StrictVersion(current.minimum.split("-")[0]):
log.debug("You are running an older incompatible version "
"of Cuckoo, the signature \"%s\" requires "
"minimum version %s"
% (current.name, current.minimum))
return None
except ValueError:
log.debug("Wrong minor version number in signature %s"
% current.name)
return None
# If provided, check the maximum working Cuckoo version for this
# signature.
if current.maximum:
try:
# If the running Cuckoo is newer than the required maximum
# version, skip this signature.
if StrictVersion(version) > StrictVersion(current.maximum.split("-")[0]):
log.debug("You are running a newer incompatible version "
"of Cuckoo, the signature \"%s\" requires "
"maximum version %s"
% (current.name, current.maximum))
return None
except ValueError:
log.debug("Wrong major version number in signature %s"
% current.name)
return None
try:
# Run the signature and if it gets matched, extract key information
# from it and append it to the results container.
if current.run():
matched = {"name" : current.name,
"description" : current.description,
"severity" : current.severity,
"references" : current.references,
"data" : current.data,
"alert" : current.alert}
log.debug("Analysis at \"%s\" matched signature \"%s\""
% (self.analysis_path, current.name))
# Return information on the matched signature.
return matched
except Exception as e:
log.exception("Failed to run signature \"%s\":" % (current.name))
return None
def _run_signature(self, signature, results):
"""Run a signature.
@param signature: signature to run.
@param signs: signature results dict.
@return: matched signature.
"""
# Initialize the current signature.
current = signature(results)
log.debug("Running signature \"%s\"", current.name)
# If the signature is disabled, skip it.
if not current.enabled:
return None
# Since signatures can hardcode some values or checks that might
# become obsolete in future versions or that might already be obsolete,
# I need to match its requirements with the running version of Cuckoo.
version = CUCKOO_VERSION.split("-")[0]
# If provided, check the minimum working Cuckoo version for this
# signature.
if current.minimum:
try:
# If the running Cuckoo is older than the required minimum
# version, skip this signature.
if StrictVersion(version) < StrictVersion(current.minimum.split("-")[0]):
log.debug("You are running an older incompatible version "
"of Cuckoo, the signature \"%s\" requires "
"minimum version %s", current.name, current.minimum)
return None
except ValueError:
log.debug("Wrong minor version number in signature %s", current.name)
return None
# If provided, check the maximum working Cuckoo version for this
# signature.
if current.maximum:
try:
# If the running Cuckoo is newer than the required maximum
# version, skip this signature.
if StrictVersion(version) > StrictVersion(current.maximum.split("-")[0]):
log.debug("You are running a newer incompatible version "
"of Cuckoo, the signature \"%s\" requires "
"maximum version %s", current.name, current.maximum)
return None
except ValueError:
log.debug("Wrong major version number in signature %s", current.name)
return None
try:
# Run the signature and if it gets matched, extract key information
# from it and append it to the results container.
if current.run():
matched = {"name" : current.name,
"description" : current.description,
"severity" : current.severity,
"references" : current.references,
"data" : current.data,
"alert" : current.alert,
"families": current.families}
log.debug("Analysis at \"%s\" matched signature \"%s\"",
self.analysis_path, current.name)
# Return information on the matched signature.
return matched
except Exception as e:
log.exception("Failed to run signature \"%s\":", current.name)
return None
