コード例 #1
0
ファイル: explode_pkcs7.py プロジェクト: DG4227/laikaboss
    def _run(self, scanObject, result, depth, args):
        moduleResult = [] 

        flags = []
        

        buffer = scanObject.buffer
        cert = None
        
        try:
            #scanObject.addMetadata(self.module_name, key, value)    

            input_bio = BIO.MemoryBuffer(buffer)

            #Check for PEM or DER
            if buffer[:1] == "0":
                #DER
                p7 = SMIME.PKCS7(m2.pkcs7_read_bio_der(input_bio._ptr()), 1)
            else:
                #PEM
                p7 = SMIME.load_pkcs7_bio(input_bio)    
            
            
            certs = p7.get0_signers(X509.X509_Stack())
            
            
            #some pkcs7's should have more than one certificate in them. openssl can extract them handily.
            #openssl pkcs7 -inform der -print_certs -in MYKEY.DSA
            i=0
            for cert in certs:
                cert_filename = "%x.der" % (cert.get_serial_number())
                moduleResult.append(ModuleObject(buffer=cert.as_der(),externalVars=ExternalVars(filename=cert_filename)))
                i = i + 1
            
        except (QuitScanException, GlobalScanTimeoutError, GlobalModuleTimeoutError):
            raise
        except:
            exc_type, exc_value, exc_traceback = sys.exc_info()
            logging.exception("Error parsing cert in "+str(get_scanObjectUID(getRootObject(result))))
            
            ugly_error_string = str(exc_value)
            #nicer_error_string = string.split(string.split(ugly_error_string,":")[4])[0]
            nicer_error_string = ugly_error_string.split(":")[4].split()[0]
                        
            scanObject.addFlag("pkcs7:err:"+nicer_error_string)
            
            
       
        return moduleResult
コード例 #2
0
ファイル: explode_pkcs7.py プロジェクト: zrasmor/laikaboss
    def _run(self, scanObject, result, depth, args):
        moduleResult = []

        flags = []

        buffer = scanObject.buffer
        cert = None

        try:
            #scanObject.addMetadata(self.module_name, key, value)

            input_bio = BIO.MemoryBuffer(buffer)

            #Check for PEM or DER
            if buffer[:1] == "0":
                #DER
                p7 = SMIME.PKCS7(m2.pkcs7_read_bio_der(input_bio._ptr()), 1)
            else:
                #PEM
                p7 = SMIME.load_pkcs7_bio(input_bio)

            certs = p7.get0_signers(X509.X509_Stack())

            #some pkcs7's should have more than one certificate in them. openssl can extract them handily.
            #openssl pkcs7 -inform der -print_certs -in MYKEY.DSA
            i = 0
            for cert in certs:
                cert_filename = "%x.der" % (cert.get_serial_number())
                moduleResult.append(
                    ModuleObject(
                        buffer=cert.as_der(),
                        externalVars=ExternalVars(filename=cert_filename)))
                i = i + 1

        except (QuitScanException, GlobalScanTimeoutError,
                GlobalModuleTimeoutError):
            raise
        except:
            exc_type, exc_value, exc_traceback = sys.exc_info()
            logging.exception("Error parsing cert in " +
                              str(get_scanObjectUID(getRootObject(result))))

            ugly_error_string = str(exc_value)
            #nicer_error_string = string.split(string.split(ugly_error_string,":")[4])[0]
            nicer_error_string = ugly_error_string.split(":")[4].split()[0]

            scanObject.addFlag("pkcs7:err:" + nicer_error_string)

        return moduleResult
コード例 #3
0
    def _run(self, scanObject, result, depth, args):
        #Initialization
        moduleResult = []
        verbose = False
        resultDict = {}
        strMatches = ""

        #Read arguments
        if 'verbose' in args:
            verbose = True

        #Populate static metadata
        resultDict['Disposition_File'] = config.yaradispositionrules
        resultDict['Result'] = "Disposition Not Initialized"

        #Get scanObject uID for flag_rollup and rollup flags
        myUID = get_scanObjectUID(scanObject)
        flag_rollup = self._rollupToMe(result, myUID)
        resultDict['Input_Flags'] = flag_rollup

        if verbose:
            log_module("MSG",
                       self.module_name,
                       0,
                       scanObject,
                       result,
                       msg="dispositon_email: flag rollup: %s" % flag_rollup)
        try:
            matches = yara_on_demand(config.yaradispositionrules,
                                     ' '.join(flag_rollup))
            lstStrMatches = [str(match) for match in matches]
            resultDict['Matches'] = lstStrMatches
            if matches:
                strMatches = ' '.join(lstStrMatches)
        except SyntaxError:
            log_module_error(
                self.module_name, scanObject, result,
                "Error Compiling YARA rules file at: " +
                config.yaradispositionrules)
            resultDict['Result'] = "YARA RULE SYNTAX ERROR"

        resultDict['Result'] = "Accept"
        for match in resultDict['Matches']:
            if match.startswith("Deny"):
                resultDict['Result'] = "Deny"

        scanObject.addMetadata(self.module_name, 'Disposition', resultDict)
        return moduleResult
コード例 #4
0
ファイル: dispositioner.py プロジェクト: jurg/laikaboss
 def _run(self, scanObject, result, depth, args):
     #Initialization
     moduleResult = [] 
     verbose = False
     resultDict = {}
     strMatches = ""
     
     #Read arguments
     if 'verbose' in args:
         verbose = True 
     
     #Populate static metadata
     resultDict['Disposition_File'] = config.yaradispositionrules
     resultDict['Result'] = "Disposition Not Initialized"
     
     #Get scanObject uID for flag_rollup and rollup flags
     myUID = get_scanObjectUID(scanObject)
     flag_rollup = self._rollupToMe(result, myUID )
     resultDict['Input_Flags'] = flag_rollup
     
     if verbose: log_module("MSG", self.module_name, 0, scanObject, result, msg="dispositon_email: flag rollup: %s" % flag_rollup)
     try:
         matches = yara_on_demand(config.yaradispositionrules, ' '.join(flag_rollup))
         lstStrMatches = [str(match) for match in matches]
         resultDict['Matches'] = lstStrMatches
         if matches:
             strMatches = ' '.join(lstStrMatches)
     except SyntaxError:
         log_module_error(self.module_name, scanObject, result, "Error Compiling YARA rules file at: "+config.yaradispositionrules)
         resultDict['Result'] = "YARA RULE SYNTAX ERROR"
     
     resultDict['Result'] = "Accept"
     for match in resultDict['Matches']:
         if match.startswith("Deny"):
             resultDict['Result'] = "Deny"
             
             
         
     scanObject.addMetadata(self.module_name, 'Disposition', resultDict)
     return moduleResult
コード例 #5
0
ファイル: si_module.py プロジェクト: wroersma/laikaboss
    def run(self, scanObject, result, depth, args):
        """Wrapper method around _run for error handling"""
        moduleLoggingBool = config.modulelogging
        try:
            starttime = time.time()
            if moduleLoggingBool:
                log_module("START", self.module_name, 0, scanObject, result) 

            # Get a configured timeout
            timeout_seconds = int(get_option(args, 'module_timeout', 'global_module_timeout', 3600))

            with timeout(timeout_seconds, exception=GlobalModuleTimeoutError):
                moduleResult = self._run(scanObject, result, depth, args)

            if moduleLoggingBool:
                log_module("END", self.module_name, time.time() - starttime, scanObject, result) 
            if type(moduleResult) is not list:
                msg = "%s returned an object with type %s. Only lists are allowed! Skipping this result." % (self.module_name, type(moduleResult))
                logging.debug(msg)
                if moduleLoggingBool:
                    log_module_error(self.module_name,
                                     scanObject,
                                     result,
                                     msg)
                return []

            return moduleResult 

        except GlobalScanTimeoutError:
            raise
        except GlobalModuleTimeoutError:
            # If the _module times out, add a flag and continue as a normal error
            scanObject.addFlag("dispatch:err:module_timeout:%s" % self.module_name)

            exc_type, exc_value, exc_traceback = sys.exc_info()
            logging.exception("error on %s running _module %s. exception details below: ",
                get_scanObjectUID(getRootObject(result)), self.module_name)

            if moduleLoggingBool:
                log_module_error(self.module_name,
                                 scanObject,
                                 result,
                                 repr(traceback.format_exception(exc_type, 
                                                                 exc_value, 
                                                                 exc_traceback)))
            return []

        except QuitScanException:
            # If the _module is terminated early, add a flag and proceed the exception up the stack
            scanObject.addFlag("dispatch:err:quit_scan")
            logging.warning("quitting scan while running _module %s", self.module_name)
            raise

        except Exception:
            exc_type, exc_value, exc_traceback = sys.exc_info()
            logging.exception("error on %s running _module %s. exception details below: ",
                get_scanObjectUID(getRootObject(result)), self.module_name)

            if moduleLoggingBool:
                log_module_error(self.module_name,
                                 scanObject,
                                 result,
                                 repr(traceback.format_exception(exc_type, 
                                                                 exc_value, 
                                                                 exc_traceback)))
            return [] 
コード例 #6
0
ファイル: meta_x509.py プロジェクト: zrasmor/laikaboss
    def _run(self, scanObject, result, depth, args):
        moduleResult = []

        flags = []

        buffer = scanObject.buffer
        cert = None

        try:
            #scanObject.addMetadata(self.module_name, key, value)

            #simple check for PEM or DER
            if buffer[:1] == "0":
                format = M2Crypto.X509.FORMAT_DER
            else:
                format = M2Crypto.X509.FORMAT_PEM

            cert = M2Crypto.X509.load_cert_string(buffer, format=format)

            #serial_number
            #print "serial_number: %x" % cert.get_serial_number()
            serial_number = "%x" % cert.get_serial_number()
            scanObject.addMetadata(self.module_name, "serial_number",
                                   serial_number)

            #fingerprint
            #print "fingerprint: "+str(cert.get_fingerprint())
            scanObject.addMetadata(self.module_name, "fingerprint",
                                   str(cert.get_fingerprint()))

            #version
            #print "version: "+str(cert.get_version())
            scanObject.addMetadata(self.module_name, "version",
                                   cert.get_version())

            #subject
            subject = self._parseDN(cert.get_subject())
            scanObject.addMetadata(self.module_name, "subject", subject)

            #issuer
            issuer = self._parseDN(cert.get_issuer())
            scanObject.addMetadata(self.module_name, "issuer", issuer)

            #validity dates
            scanObject.addMetadata(self.module_name, "not_before",
                                   str(cert.get_not_before()))
            scanObject.addMetadata(self.module_name, "not_after",
                                   str(cert.get_not_after()))

            #string complete subject and issuers
            scanObject.addMetadata(self.module_name, "subject_string",
                                   str(cert.get_subject()))
            scanObject.addMetadata(self.module_name, "issuer_string",
                                   str(cert.get_issuer()))

            if str(cert.get_issuer()) == str(cert.get_subject()):
                scanObject.addFlag("x509:nfo:self_signed_cert")

            start = datetime.datetime.strptime(str(cert.get_not_before()),
                                               "%b %d %H:%M:%S %Y %Z")
            end = datetime.datetime.strptime(str(cert.get_not_after()),
                                             "%b %d %H:%M:%S %Y %Z")
            dur = end - start
            scanObject.addMetadata(self.module_name, "duration", dur.days)

            extensions = {}
            for i in range(cert.get_ext_count()):
                extensions[str(cert.get_ext_at(i).get_name())] = str(
                    cert.get_ext_at(i).get_value()).strip()

            scanObject.addMetadata(self.module_name, "extensions", extensions)

        except (QuitScanException, GlobalScanTimeoutError,
                GlobalModuleTimeoutError):
            raise
        except:
            exc_type, exc_value, exc_traceback = sys.exc_info()
            logging.exception("Error parsing cert in " +
                              str(get_scanObjectUID(getRootObject(result))))

            ugly_error_string = str(exc_value)
            nicer_error_string = string.split(
                string.split(ugly_error_string, ":")[4])[0]

            scanObject.addFlag("x509:err:" + nicer_error_string)

        return moduleResult
コード例 #7
0
ファイル: si_module.py プロジェクト: DG4227/laikaboss
    def run(self, scanObject, result, depth, args):
        '''Wrapper method around _run for error handling'''
        moduleLoggingBool = config.modulelogging
        try:
            starttime = time.time()
            if moduleLoggingBool:
                log_module("START", self.module_name, 0, scanObject, result) 

            # Get a configured timeout
            timeout_seconds = int(get_option(args, 'module_timeout', 'global_module_timeout', 3600))

            with timeout(timeout_seconds, exception=GlobalModuleTimeoutError):
                moduleResult = self._run(scanObject, result, depth, args)

            if moduleLoggingBool:
                log_module("END", self.module_name, time.time() - starttime, scanObject, result) 
            if type(moduleResult) is not list:
                msg = "%s returned an object with type %s. Only lists are allowed! Skipping this result." % (self.module_name, type(moduleResult))
                logging.debug(msg)
                if moduleLoggingBool:
                    log_module_error(self.module_name,
                                     scanObject,
                                     result,
                                     msg)
                return []

            return moduleResult 

        except GlobalScanTimeoutError:
            raise
        except GlobalModuleTimeoutError:
            # If the module times out, add a flag and continue as a normal error
            scanObject.addFlag("dispatch:err:module_timeout:%s" % self.module_name)

            exc_type, exc_value, exc_traceback = sys.exc_info()
            logging.exception("error on %s running module %s. exception details below: ", 
                get_scanObjectUID(getRootObject(result)), self.module_name)

            if moduleLoggingBool:
                log_module_error(self.module_name,
                                 scanObject,
                                 result,
                                 repr(traceback.format_exception(exc_type, 
                                                                 exc_value, 
                                                                 exc_traceback)))
            return []

        except QuitScanException:
            # If the module is terminated early, add a flag and proceed the exception up the stack
            scanObject.addFlag("dispatch:err:quit_scan")
            logging.warn("quitting scan while running module %s", self.module_name)
            raise

        except Exception:
            exc_type, exc_value, exc_traceback = sys.exc_info()
            logging.exception("error on %s running module %s. exception details below: ",
                get_scanObjectUID(getRootObject(result)), self.module_name)

            if moduleLoggingBool:
                log_module_error(self.module_name,
                                 scanObject,
                                 result,
                                 repr(traceback.format_exception(exc_type, 
                                                                 exc_value, 
                                                                 exc_traceback)))
            return [] 
コード例 #8
0
ファイル: meta_x509.py プロジェクト: DG4227/laikaboss
    def _run(self, scanObject, result, depth, args):
        moduleResult = [] 

        flags = []
        
                                

        buffer = scanObject.buffer
        cert = None
        
        try:
            #scanObject.addMetadata(self.module_name, key, value)    

            #simple check for PEM or DER
            if buffer[:1] == "0":
                format =  M2Crypto.X509.FORMAT_DER
            else:
                format =  M2Crypto.X509.FORMAT_PEM
            
            
            
            cert = M2Crypto.X509.load_cert_string(buffer, format=format)

            #serial_number
            #print "serial_number: %x" % cert.get_serial_number()
            serial_number = "%x" % cert.get_serial_number()
            scanObject.addMetadata(self.module_name, "serial_number", serial_number)

            #fingerprint
            #print "fingerprint: "+str(cert.get_fingerprint())
            scanObject.addMetadata(self.module_name, "fingerprint", str(cert.get_fingerprint()))

            #version
            #print "version: "+str(cert.get_version())
            scanObject.addMetadata(self.module_name, "version", cert.get_version())
            
            #subject
            subject = self._parseDN(cert.get_subject())
            scanObject.addMetadata(self.module_name, "subject", subject)
            
            #issuer
            issuer = self._parseDN(cert.get_issuer())
            scanObject.addMetadata(self.module_name, "issuer", issuer)

            #validity dates
            scanObject.addMetadata(self.module_name, "not_before", str(cert.get_not_before()))
            scanObject.addMetadata(self.module_name, "not_after", str(cert.get_not_after()))
            
            
            #string complete subject and issuers
            scanObject.addMetadata(self.module_name, "subject_string", str(cert.get_subject()))
            scanObject.addMetadata(self.module_name, "issuer_string", str(cert.get_issuer()))
            
            
            if str(cert.get_issuer()) == str(cert.get_subject()):
                scanObject.addFlag("x509:nfo:self_signed_cert")
           
            start = datetime.datetime.strptime(str(cert.get_not_before()), "%b %d %H:%M:%S %Y %Z")
            end = datetime.datetime.strptime(str(cert.get_not_after()), "%b %d %H:%M:%S %Y %Z")
            dur = end - start
            scanObject.addMetadata(self.module_name, "duration", dur.days) 

            extensions = {}
            for i in range(cert.get_ext_count()):
                extensions[str(cert.get_ext_at(i).get_name())] = str(cert.get_ext_at(i).get_value()).strip();
            
            scanObject.addMetadata(self.module_name, "extensions", extensions)
            
        
        except (QuitScanException, GlobalScanTimeoutError, GlobalModuleTimeoutError):
            raise
        except:
            exc_type, exc_value, exc_traceback = sys.exc_info()
            logging.exception("Error parsing cert in "+str(get_scanObjectUID(getRootObject(result))))
            
            ugly_error_string = str(exc_value)
            nicer_error_string = string.split(string.split(ugly_error_string,":")[4])[0]
                        
            scanObject.addFlag("x509:err:"+nicer_error_string)
            
            
       
        return moduleResult