Пример #1
0
    def output_db(self, config, matches):
        """ Output any matches to the database. """
        log = logging.getLogger('Mastiff.Plugins.' + self.name + '.output_db')

        db = DB.open_db_conf(config)
        if db is None:
            return False

        # add the table 'yara' if it doesn't exist
        if DB.check_table(db, 'yara') == False:
            fields = ['id INTEGER PRIMARY KEY',
                      'sid INTEGER DEFAULT NULL',
                      'rule_name TEXT DEFAULT NULL',
                      'meta TEXT DEFAULT NULL',
                      'tag TEXT DEFAULT NULL',
                      'rule_file TEXT DEFAULT NULL',
                      'file_offset INTEGER DEFAULT NULL',
                      'string_id TEXT DEFAULT NULL',
                      'data TEXT DEFAULT NULL' ]
            if not DB.add_table(db, 'yara', fields ):
                log.error('Unable to add "yara" database table.')
                return False

        sqlid = DB.get_id(db, config.get_var('Misc', 'hashes'))
        sel_query = 'SELECT count(*) FROM yara '
        sel_query += 'WHERE sid=? AND rule_name=? AND meta=? AND tag=? AND '
        sel_query += 'rule_file=? AND file_offset=? AND string_id=? AND data=? '
        query = 'INSERT INTO yara '
        query += '(sid, rule_name, meta, tag, rule_file, file_offset, string_id, data) '
        query += 'VALUES (?, ?, ?, ?, ?, ?, ?, ?)'

        cur = db.cursor()

        # go through all matches and insert into DB if needed
        try:
            for item in matches:
                for y_match in item.strings:
                    match_insert = ( sqlid, item.rule, str(item.meta), \
                                    str(item.tags), item.namespace, \
                                    y_match[0], y_match[1], plugins.bin2hex(y_match[2]), )
                    # check to see if its already in there
                    cur.execute(sel_query, match_insert)
                    if cur.fetchone()[0] == 0:
                        # not in the db already, add it in
                        log.debug('Adding %s match to database.' % (item.rule))
                        cur.execute(query, match_insert)
            db.commit()
        except sqlite3.Error, err:
            log.error('SQL error when adding item to DB: %s' % err)
            return False
Пример #2
0
    def output_db(self, config, data):
        """Print output from analysis to a file."""
        log = logging.getLogger('Mastiff.Plugins.' + self.name)

        db = DB.open_db_conf(config)
        if db is None:
            return False

        db.text_factory = str

        # If the 'files' table does now exist, add it
        if DB.check_table(db, 'files') == False:
            log.debug('Adding table files')
            fields = [
                'id INTEGER PRIMARY KEY', 'sid INTEGER', 'filename TEXT',
                'size INTEGER', 'firstseen INTEGER', 'lastseen INTEGER',
                'times INTEGER'
            ]
            if DB.add_table(db, 'files', fields) is None:
                return False
            db.commit()

        cur = db.cursor()
        sqlid = DB.get_id(db, data['hashes'])

        if sqlid is None:
            log.error('%s hashes do not exist in the database',
                      data['filename'])
            return False

        # see if the filename already exists in the db
        try:
            cur.execute(
                'SELECT id, times FROM files WHERE filename=? AND sid=?', (
                    data['filename'],
                    sqlid,
                ))
        except sqlite3.Error, err:
            log.error('Could not query filename table: %s', err)
            return None
Пример #3
0
    def output_db(self, config, data):
        """Print output from analysis to a file."""
        log = logging.getLogger('Mastiff.Plugins.' + self.name)

        db = DB.open_db_conf(config)
        if db is None:
            return False
            
        db.text_factory = str

        # If the 'files' table does now exist, add it
        if DB.check_table(db,  'files')  == False:
            log.debug('Adding table files')
            fields = [ 'id INTEGER PRIMARY KEY',
                                   'sid INTEGER',
                                  'filename TEXT',
                                  'size INTEGER',
                                  'firstseen INTEGER',
                                  'lastseen INTEGER',
                                  'times INTEGER']
            if DB.add_table(db, 'files',  fields) is None:
                return False
            db.commit()

        cur = db.cursor()
        sqlid = DB.get_id(db,  data['hashes'])

        if sqlid is None:
            log.error('%s hashes do not exist in the database',  data['filename'])
            return False

        # see if the filename already exists in the db
        try:
            cur.execute('SELECT id, times FROM files WHERE filename=? AND sid=?',
                         (data['filename'], sqlid, ))
        except sqlite3.Error, err:
            log.error('Could not query filename table: %s',  err)
            return None
Пример #4
0
    def output_db(self, config, my_fuzzy):
        """ Add fuzzy hash to the DB."""
        log = logging.getLogger('Mastiff.Plugins.' + self.name + '.DB_output')

        # open up the DB and extend the mastiff table to include fuzzy hashes
        db = DB.open_db_conf(config)

        # there is a possibility the mastiff table is not available yet
        # check for that and add it
        if DB.check_table(db,  'files')  == False:
            log.debug('Adding table "files"')
            fields = [ 'id INTEGER PRIMARY KEY',
                                   'sid INTEGER',
                                  'filename TEXT',
                                  'size INTEGER',
                                  'firstseen INTEGER',
                                  'lastseen INTEGER',
                                  'times INTEGER']
            if DB.add_table(db, 'files',  fields) is None:
                return False
            db.commit()

        if not DB.add_column(db, 'mastiff', 'fuzzy TEXT DEFAULT NULL'):
            log.error('Unable to add column.')
            return False

        conn = db.cursor()
        # update our hash
        sqlid = DB.get_id(db, config.get_var('Misc', 'Hashes'))
        query = 'UPDATE mastiff SET fuzzy=? WHERE id=?'
        try:
            conn.execute(query, (my_fuzzy, sqlid, ))
            db.commit()
        except sqlite3.OperationalError, err:
            log.error('Unable to add fuzzy hash: %s', err)
            return False