def _debug_print(self, data):
""" Debug printing of Yara matches."""
log = logging.getLogger('Mastiff.Plugins.' + self.name + '.match')
if data['matches'] == True:
for match in data['strings']:
log.debug('Match: %s: %s' % (data['rule'], plugins.bin2hex(match[2])))
return yara.CALLBACK_CONTINUE
def output_db(self, config, matches):
""" Output any matches to the database. """
log = logging.getLogger('Mastiff.Plugins.' + self.name + '.output_db')
db = DB.open_db_conf(config)
if db is None:
return False
# add the table 'yara' if it doesn't exist
if DB.check_table(db, 'yara') == False:
fields = ['id INTEGER PRIMARY KEY',
'sid INTEGER DEFAULT NULL',
'rule_name TEXT DEFAULT NULL',
'meta TEXT DEFAULT NULL',
'tag TEXT DEFAULT NULL',
'rule_file TEXT DEFAULT NULL',
'file_offset INTEGER DEFAULT NULL',
'string_id TEXT DEFAULT NULL',
'data TEXT DEFAULT NULL' ]
if not DB.add_table(db, 'yara', fields ):
log.error('Unable to add "yara" database table.')
return False
sqlid = DB.get_id(db, config.get_var('Misc', 'hashes'))
sel_query = 'SELECT count(*) FROM yara '
sel_query += 'WHERE sid=? AND rule_name=? AND meta=? AND tag=? AND '
sel_query += 'rule_file=? AND file_offset=? AND string_id=? AND data=? '
query = 'INSERT INTO yara '
query += '(sid, rule_name, meta, tag, rule_file, file_offset, string_id, data) '
query += 'VALUES (?, ?, ?, ?, ?, ?, ?, ?)'
cur = db.cursor()
# go through all matches and insert into DB if needed
try:
for item in matches:
for y_match in item.strings:
match_insert = ( sqlid, item.rule, str(item.meta), \
str(item.tags), item.namespace, \
y_match[0], y_match[1], plugins.bin2hex(y_match[2]), )
# check to see if its already in there
cur.execute(sel_query, match_insert)
if cur.fetchone()[0] == 0:
# not in the db already, add it in
log.debug('Adding %s match to database.' % (item.rule))
cur.execute(query, match_insert)
db.commit()
except sqlite3.Error, err:
log.error('SQL error when adding item to DB: %s' % err)
return False
def output_file(self, outdir, matches):
"""Prints any Yara matches to a file named yara.txt."""
out_file = open(outdir + os.sep + 'yara.txt', 'w')
if len(matches) == 0:
out_file.write('No Yara matches.')
else:
out_file.write('Yara Matches for %s\n' % self.filename)
for item in matches:
out_file.write('\nRule Name: %s\n' % item.rule)
out_file.write('Yara Meta: %s\n' % item.meta)
out_file.write('Yara Tags: %s\n' % item.tags)
out_file.write('Rule File: %s\n' % item.namespace)
out_file.write('Match Info:\n')
for y_match in item.strings:
out_file.write('\tFile Offset: %d\n' % y_match[0])
out_file.write('\tString ID: %s\n' % y_match[1])
out_file.write('\tData: %s\n\n' % plugins.bin2hex(y_match[2]))
out_file.write('*'*79 + '\n')
out_file.close()
return True
