        # See if we have a serialized VirusTotal Query Class.
        # If we do not have one we'll create a new one
        try:
            vtq = pickle.load(open('vtq.pkl', 'rb'))
            print('Opening VirusTotal Query Cache (cache_size={:d})...'.format(vtq.size))
        except IOError:
            vtq = vt_query.VTQuery(max_cache_time=60*24*7) # One week cache

        # See our 'Risky Domains' Notebook for the analysis and
        # statistical methods used to compute this risky set of TLDs
        risky_tlds = set(['info', 'tk', 'xyz', 'online', 'club', 'ru', 'website', 'in', 'ws',
                          'top', 'site', 'work', 'biz', 'name', 'tech', 'loan', 'win', 'pro'])

        # Launch long lived process with signal catcher
        with signal_utils.signal_catcher(save_vtq):

            # Run the bro reader on the dns.log file looking for risky TLDs
            reader = bro_log_reader.BroLogReader(args.bro_log)
            for row in reader.readrows():

                # Pull out the TLD
                query = row['query']
                tld = tldextract.extract(query).suffix

                # Check if the TLD is in the risky group
                if tld in risky_tlds:
                    # Make the query with the full query
                    results = vtq.query_url(query)
                    if results.get('positives', 0) > 3: # At least four hits
                        print('\nRisky Domain DNS Query Found')
        print(
            '$ python yara_matches -r /path/to/rules/index.yar -e /path/to/bro/extract_files'
        )
        sys.exit(1)

    # Sanity check that the args exist and are what we expect
    if not os.path.isfile(args.rule_index):
        print(
            '--rule-index file not found.. should be /full/path/to/yara/rules/index.yar'
        )
        sys.exit(1)
    if not os.path.isdir(args.extract_dir):
        print(
            '--extract-dir directory not found.. should be /full/path/to/bro/extract_files'
        )
        sys.exit(1)

    # Load/compile the yara rules
    my_rules = yara.compile(args.rule_index)

    # Create DirWatcher and start watching the Bro extract_files directory
    print('Watching Extract Files Directory: {:s}'.format(args.extract_dir))
    dir_watcher.DirWatcher(args.extract_dir,
                           callback=yara_match,
                           rules=my_rules)

    # Okay so just wait around for files to be dropped by Bro or someone hits Ctrl-C
    with signal_utils.signal_catcher(my_exit):
        while True:
            time.sleep(.5)