async def scan(self, guid, artifact_type, content, metadata, chain):
"""Scan an artifact with Yara.
Args:
guid (str): GUID of the bounty under analysis, use to track artifacts in the same bounty
artifact_type (ArtifactType): Artifact type for the bounty being scanned
content (bytes): Content of the artifact to be scan
metadata (dict) Dict of metadata for the artifact
chain (str): Chain we are operating on
Returns:
ScanResult: Result of this scan
"""
matches = self.rules.match(data=content)
sysname, _, _, _, machine = os.uname()
metadata = Verdict().set_scanner(operating_system=sysname,
architecture=machine,
vendor_version=yara.__version__)
if matches:
# author responsible for distilling multiple metadata values into a value for ScanResult
metadata.set_malware_family(matches[0].rule)
return ScanResult(bit=True, verdict=True, metadata=metadata.json())
metadata.set_malware_family('')
return ScanResult(bit=True, verdict=False, metadata=metadata.json())
def test_empty_verdict():
# arrange
verdict = Verdict()
# act
# assert
with pytest.raises(ValueError):
verdict.json()
async def scan(self, guid, artifact_type, content, metadata, chain):
"""Scan an artifact with ClamAV
Args:
guid (str): GUID of the bounty under analysis, use to track artifacts in the same bounty
artifact_type (ArtifactType): Artifact type for the bounty being scanned
content (bytes): Content of the artifact to be scan
metadata (dict) Dict of metadata for the artifact
chain (str): Chain we are operating on
Returns:
ScanResult: Result of this scan
"""
result = await self.clamd.instream(BytesIO(content))
stream_result = result.get('stream', [])
vendor = await self.clamd.version()
metadata = Verdict().set_scanner(operating_system=platform.system(),
architecture=platform.machine(),
vendor_version=vendor.strip('\n'))
if len(stream_result) >= 2 and stream_result[0] == 'FOUND':
metadata.set_malware_family(stream_result[1].strip('\n'))
return ScanResult(bit=True,
verdict=True,
confidence=1.0,
metadata=metadata.json())
metadata.set_malware_family('')
return ScanResult(bit=True, verdict=False, metadata=metadata.json())
def test_validate_ip_invalid():
# arrange
verdict = Verdict()
# assert
with pytest.raises(ValueError):
# act
verdict.add_ip_address('asdf')
verdict.json()
def test_validate_extra_object():
# arrange
verdict = Verdict().set_malware_family("Eicar")
# act
verdict.add_extra("new_key", {"other_key": "string_value"})
# assert
assert Verdict.validate(json.loads(verdict.json()))
def test_validate_ip():
# arrange
verdict = Verdict().set_malware_family("Eicar")
# act
verdict.add_ip_address('192.168.0.1')
# assert
assert Verdict.validate(json.loads(verdict.json()))
def test_validate_domains():
# arrange
verdict = Verdict().set_malware_family("Eicar")
# act
verdict.add_domain('polyswarm.io')
# assert
assert Verdict.validate(json.loads(verdict.json()))
def test_validate_two_domains_at_once():
# arrange
verdict = Verdict().set_malware_family("Eicar")
# act
verdict.add_domains(['polyswarm.io', 'polyswarm.network'])
# assert
assert Verdict.validate(json.loads(verdict.json()))
def test_validate_two_ip_at_once():
# arrange
verdict = Verdict().set_malware_family("Eicar")
# act
verdict.add_ip_addresses(['192.168.0.1', '8.8.8.8'])
# assert
assert Verdict.validate(json.loads(verdict.json()))
def test_validate_with_family():
# arrange
verdict = Verdict()
verdict.set_malware_family("Eicar")
# assert
blob = verdict.json()
# act
assert Verdict.validate(json.loads(blob))
def test_validate_two_extra_at_once():
# arrange
verdict = Verdict().set_malware_family("Eicar")
# act
verdict.add_extras([("new_key", "string_value"),
("new_key1", {
"other_key": "string_value"
})])
# assert
assert Verdict.validate(json.loads(verdict.json()))
def test_scanner_null_environemnt():
# arrange
verdict = Verdict().set_malware_family("Eicar")
# act
verdict.set_scanner(version="1.0.0",
polyswarmclient_version="2.0.2",
signatures_version="2019",
vendor_version="1.0.0")
# assert
Verdict.validate(json.loads(verdict.json()))
def test_scanner_no_vendor_version():
# arrange
verdict = Verdict().set_malware_family("Eicar")
# act
verdict.set_scanner(operating_system="windows",
architecture="x86",
version="1.0.0",
polyswarmclient_version="2.0.2",
signatures_version="2019")
# assert
Verdict.validate(json.loads(verdict.json()))
def test_validate_stix_object():
# arrange
verdict = Verdict().set_malware_family("Eicar")
# act
verdict.add_stix_signature(
'oasis-open/cti-stix2-json-schemas/master/schemas/common/kill-chain-phase.json',
{
"kill_chain_name": 'asdf',
"phase_name": "full"
})
# assert
assert Verdict.validate(json.loads(verdict.json()))
def scan_sync(self, guid, artifact_type, content, metadata, chain):
"""Scan an artifact
Args:
guid (str): GUID of the bounty under analysis, use to track artifacts in the same bounty
artifact_type (ArtifactType): Artifact type for the bounty being scanned
content (bytes): Content of the artifact to be scan
metadata (dict) Dict of metadata for the artifact
chain (str): Chain we are operating on
Returns:
ScanResult: Result of this scan
"""
metadata = Verdict().set_scanner(operating_system=self.system,
architecture=self.machine)
if isinstance(content, str):
content = content.encode()
if EICAR in content:
metadata.set_malware_family('Eicar Test File')
return ScanResult(bit=True, verdict=True, metadata=metadata.json())
metadata.set_malware_family('')
return ScanResult(bit=True, verdict=False, metadata=metadata.json())
def test_scanner_invalid_psc_version():
# arrange
verdict = Verdict().set_malware_family("Eicar")
# assert
with pytest.raises(ValueError):
# act
verdict.set_scanner(operating_system="windows",
architecture="x86",
version="1.0.0",
polyswarmclient_version="asdf",
signatures_version="2019",
vendor_version="1.0.0")
Verdict.validate(json.loads(verdict.json()))
def test_validate_all_output():
# arrange
verdict = Verdict().set_malware_family("Eicar")\
.add_domain('polyswarm.io')\
.add_ip_address('192.168.0.1')\
.add_stix_signature(
'oasis-open/cti-stix2-json-schemas/master/schemas/common/hex.json',
"a0"
) \
.set_scanner(operating_system="windows", architecture="x86", version="1.0.0", polyswarmclient_version="2.0.2",
signatures_version="2019", vendor_version="1.0.0")\
.add_extra("new_key", {"other_key": "string_value"})\
.add_extra("new_key1", ["string_value"])\
.add_extra("new_key2", "string_value")
result = {
"malware_family":
"Eicar",
"domains": ["polyswarm.io"],
"ip_addresses": ["192.168.0.1"],
"stix": [{
"schema":
"oasis-open/cti-stix2-json-schemas/master/schemas/common/hex.json",
"signature": "a0"
}],
"scanner": {
"version": "1.0.0",
"polyswarmclient_version": "2.0.2",
"signatures_version": "2019",
"vendor_version": "1.0.0",
"environment": {
"operating_system": "windows",
"architecture": "x86"
}
},
"new_key": {
"other_key": "string_value",
},
"new_key1": ["string_value"],
"new_key2":
"string_value"
}
# act
blob = json.loads(verdict.json())
# assert
assert Verdict.validate(blob)
assert blob == result
def scan_metadata(request):
if request.param is None:
return None
as_json, family = request.param
v = Verdict().set_malware_family(family)
return v.json() if as_json else v
def test_validate_no_familty():
# arrange
verdict = Verdict()
# assert
with pytest.raises(ValueError):
verdict.json()