class SignatureMock(Signature): name = "mock" minimum = CUCKOO_VERSION.split("-")[0] maximum = CUCKOO_VERSION.split("-")[0] def run(self, results): if "foo" in results: return True else: return False
def _run_signature(self, signature, results): """Run a signature. @param signature: signature to run. @param signs: signature results dict. @return: matched signature. """ current = signature() log.debug("Running signature \"%s\"" % current.name) if not current.enabled: return None version = CUCKOO_VERSION.split("-")[0] if current.minimum: try: if StrictVersion(version) < StrictVersion( current.minimum.split("-")[0]): log.debug( "You are running an older incompatible version of Cuckoo, the signature \"%s\" requires minimum version %s" % (current.name, current.minimum)) return None except ValueError: log.debug("Wrong minor version number in signature %s" % current.name) return None if current.maximum: try: if StrictVersion(version) > StrictVersion( current.maximum.split("-")[0]): log.debug( "You are running a newer incompatible version of Cuckoo, the signature \"%s\" requires maximum version %s" % (current.name, current.maximum)) return None except ValueError: log.debug("Wrong major version number in signature %s" % current.name) return None try: if current.run(copy.deepcopy(results)): matched = { "name": current.name, "description": current.description, "severity": current.severity, "references": current.references, "data": current.data, "alert": current.alert } log.debug("Analysis at \"%s\" matched signature \"%s\"" % (self.analysis_path, current.name)) return matched except NotImplementedError: log.debug("The signature \"%s\" is not correctly implemented" % current.name) except Exception as e: log.exception("Failed to run signature \"%s\":" % (current.name)) return None
def _check_signature_version(self, current): """Check signature version. @param current: signature class/instance to check. @return: check result. """ # Since signatures can hardcode some values or checks that might # become obsolete in future versions or that might already be obsolete, # I need to match its requirements with the running version of Cuckoo. version = CUCKOO_VERSION.split("-")[0] # If provided, check the minimum working Cuckoo version for this # signature. if current.minimum: try: # If the running Cuckoo is older than the required minimum # version, skip this signature. if StrictVersion(version) < StrictVersion(current.minimum.split("-")[0]): log.debug( "You are running an older incompatible version " 'of Cuckoo, the signature "%s" requires ' "minimum version %s", current.name, current.minimum, ) return None if StrictVersion("1.2") > StrictVersion(current.minimum.split("-")[0]): log.warn( "Cuckoo signature style has been redesigned in " "cuckoo 1.2. This signature is not " "compatible: %s.", current.name, ) return None except ValueError: log.debug("Wrong minor version number in signature %s", current.name) return None # If provided, check the maximum working Cuckoo version for this # signature. if current.maximum: try: # If the running Cuckoo is newer than the required maximum # version, skip this signature. if StrictVersion(version) > StrictVersion(current.maximum.split("-")[0]): log.debug( "You are running a newer incompatible version " 'of Cuckoo, the signature "%s" requires ' "maximum version %s", current.name, current.maximum, ) return None except ValueError: log.debug("Wrong major version number in signature %s", current.name) return None return True
def _check_signature_version(self, current): """Check signature version. @param current: signature class/instance to check. @return: check result. """ # Since signatures can hardcode some values or checks that might # become obsolete in future versions or that might already be obsolete, # I need to match its requirements with the running version of Cuckoo. version = CUCKOO_VERSION.split("-")[0] # If provided, check the minimum working Cuckoo version for this # signature. if current.minimum: try: # If the running Cuckoo is older than the required minimum # version, skip this signature. if StrictVersion(version) < StrictVersion( current.minimum.split("-")[0]): log.debug( "You are running an older incompatible version " "of Cuckoo, the signature \"%s\" requires " "minimum version %s", current.name, current.minimum) return None if StrictVersion("1.2") > StrictVersion( current.minimum.split("-")[0]): log.warn( "Cuckoo signature style has been redesigned in " "cuckoo 1.2. This signature is not " "compatible: %s.", current.name) return None except ValueError: log.debug("Wrong minor version number in signature %s", current.name) return None # If provided, check the maximum working Cuckoo version for this # signature. if current.maximum: try: # If the running Cuckoo is newer than the required maximum # version, skip this signature. if StrictVersion(version) > StrictVersion( current.maximum.split("-")[0]): log.debug( "You are running a newer incompatible version " "of Cuckoo, the signature \"%s\" requires " "maximum version %s", current.name, current.maximum) return None except ValueError: log.debug("Wrong major version number in signature %s", current.name) return None return True
def __init__(self, results): self.results = results self.matched = [] # While developing our version is generally something along the lines # of "2.0-dev" whereas StrictVersion() does not handle "-dev", so we # strip that part off. self.version = CUCKOO_VERSION.split("-")[0] # Gather all enabled, up-to-date, and applicable signatures. self.signatures = [] for signature in list_plugins(group="signatures"): if self._should_enable_signature(signature): self.signatures.append(signature(self))
def _run_signature(self, signature, results): """Run a signature. @param signature: signature to run. @param signs: signature results dict. @return: matched signature. """ current = signature() log.debug("Running signature \"%s\"" % current.name) if not current.enabled: return None version = CUCKOO_VERSION.split("-")[0] if current.minimum: try: if StrictVersion(version) < StrictVersion(current.minimum.split("-")[0]): log.debug("You are running an older incompatible version of Cuckoo, the signature \"%s\" requires minimum version %s" % (current.name, current.minimum)) return None except ValueError: log.debug("Wrong minor version number in signature %s" % current.name) return None if current.maximum: try: if StrictVersion(version) > StrictVersion(current.maximum.split("-")[0]): log.debug("You are running a newer incompatible version of Cuckoo, the signature \"%s\" requires maximum version %s" % (current.name, current.maximum)) return None except ValueError: log.debug("Wrong major version number in signature %s" % current.name) return None try: if current.run(copy.deepcopy(results)): matched = {"name" : current.name, "description" : current.description, "severity" : current.severity, "references" : current.references, "data" : current.data, "alert" : current.alert} log.debug("Analysis at \"%s\" matched signature \"%s\"" % (self.analysis_path, current.name)) return matched except NotImplementedError: log.debug("The signature \"%s\" is not correctly implemented" % current.name) except Exception as e: log.exception("Failed to run signature \"%s\":" % (current.name)) return None
def check_version(): """Checks version of Cuckoo.""" cfg = Config() if not cfg.cuckoo.version_check: return print(" Checking for updates...") url = "http://api.cuckoosandbox.org/checkversion.php" data = urllib.urlencode({"version": CUCKOO_VERSION}) try: request = urllib2.Request(url, data) response = urllib2.urlopen(request) except (urllib2.URLError, urllib2.HTTPError, httplib.BadStatusLine): print(red(" Failed! ") + "Unable to establish connection.\n") return try: response_data = json.loads(response.read()) except ValueError: print(red(" Failed! ") + "Invalid response.\n") return stable_version = response_data["current"] if CUCKOO_VERSION.endswith("-dev"): print( yellow( " You are running a development version! Current stable is {}." .format(stable_version))) else: if LooseVersion(CUCKOO_VERSION) < LooseVersion(stable_version): msg = "Cuckoo Sandbox version {} is available now.".format( stable_version) print(red(" Outdated! ") + msg) else: print( green(" Good! ") + "You have the latest version " "available.\n")
def check_version(): """Checks version of Cuckoo.""" cfg = Config() if not cfg.cuckoo.version_check: return print(" Checking for updates...") url = "http://api.cuckoosandbox.org/checkversion.php" data = urllib.urlencode({"version": CUCKOO_VERSION}) try: request = urllib2.Request(url, data) response = urllib2.urlopen(request) except (urllib2.URLError, urllib2.HTTPError): print(red(" Failed! ") + "Unable to establish connection.\n") return try: response_data = json.loads(response.read()) except ValueError: print(red(" Failed! ") + "Invalid response.\n") return stable_version = response_data["current"] if CUCKOO_VERSION.endswith("-dev"): print(yellow(" You are running a development version! Current stable is {}.".format( stable_version))) else: if LooseVersion(CUCKOO_VERSION) < LooseVersion(stable_version): msg = "Cuckoo Sandbox version {} is available now.".format( stable_version) print(red(" Outdated! ") + msg) else: print(green(" Good! ") + "You have the latest version " "available.\n")
def _run_signature(self, signature, results): """Run a signature. @param signature: signature to run. @param signs: signature results dict. @return: matched signature. """ # Initialize the current signature. current = signature(LocalDict(results)) log.debug("Running signature \"%s\"" % current.name) # If the signature is disabled, skip it. if not current.enabled: return None # Since signatures can hardcode some values or checks that might # become obsolete in future versions or that might already be obsolete, # I need to match its requirements with the running version of Cuckoo. version = CUCKOO_VERSION.split("-")[0] # If provided, check the minimum working Cuckoo version for this # signature. if current.minimum: try: # If the running Cuckoo is older than the required minimum # version, skip this signature. if StrictVersion(version) < StrictVersion(current.minimum.split("-")[0]): log.debug("You are running an older incompatible version " "of Cuckoo, the signature \"%s\" requires " "minimum version %s" % (current.name, current.minimum)) return None except ValueError: log.debug("Wrong minor version number in signature %s" % current.name) return None # If provided, check the maximum working Cuckoo version for this # signature. if current.maximum: try: # If the running Cuckoo is newer than the required maximum # version, skip this signature. if StrictVersion(version) > StrictVersion(current.maximum.split("-")[0]): log.debug("You are running a newer incompatible version " "of Cuckoo, the signature \"%s\" requires " "maximum version %s" % (current.name, current.maximum)) return None except ValueError: log.debug("Wrong major version number in signature %s" % current.name) return None try: # Run the signature and if it gets matched, extract key information # from it and append it to the results container. if current.run(): matched = {"name" : current.name, "description" : current.description, "severity" : current.severity, "references" : current.references, "data" : current.data, "alert" : current.alert} log.debug("Analysis at \"%s\" matched signature \"%s\"" % (self.analysis_path, current.name)) # Return information on the matched signature. return matched except Exception as e: log.exception("Failed to run signature \"%s\":" % (current.name)) return None
def _run_signature(self, signature, results): """Run a signature. @param signature: signature to run. @param signs: signature results dict. @return: matched signature. """ # Initialize the current signature. current = signature(results) log.debug("Running signature \"%s\"", current.name) # If the signature is disabled, skip it. if not current.enabled: return None # Since signatures can hardcode some values or checks that might # become obsolete in future versions or that might already be obsolete, # I need to match its requirements with the running version of Cuckoo. version = CUCKOO_VERSION.split("-")[0] # If provided, check the minimum working Cuckoo version for this # signature. if current.minimum: try: # If the running Cuckoo is older than the required minimum # version, skip this signature. if StrictVersion(version) < StrictVersion(current.minimum.split("-")[0]): log.debug("You are running an older incompatible version " "of Cuckoo, the signature \"%s\" requires " "minimum version %s", current.name, current.minimum) return None except ValueError: log.debug("Wrong minor version number in signature %s", current.name) return None # If provided, check the maximum working Cuckoo version for this # signature. if current.maximum: try: # If the running Cuckoo is newer than the required maximum # version, skip this signature. if StrictVersion(version) > StrictVersion(current.maximum.split("-")[0]): log.debug("You are running a newer incompatible version " "of Cuckoo, the signature \"%s\" requires " "maximum version %s", current.name, current.maximum) return None except ValueError: log.debug("Wrong major version number in signature %s", current.name) return None try: # Run the signature and if it gets matched, extract key information # from it and append it to the results container. if current.run(): matched = {"name" : current.name, "description" : current.description, "severity" : current.severity, "references" : current.references, "data" : current.data, "alert" : current.alert, "families": current.families} log.debug("Analysis at \"%s\" matched signature \"%s\"", self.analysis_path, current.name) # Return information on the matched signature. return matched except Exception as e: log.exception("Failed to run signature \"%s\":", current.name) return None