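    def do_search(self, *, size=50, similarity_threshold=30):
        """Search the APK index with the form's validated ``q`` text.

        ``q`` is sent as an Elasticsearch ``query_string`` query with
        ``sha256`` as the default field, ``<mark>`` highlighting on every
        field, terms aggregations on permissions, domains and Android
        features, and hits sorted by ``analysis_date`` descending.

        Args:
            size: maximum number of hits to request (default 50).
            similarity_threshold: threshold handed to
                ``append_dexofuzzy_similarity`` (default 30).

        Returns:
            A ``(results, aggregations, genetic_analysis)`` tuple. If the
            search or any post-processing step raises, the exception is
            logged and ``([], [], None)`` is returned so the caller can still
            render an empty result page.
        """
        import logging

        q = self.cleaned_data['q']

        # NOTE(review): ``q`` is user-controlled and is interpreted as full
        # Lucene query_string syntax (field selectors, wildcards, regexes,
        # ranges). A malformed query raises on the Elasticsearch side and
        # ends up in the except branch below; consider ``simple_query_string``
        # or ``"allow_leading_wildcard": False`` if costly queries become a
        # concern.
        query = {
            "query": {
                "query_string": {
                    "default_field": "sha256",
                    "query": q,
                },
            },
            "highlight": {
                "fields": {
                    "*": {"pre_tags": ["<mark>"], "post_tags": ["</mark>"]},
                },
            },
            "aggs": {
                "permissions": {"terms": {"field": "permissions.keyword"}},
                "domains": {"terms": {"field": "domains_analysis._name.keyword"}},
                "android_features": {"terms": {"field": "features.keyword"}},
            },
            "sort": {"analysis_date": "desc"},
            "_source": [
                "apk_hash", "sha256", "uploaded_at", "icon_base64", "handle",
                "app_name", "version_code", "size", "dexofuzzy.apk",
                "quark.threat_level", "vt", "vt_report", "malware_bazaar",
                "is_signed", "frosting_data.is_frosted", "features",
                "andro_cfg.genom",
            ],
            "size": size,
        }
        es = Elasticsearch(settings.ELASTICSEARCH_HOSTS)
        try:
            raw_results = es.search(index=settings.ELASTICSEARCH_APK_INDEX, body=query)
            results = transform_hl_results(raw_results)
            results = append_dexofuzzy_similarity(results, 'sim', similarity_threshold)
            genetic_analysis = compute_genetic_analysis(results)
            return results, get_aggregations(raw_results), genetic_analysis
        except Exception:
            # Best-effort: the caller expects an empty result set rather than
            # a crash, but the failure must not disappear silently.
            logging.getLogger(__name__).exception("APK search failed")
            return [], [], None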
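def get_sample_light(sha256):
    """Fetch one APK document by hash with a reduced ``_source``.

    Args:
        sha256: hash value matched (``match`` query) against the ``apk_hash``
            field of the APK index.

    Returns:
        Whatever ``transform_hl_results`` produces for the response; at most
        one hit is requested (``size`` is 1). If the search or the transform
        raises, the exception is logged and ``[]`` is returned.
    """
    import logging

    query = {
        "query": {
            "match": {
                "apk_hash": sha256,
            },
        },
        "_source": [
            "apk_hash", "sha256", "uploaded_at", "icon_base64", "handle",
            "app_name", "version_code", "size", "dexofuzzy.apk", "quark", "vt",
            "malware_bazaar", "is_signed", "frosting_data.is_frosted",
            "features",
        ],
        # Only the single matching document is needed.
        "size": 1,
    }
    es = Elasticsearch(settings.ELASTICSEARCH_HOSTS)
    try:
        raw_results = es.search(index=settings.ELASTICSEARCH_APK_INDEX, body=query)
        return transform_hl_results(raw_results)
    except Exception:
        # Best-effort lookup: callers expect an empty list on failure, but the
        # cause should still reach the logs.
        logging.getLogger(__name__).exception("APK lookup failed")
        return []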
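    def do_search(self, *, size=50, similarity_threshold=30):
        """Search the APK index with the form's validated ``q`` text.

        User-facing field aliases such as ``cert_md5:`` are rewritten to the
        indexed field names before the text is sent as an Elasticsearch
        ``query_string`` query (default field ``sha256``). The request also
        asks for ``<mark>`` highlighting on every field and terms
        aggregations on permissions, domains, Android API descriptions and
        Android features.

        Args:
            size: maximum number of hits to request (default 50).
            similarity_threshold: threshold handed to
                ``append_dexofuzzy_similarity`` (default 30).

        Returns:
            A ``(results, aggregations)`` tuple. If the search or any
            post-processing step raises, the exception is logged and
            ``([], [])`` is returned.
        """
        import logging
        import re

        # Alias typed by the user -> field name in the index. ``features``
        # maps to itself and is kept only so the alias list stays complete.
        mapping = {
            'cert_md5': 'certificates.fingerprint_md5',
            'cert_sha1': 'certificates.fingerprint_sha1',
            'cert_sha256': 'certificates.fingerprint_sha256',
            'tracker': 'trackers.name',
            'domains': 'domains_analysis._name',
            'features': 'features',
            'cert_issuer': 'certificates.issuer',
        }
        q = self.cleaned_data['q']

        # Rewrite only a whole-word alias immediately followed by ':', i.e. a
        # query_string field selector. A search term that merely contains an
        # alias, or a query already written with the real field name
        # (``trackers.name:...``), is left untouched instead of being mangled
        # by a blind substring replace.
        alias_re = re.compile(r'\b(' + '|'.join(map(re.escape, mapping)) + r'):')
        q = alias_re.sub(lambda m: mapping[m.group(1)] + ':', q)

        # NOTE(review): ``q`` is user-controlled and is interpreted as full
        # Lucene query_string syntax (field selectors, wildcards, regexes,
        # ranges). A malformed query raises on the Elasticsearch side and
        # ends up in the except branch below; consider ``simple_query_string``
        # or ``"allow_leading_wildcard": False`` if costly queries become a
        # concern.
        query = {
            "query": {
                "query_string": {
                    "default_field": "sha256",
                    "query": q,
                },
            },
            "highlight": {
                "fields": {
                    "*": {
                        "pre_tags": ["<mark>"],
                        "post_tags": ["</mark>"],
                    },
                },
            },
            "aggs": {
                "permissions": {"terms": {"field": "permissions.keyword"}},
                "domains": {"terms": {"field": "domains_analysis._name.keyword"}},
                "android_api": {
                    "terms": {
                        "field": "android_api_analysis.metadata.description.keyword",
                    },
                },
                "android_features": {"terms": {"field": "features.keyword"}},
            },
            "_source": [
                "apk_hash", "sha256", "handle", "app_name", "dexofuzzy.apk",
                "quark", "vt", "malware_bazaar",
            ],
            "size": size,
        }
        es = Elasticsearch([settings.ELASTICSEARCH_HOST])
        try:
            raw_results = es.search(index=settings.ELASTICSEARCH_APK_INDEX,
                                    body=query)
            results = transform_hl_results(raw_results)
            results = append_dexofuzzy_similarity(results, 'sim', similarity_threshold)
            return results, get_aggregations(raw_results)
        except Exception:
            # Best-effort: the caller expects an empty result set rather than
            # a crash, but the failure must not disappear silently.
            logging.getLogger(__name__).exception("APK search failed")
            return [], []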
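    def do_search(self, *, size=50, similarity_threshold=30):
        """Search the APK index with the form's validated ``q`` text.

        User-facing field aliases such as ``cert_md5:`` are rewritten to the
        indexed field names before the text is sent as an Elasticsearch
        ``query_string`` query (default field ``sha256``). The request also
        asks for ``<mark>`` highlighting on every field, terms aggregations
        on permissions, domains and Android features, and hits sorted by
        ``analysis_date`` descending.

        Args:
            size: maximum number of hits to request (default 50).
            similarity_threshold: threshold handed to
                ``append_dexofuzzy_similarity`` (default 30).

        Returns:
            A ``(results, aggregations)`` tuple. If the search or any
            post-processing step raises, the exception is logged and
            ``([], [])`` is returned.
        """
        import logging
        import re

        # Alias typed by the user -> field name in the index. ``features``
        # maps to itself and is kept only so the alias list stays complete.
        mapping = {
            'cert_md5': 'certificates.fingerprint_md5',
            'cert_sha1': 'certificates.fingerprint_sha1',
            'cert_sha256': 'certificates.fingerprint_sha256',
            'tracker': 'trackers.name',
            'domains': 'domains_analysis._name',
            'features': 'features',
            'cert_issuer': 'certificates.issuer',
        }
        q = self.cleaned_data['q']

        # Rewrite only a whole-word alias immediately followed by ':', i.e. a
        # query_string field selector. A search term that merely contains an
        # alias, or a query already written with the real field name
        # (``trackers.name:...``), is left untouched instead of being mangled
        # by a blind substring replace.
        alias_re = re.compile(r'\b(' + '|'.join(map(re.escape, mapping)) + r'):')
        q = alias_re.sub(lambda m: mapping[m.group(1)] + ':', q)

        # NOTE(review): ``q`` is user-controlled and is interpreted as full
        # Lucene query_string syntax (field selectors, wildcards, regexes,
        # ranges). A malformed query raises on the Elasticsearch side and
        # ends up in the except branch below; consider ``simple_query_string``
        # or ``"allow_leading_wildcard": False`` if costly queries become a
        # concern.
        query = {
            "query": {
                "query_string": {
                    "default_field": "sha256",
                    "query": q,
                },
            },
            "highlight": {
                "fields": {
                    "*": {
                        "pre_tags": ["<mark>"],
                        "post_tags": ["</mark>"],
                    },
                },
            },
            "aggs": {
                "permissions": {"terms": {"field": "permissions.keyword"}},
                "domains": {"terms": {"field": "domains_analysis._name.keyword"}},
                "android_features": {"terms": {"field": "features.keyword"}},
            },
            "sort": {"analysis_date": "desc"},
            "_source": [
                "apk_hash", "sha256", "uploaded_at", "icon_base64", "handle",
                "app_name", "version_code", "size", "dexofuzzy.apk", "quark",
                "vt", "malware_bazaar", "is_signed",
                "frosting_data.is_frosted", "features",
            ],
            "size": size,
        }
        es = Elasticsearch(settings.ELASTICSEARCH_HOSTS)
        try:
            raw_results = es.search(index=settings.ELASTICSEARCH_APK_INDEX,
                                    body=query)
            results = transform_hl_results(raw_results)
            results = append_dexofuzzy_similarity(results, 'sim', similarity_threshold)
            return results, get_aggregations(raw_results)
        except Exception:
            # Best-effort: the caller expects an empty result set rather than
            # a crash, but the failure must not disappear silently.
            logging.getLogger(__name__).exception("APK search failed")
            return [], []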