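def _run(self, scanObject, result, depth, args):
    """Disposition the scan: roll up flags and match them against YARA rules.

    The flags collected for this object (and rolled up from its children)
    are joined into one space-separated string and scanned with the rules
    file named by ``config.yaradispositionrules``.  The outcome is recorded
    as ``Disposition`` metadata on *scanObject*:

    * ``Disposition_File`` - the rules file used
    * ``Input_Flags``      - the rolled-up flag list that was scanned
    * ``Matches``          - names of the rules that fired (empty on error)
    * ``Result``           - ``"Deny"`` if any matched rule name starts with
      ``Deny``, ``"Accept"`` otherwise, or ``"YARA RULE SYNTAX ERROR"`` when
      the rules file failed to compile

    Args:
        scanObject: object being scanned; receives the metadata.
        result: scan result the flag rollup is computed from.
        depth: recursion depth (unused here; part of the module interface).
        args: dispatcher arguments; the presence of ``'verbose'`` enables a
            debug log line showing the rollup.

    Returns:
        list: always empty - this module produces no child objects.
    """
    moduleResult = []
    verbose = 'verbose' in args

    # Seed every key up front so the metadata is complete (and the match
    # evaluation below is safe) even when the rules file fails to compile.
    resultDict = {
        'Disposition_File': config.yaradispositionrules,
        'Result': "Disposition Not Initialized",
        'Matches': [],
    }

    # This object's flags plus those rolled up from its children.
    myUID = get_scanObjectUID(scanObject)
    flag_rollup = self._rollupToMe(result, myUID)
    resultDict['Input_Flags'] = flag_rollup
    if verbose:
        log_module("MSG", self.module_name, 0, scanObject, result,
                   msg="dispositon_email: flag rollup: %s" % flag_rollup)

    try:
        # The joined flag list is the YARA "buffer": rules match on flag names.
        matches = yara_on_demand(config.yaradispositionrules, ' '.join(flag_rollup))
    except SyntaxError:
        # Previously the error result was overwritten with "Accept" and the
        # missing 'Matches' key then raised KeyError. Keep the error visible
        # so a broken rules file never reads as a clean acceptance.
        log_module_error(
            self.module_name, scanObject, result,
            "Error Compiling YARA rules file at: " + config.yaradispositionrules)
        resultDict['Result'] = "YARA RULE SYNTAX ERROR"
    else:
        resultDict['Matches'] = [str(match) for match in matches]
        # Any rule whose name starts with "Deny" wins; otherwise accept.
        if any(name.startswith("Deny") for name in resultDict['Matches']):
            resultDict['Result'] = "Deny"
        else:
            resultDict['Result'] = "Accept"

    scanObject.addMetadata(self.module_name, 'Disposition', resultDict)
    return moduleResult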
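def _run(self, scanObject, result, depth, args):
    """Disposition the scan: roll up flags and match them against YARA rules.

    The flags collected for this object (and rolled up from its children)
    are joined into one space-separated string and scanned with the rules
    file named by ``config.yaradispositionrules``.  The outcome is recorded
    as ``Disposition`` metadata on *scanObject*:

    * ``Disposition_File`` - the rules file used
    * ``Input_Flags``      - the rolled-up flag list that was scanned
    * ``Matches``          - names of the rules that fired (empty on error)
    * ``Result``           - ``"Deny"`` if any matched rule name starts with
      ``Deny``, ``"Accept"`` otherwise, or ``"YARA RULE SYNTAX ERROR"`` when
      the rules file failed to compile

    Args:
        scanObject: object being scanned; receives the metadata.
        result: scan result the flag rollup is computed from.
        depth: recursion depth (unused here; part of the module interface).
        args: dispatcher arguments; the presence of ``'verbose'`` enables a
            debug log line showing the rollup.

    Returns:
        list: always empty - this module produces no child objects.
    """
    moduleResult = []
    verbose = 'verbose' in args

    # Seed every key up front so the metadata is complete (and the match
    # evaluation below is safe) even when the rules file fails to compile.
    resultDict = {
        'Disposition_File': config.yaradispositionrules,
        'Result': "Disposition Not Initialized",
        'Matches': [],
    }

    # This object's flags plus those rolled up from its children.
    myUID = get_scanObjectUID(scanObject)
    flag_rollup = self._rollupToMe(result, myUID)
    resultDict['Input_Flags'] = flag_rollup
    if verbose:
        log_module("MSG", self.module_name, 0, scanObject, result,
                   msg="dispositon_email: flag rollup: %s" % flag_rollup)

    try:
        # The joined flag list is the YARA "buffer": rules match on flag names.
        matches = yara_on_demand(config.yaradispositionrules, ' '.join(flag_rollup))
    except SyntaxError:
        # Previously the error result was overwritten with "Accept" and the
        # missing 'Matches' key then raised KeyError. Keep the error visible
        # so a broken rules file never reads as a clean acceptance.
        log_module_error(
            self.module_name, scanObject, result,
            "Error Compiling YARA rules file at: " + config.yaradispositionrules)
        resultDict['Result'] = "YARA RULE SYNTAX ERROR"
    else:
        resultDict['Matches'] = [str(match) for match in matches]
        # Any rule whose name starts with "Deny" wins; otherwise accept.
        if any(name.startswith("Deny") for name in resultDict['Matches']):
            resultDict['Result'] = "Deny"
        else:
            resultDict['Result'] = "Accept"

    scanObject.addMetadata(self.module_name, 'Disposition', resultDict)
    return moduleResult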
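def _run(self, scanObject, result, depth, args):
    """Scan the object (or one of its metadata values) with YARA and flag matches.

    Rule selection and scan target come from the dispatcher *args*:

    * ``rule``      - path to a custom rules file; defaults to
      ``config.yarascanrules``.  This is dispatcher configuration, i.e.
      operator-controlled, not content-controlled.
    * ``meta_scan`` - path into ``scanObject.moduleMetadata`` (resolved by
      ``self._getnested``); when present the string found there is scanned
      instead of the buffer.  If no string is found, nothing is scanned.
    * ``maxbytes``  - integer cap; buffers larger than this are scanned only
      up to ``maxbytes``.  Non-integer or non-positive values disable the cap.
    * ``ext_vars``  - ``;``-separated names of YARA external variables to
      pull from the ``SCAN_YARA``/``ExternalVars`` metadata published by
      other modules.

    Each match adds a ``yr:<rule name>`` flag and, when the rule carries a
    ``meta`` section, records it as metadata under the rule name.

    Args:
        scanObject: object to scan; receives flags and metadata.
        result: overall scan result (unused here; part of the module interface).
        depth: recursion depth (unused here; part of the module interface).
        args: dispatcher arguments described above.

    Returns:
        list: always empty - this module produces no child objects.
    """
    moduleResult = []

    externalVars = self._collect_external_vars(scanObject, args)

    # The dispatcher may cap how much of the buffer is scanned. Anything that
    # is not a positive integer means "no cap" (a negative size would make
    # the buffer() slice below misbehave).
    maxBytes = 0
    if 'maxbytes' in args:
        try:
            maxBytes = int(args['maxbytes'])
        except ValueError:
            maxBytes = 0
        if maxBytes < 0:
            maxBytes = 0

    # Custom rules file from the dispatcher, else the configured default.
    rules = args['rule'] if 'rule' in args else config.yarascanrules

    if 'meta_scan' in args:
        metaBuffer = self._getnested(scanObject.moduleMetadata, args['meta_scan'])
        # Nothing (or a non-string) at that metadata path: nothing to scan.
        if not isinstance(metaBuffer, str):
            return moduleResult
        target = metaBuffer
    elif maxBytes and scanObject.objectSize > maxBytes:
        # Python 2 buffer(): zero-copy view of the first maxBytes bytes.
        target = buffer(scanObject.buffer, 0, maxBytes)
    else:
        target = scanObject.buffer

    matches = yara_on_demand(rules, target, externalVars=externalVars)

    for m in matches:
        if m.meta:
            scanObject.addMetadata(self.module_name, str(m), m.meta)
        scanObject.addFlag("yr:%s" % str(m))
        # scanObject.addFlag("s_yr::%s" % str(m))  # Placeholder for standardized flag format
    return moduleResult

def _collect_external_vars(self, scanObject, args):
    """Build the YARA external-variable mapping from other modules' metadata.

    Reads ``SCAN_YARA``/``ExternalVars`` from *scanObject*, which may be a
    single dict or a list of dicts, and filters it through
    ``self.getExternals`` using the names listed in ``args['ext_vars']``.
    The first time any variable carries a real value, the key list is
    recorded as ``ExternalVars Used`` metadata.

    NOTE(review): these values originate from other modules and may be
    derived from the scanned content; ``getExternals`` is presumably what
    restricts which names reach YARA - confirm against its definition.

    Returns:
        dict: external variable name -> value.
    """
    args_externalVars = []
    if 'ext_vars' in args:
        args_externalVars = args['ext_vars'].split(';')

    externalVars = {}
    tmp_externalVars = scanObject.getMetadata('SCAN_YARA', 'ExternalVars')
    if tmp_externalVars:
        # Due to how the framework works, ExternalVars may be a dict or a list
        # of dicts. Any other shape means the publishing module got it wrong
        # and we fall through with an empty mapping.
        if isinstance(tmp_externalVars, dict):
            externalVars = self.getExternals(args_externalVars, tmp_externalVars)
        elif isinstance(tmp_externalVars, list):
            # Bug fix: the original iterated the (still empty) externalVars
            # dict here, so a list of dicts was never processed.
            for externalVars_item in tmp_externalVars:
                if isinstance(externalVars_item, dict):
                    externalVars.update(self.getExternals(args_externalVars, externalVars_item))
    else:
        externalVars = self.getExternals(args_externalVars, {})

    extVars_used = scanObject.getMetadata('SCAN_YARA', 'ExternalVars Used')
    # The string 'None' is treated as "no value" by convention here.
    has_values = any(value for value in externalVars.values() if value != 'None')
    if has_values and not extVars_used:
        # list() keeps this a plain list on Python 3 too (Py2 keys() already is one).
        scanObject.addMetadata(self.module_name, 'ExternalVars Used', list(externalVars.keys()))
    return externalVars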
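def _run(self, scanObject, result, depth, args):
    """Scan the object (or one of its metadata values) with YARA and flag matches.

    Rule selection and scan target come from the dispatcher *args*:

    * ``rule``      - path to a custom rules file; defaults to
      ``config.yarascanrules``.  This is dispatcher configuration, i.e.
      operator-controlled, not content-controlled.
    * ``meta_scan`` - path into ``scanObject.moduleMetadata`` (resolved by
      ``self._getnested``); when present the string found there is scanned
      instead of the buffer.  If no string is found, nothing is scanned.
    * ``maxbytes``  - integer cap; buffers larger than this are scanned only
      up to ``maxbytes``.  Non-integer or non-positive values disable the cap.
    * ``ext_vars``  - ``;``-separated names of YARA external variables to
      pull from the ``SCAN_YARA``/``ExternalVars`` metadata published by
      other modules.

    Each match adds a ``yr:<rule name>`` flag and, when the rule carries a
    ``meta`` section, records it as metadata under the rule name.

    Args:
        scanObject: object to scan; receives flags and metadata.
        result: overall scan result (unused here; part of the module interface).
        depth: recursion depth (unused here; part of the module interface).
        args: dispatcher arguments described above.

    Returns:
        list: always empty - this module produces no child objects.
    """
    moduleResult = []

    externalVars = self._collect_external_vars(scanObject, args)

    # The dispatcher may cap how much of the buffer is scanned. Anything that
    # is not a positive integer means "no cap" (a negative size would make
    # the buffer() slice below misbehave).
    maxBytes = 0
    if 'maxbytes' in args:
        try:
            maxBytes = int(args['maxbytes'])
        except ValueError:
            maxBytes = 0
        if maxBytes < 0:
            maxBytes = 0

    # Custom rules file from the dispatcher, else the configured default.
    rules = args['rule'] if 'rule' in args else config.yarascanrules

    if 'meta_scan' in args:
        metaBuffer = self._getnested(scanObject.moduleMetadata, args['meta_scan'])
        # Nothing (or a non-string) at that metadata path: nothing to scan.
        if not isinstance(metaBuffer, str):
            return moduleResult
        target = metaBuffer
    elif maxBytes and scanObject.objectSize > maxBytes:
        # Python 2 buffer(): zero-copy view of the first maxBytes bytes.
        target = buffer(scanObject.buffer, 0, maxBytes)
    else:
        target = scanObject.buffer

    matches = yara_on_demand(rules, target, externalVars=externalVars)

    for m in matches:
        if m.meta:
            scanObject.addMetadata(self.module_name, str(m), m.meta)
        scanObject.addFlag("yr:%s" % str(m))
        # scanObject.addFlag("s_yr::%s" % str(m))  # Placeholder for standardized flag format
    return moduleResult

def _collect_external_vars(self, scanObject, args):
    """Build the YARA external-variable mapping from other modules' metadata.

    Reads ``SCAN_YARA``/``ExternalVars`` from *scanObject*, which may be a
    single dict or a list of dicts, and filters it through
    ``self.getExternals`` using the names listed in ``args['ext_vars']``.
    The first time any variable carries a real value, the key list is
    recorded as ``ExternalVars Used`` metadata.

    NOTE(review): these values originate from other modules and may be
    derived from the scanned content; ``getExternals`` is presumably what
    restricts which names reach YARA - confirm against its definition.

    Returns:
        dict: external variable name -> value.
    """
    args_externalVars = []
    if 'ext_vars' in args:
        args_externalVars = args['ext_vars'].split(';')

    externalVars = {}
    tmp_externalVars = scanObject.getMetadata('SCAN_YARA', 'ExternalVars')
    if tmp_externalVars:
        # Due to how the framework works, ExternalVars may be a dict or a list
        # of dicts. Any other shape means the publishing module got it wrong
        # and we fall through with an empty mapping.
        if isinstance(tmp_externalVars, dict):
            externalVars = self.getExternals(args_externalVars, tmp_externalVars)
        elif isinstance(tmp_externalVars, list):
            # Bug fix: the original iterated the (still empty) externalVars
            # dict here, so a list of dicts was never processed.
            for externalVars_item in tmp_externalVars:
                if isinstance(externalVars_item, dict):
                    externalVars.update(self.getExternals(args_externalVars, externalVars_item))
    else:
        externalVars = self.getExternals(args_externalVars, {})

    extVars_used = scanObject.getMetadata('SCAN_YARA', 'ExternalVars Used')
    # The string 'None' is treated as "no value" by convention here.
    has_values = any(value for value in externalVars.values() if value != 'None')
    if has_values and not extVars_used:
        # list() keeps this a plain list on Python 3 too (Py2 keys() already is one).
        scanObject.addMetadata(self.module_name, 'ExternalVars Used', list(externalVars.keys()))
    return externalVars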