Пример #1
0
 def generate_logic_hash(rule):
     """Generate logic hash: DEPRECATED."""
     from plyara.utils import generate_logic_hash
     import warnings
     warnings.warn(
         'Static method generate_logic_hash() is deprecated: use plyara.utils',
         DeprecationWarning)
     return generate_logic_hash(rule)
Пример #2
0
    def test_logic_hash_generator_output(self):
        with data_dir.joinpath('rulehashes.txt').open('r') as fh:
            rule_hashes = fh.read().splitlines()

        with data_dir.joinpath('test_rules_from_yara_project.yar').open(
                'r') as fh:
            inputString = fh.read()

        results = Plyara().parse_string(inputString)

        for index, result in enumerate(results):
            rulehash = generate_logic_hash(result)
            self.assertEqual(rulehash, rule_hashes[index])
Пример #3
0
    def test_generate_logic_hash_output(self):
        with data_dir.joinpath('rulehashes_v2.0.0.txt').open('r') as fh:
            rule_hashes = fh.read().splitlines()

        with data_dir.joinpath('test_rules_from_yara_project.yar').open(
                'r') as fh:
            # Rules containing "(1..#)" or similar iterators cause Unhandled String Count Condition errors
            inputString = fh.read()

        results = Plyara().parse_string(inputString)

        for index, result in enumerate(results):
            rulehash = generate_logic_hash(result)
            self.assertEqual(rulehash, rule_hashes[index])
Пример #4
0
def generate_kwargs_from_parsed_rule(parsed_rule):
    # Generate parsed rule kwargs for saving a rule
    name = parsed_rule['rule_name']
    tags = parsed_rule.get('tags', [])
    scopes = parsed_rule.get('scopes', [])

    # TODO : Update when Plyara moves to clean Python types
    metadata = parsed_rule.get('metadata', {})
    for key, value in metadata.items():
        if value not in ('true', 'false'):
            try:
                value = int(value)
            except ValueError:
                metadata[key] = '"' + value + '"'

    strings = parsed_rule.get('strings', [])
    condition = parsed_rule['condition_terms']

    # TODO : Update when Plyara moves to stripping quotes from detect_imports module
    imports = [imp.strip('"') for imp in utils.detect_imports(parsed_rule)]
    comments = parsed_rule.get('comments', [])
    dependencies = utils.detect_dependencies(parsed_rule)

    # Calculate hash value of rule strings and condition
    logic_hash = utils.generate_logic_hash(parsed_rule)

    # TEMP FIX - Use only a single instance of a metakey
    # until YaraGuardian models and functions can be updated
    for key, value in metadata.items():
        if isinstance(value, list):
            metadata[key] = value[0]

    return {
        'name': name,
        'tags': list(set(tags)),
        'scopes': list(set(scopes)),
        'imports': list(set(imports)),
        'comments': list(set(comments)),
        'metadata': metadata,
        'strings': strings,
        'condition': condition,
        'dependencies': dependencies,
        'logic_hash': logic_hash
    }
Пример #5
0
    def test_generate_logic_hash(self):
        with data_dir.joinpath('logic_collision_ruleset_v2.0.0.yar').open(
                'r') as fh:
            inputString = fh.read()

        result = Plyara().parse_string(inputString)

        rule_mapping = {}

        for entry in result:
            rulename = entry['rule_name']
            setname, _ = rulename.split('_')
            rulehash = generate_logic_hash(entry)

            if setname not in rule_mapping:
                rule_mapping[setname] = [rulehash]
            else:
                rule_mapping[setname].append(rulehash)

        for setname, hashvalues in rule_mapping.items():
            self.assertTrue(
                len(set(hashvalues)) == 1,
                'Collision detection failure for {}'.format(setname))