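def analyseSubmission(self, submission):
    """Run every loaded module on *submission* and record how many of them succeeded.

    Args:
        submission: a ``Model.Submission`` instance.  The object is detached from
            the session before the modules run; the row is then reloaded by id so
            that ``working_modules`` is written through an attached instance.

    Raises:
        TypeError: if *submission* is not a ``Model.Submission`` (checked before
            the object or the session is touched, so a foreign value fails with a
            clear error instead of an ``AttributeError`` on ``.id``).
    """
    if not isinstance(submission, Model.Submission):
        raise TypeError("Invalid submission object")
    sid = submission.id
    session = Session()
    session.expunge(submission)
    # A module only counts as "working" when analyse() returns exactly True;
    # any other return value (None, a report object, ...) is not counted.
    working = sum(1 for module in self.modules if module.analyse(submission) is True)
    submission = session.query(Submission).filter(Submission.id == sid).one()
    submission.working_modules = working
    session.commit()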
def _do_work(self, submission):
    """Look the submission's SHA-1 up in the reference hash database and report the matches.

    A hit marks the file as known-good (``threat_level`` 0) and attaches one JSON
    section per matching row; a miss only records the hash in the summary and
    leaves ``threat_level`` untouched.  Returns the committed ``Report``.
    """
    session = Session()
    report = Report(
        module=self.__ModuleName__,
        short="Short desc...",
        full="",
        submission=submission
    )
    session.add(report)

    def row_details(row):
        # Column positions follow the select list of the query below.
        return {
            'FileName': row[2],
            'FileSize': row[3],
            'Product': {
                'ProductName': row[4],
                'ProductVersion': row[5],
                'Language': row[6],
                'ApplicationType': row[7],
                'OS': {
                    'OpSystemCode': row[8],
                    'OpSystemName': row[9],
                    'OpSystemVersion': row[10],
                    'MfgCode': row[11],
                    'MfgName': row[12],
                },
            },
        }

    # The hash is derived from the submitted file, so it is bound as a query
    # parameter rather than interpolated into the statement text.
    query = """select sha1, md5, FileName, FileSize, ProductName, ProductVersion, Language, ApplicationType, o.OpSystemCode, OpSystemName, OpSystemVersion, o.MfgCode, MfgName from file f inner join Prod p on p.ProductCode=f.ProductCode inner join OS o on f.OpSystemCode=o.OpSystemCode inner join Mfg m on m.MfgCode=o.MfgCode where sha1=?;"""
    rows = self.db.execute(query, (submission.file.sha1.upper(),)).fetchall()

    if not rows:
        # Not present in the hash database.
        report.short = "Unknown File - sha1 : %s" % (submission.file.sha1)
    else:
        # Present in the hash database: treated as a known-good file.
        report.short = "File known to be safe (%s match)" % (len(rows))
        report.threat_level = 0
        for row in rows:
            payload = JSONEncoder().encode(row_details(row))
            session.add(ReportSection(
                type='json',
                value=payload,
                report=report
            ))
    session.commit()
    return report
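def _do_work(self, submission):
    """Query the VT backend (``self.vt``) for the file's SHA-256 and build a report from the result.

    When the hash is unknown and ``module_config['submit_unknown']`` is set, the
    file itself is uploaded for scanning and the call blocks until the scan has
    finished (``report.join()``).  Uploading hands the sample to a third party,
    which is why that path stays behind the configuration switch.

    Threat level: 0 when nothing detects the file, 100 when more than five
    engines do; for one to five detections the level is left unset.  Failures
    while reading the VT result are logged and do not block the report.
    Returns the committed ``Report``.
    """
    vt_report = self.vt.get(submission.file.sha256)
    session = Session()
    report = Report(
        module=self.__ModuleName__,
        short="Short desc...",
        full="",
        submission=submission
    )
    session.add(report)

    new_vt_submission = False
    if vt_report is None:
        # Hash unknown to VT.
        report.short = "Unknown on VT"
        if self.module_config['submit_unknown']:
            vt_report = self.vt.scan(submission.file.path, reanalyze=True)
            vt_report.join()
            new_vt_submission = True

    # Unknown hash and no upload: there is nothing further to record, and
    # reaching into a missing result would only log a misleading error.
    if vt_report is not None:
        try:
            # Explicit check rather than `assert`, which `python -O` strips.
            if vt_report.done is not True:
                raise RuntimeError("VT report is not complete")
            report.short = "Detection rate : %s/%s - %s" % (vt_report.positives, vt_report.total, vt_report.verbose_msg)
            if new_vt_submission:
                report.short += " (First submission in VT)"
            if vt_report.positives == 0:
                report.threat_level = 0
            elif vt_report.positives > 5:
                report.threat_level = 100
            # NOTE(review): relies on the client's private `_report` attribute
            # holding the raw result dict — confirm against the VT client in use.
            payload = JSONEncoder().encode(vt_report._report)
            session.add(ReportSection(
                type='json',
                value=payload,
                report=report
            ))
        except Exception as e:
            # Best-effort: a broken VT result must not prevent the report from
            # being committed; the summary keeps whatever was set above.
            logging.error("Could not get report from vt : %s", e)
    session.commit()
    return report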
def _do_work(self, submission):
    """Render the entropy plot and the byte map of the submitted file as two image sections.

    Both PNGs are written under ``module_config["output_dir"]`` and named by the
    file's SHA-256.  The report summary is the file-type text produced by
    ``EntropyTool``.  Returns the committed ``Report``.
    """
    tool = EntropyTool(submission.file.path)
    # analyze() must run before writeimg(); its four numeric results are not
    # reported by this module.
    entropy, mean, stdv, max_dev = tool.analyze()

    output_dir = self.module_config["output_dir"]
    digest = submission.file.sha256
    entropy_png = os.path.join(output_dir, "%s.png" % digest)
    tool.writeimg(entropy_png)
    map_png = os.path.join(output_dir, "%s_map.png" % digest)
    MapFile().writeimg(submission.file.path, map_png)

    report = Report(module=self.__ModuleName__, short="%s" % tool.FileTypeText(), full="", submission=submission)
    Session.add(report)

    images = (
        (entropy_png, "Entropy of the file"),
        (map_png, "Mapping of the file"),
    )
    for path, comment in images:
        # Backslashes are normalised to forward slashes before the path is
        # stored — presumably so the stored value works as a URL; confirm with the consumer.
        payload = JSONEncoder().encode({"path": path.replace("\\", "/"), "comment": comment})
        Session.add(ReportSection(type="img", value=payload, report=report))
    Session.commit()
    return report
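def _do_work(self, submission):
    """Extract the file's metadata with the exif tool and store it as one nested JSON section.

    Each metadata key is split on ``":"`` (ExifTool-style ``Group:Tag`` names,
    presumably); every component but the last becomes a nesting level of the
    resulting dict and the last one holds the value.  Returns the committed
    ``Report``.
    """
    metadata = self.exif_tool.get_metadata(submission.file.path)
    hierarchy = {}
    # .items() instead of .iteritems() keeps this working on both Python 2 and 3.
    for key, value in metadata.items():
        parts = key.split(":")
        node = hierarchy
        for group in parts[:-1]:
            node = node.setdefault(group, {})
        # NOTE(review): a key that is both a leaf ("a") and a group prefix
        # ("a:b") collides here and raises TypeError on the nested assignment.
        node[parts[-1]] = value

    payload = JSONEncoder().encode(hierarchy)
    session = Session()
    report = Report(module=self.__ModuleName__, short="", full="", submission=submission)
    session.add(report)
    session.add(ReportSection(type="json", value=payload, report=report))
    session.commit()
    return report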
def _do_work(self, submission):
    """Run the PDF analyzer on the submitted file and map its severity to a threat level.

    The summary is ``"<severity> (<comment>)"``.  Severity 5 and above maps to
    threat level 100, 2 to 4 to 50 and anything lower to 0.  Two text sections
    carry the analyzer's anomaly list and its pdfid output.  Returns the
    committed ``Report``.
    """
    analyzer = AnalyzePDF(submission.file.path, toolpath=self.module_config['tool_path'])
    sev, comment = analyzer.analyze()  # (sev (0-5+), "comment")

    report = Report(
        module=self.__ModuleName__,
        short="%s (%s)" % (sev, comment),
        full="",
        submission=submission
    )
    # Same thresholds as the original if/elif chain, as a single expression.
    if sev >= 5:
        level = 100
    elif sev >= 2:
        level = 50
    else:
        level = 0
    report.threat_level = level
    Session.add(report)

    for text in (analyzer.anomalies_string, analyzer.pdfid_str):
        Session.add(ReportSection(
            type='text',
            value=text,
            report=report
        ))
    Session.commit()
    return report