def _close(self,):
'''Laika framework destructor'''
for sender in self._senders.itervalues():
if sender.pendings:
sender.emit('flush',
{'message':
'This event is to flush out the buffer of the python fluentd logger'})
if sender.pendings:
# XXX: Laika logging hack using stubs
log_module_error(self.module_name, ScanObjectStub(), ResultStub(),
'Failed to flush buffer. Log events lost.')
def _rollupToMe(result, myuID):
flag_rollup = []
for uid, sO in result.files.iteritems():
if uid == myuID:
for flag in sO.flags: flag_rollup.append(flag)
elif sO.parent == myuID: #if my direct child
if "DISPOSITIONER" in sO.moduleMetadata:
if "Input_Flags" in sO.moduleMetadata["DISPOSITIONER"]["Disposition"]:
flag_rollup.extend(sO.moduleMetadata["DISPOSITIONER"]["Disposition"]["Input_Flags"])
else:
log_module_error("DISPOSITIONER", sO, result, "Child object does not have DISPOSITIONER metadata")
flag_rollup = list(set(flag_rollup)) # Make Unique
return flag_rollup
def _close(self, ):
"""Laika framework destructor"""
for sender in self._senders.itervalues():
if sender.pendings:
sender.emit(
'flush', {
'message':
'This event is to flush out the buffer of the python fluentd logger'
})
if sender.pendings:
# XXX: Laika logging hack using stubs
log_module_error(
self.module_name, ScanObjectStub(), ResultStub(),
'Failed to flush buffer. Log events lost.')
def _run(self, scanObject, result, depth, args):
#Initialization
moduleResult = []
verbose = False
resultDict = {}
strMatches = ""
#Read arguments
if 'verbose' in args:
verbose = True
#Populate static metadata
resultDict['Disposition_File'] = config.yaradispositionrules
resultDict['Result'] = "Disposition Not Initialized"
#Get scanObject uID for flag_rollup and rollup flags
myUID = get_scanObjectUID(scanObject)
flag_rollup = self._rollupToMe(result, myUID)
resultDict['Input_Flags'] = flag_rollup
if verbose:
log_module("MSG",
self.module_name,
0,
scanObject,
result,
msg="dispositon_email: flag rollup: %s" % flag_rollup)
try:
matches = yara_on_demand(config.yaradispositionrules,
' '.join(flag_rollup))
lstStrMatches = [str(match) for match in matches]
resultDict['Matches'] = lstStrMatches
if matches:
strMatches = ' '.join(lstStrMatches)
except SyntaxError:
log_module_error(
self.module_name, scanObject, result,
"Error Compiling YARA rules file at: " +
config.yaradispositionrules)
resultDict['Result'] = "YARA RULE SYNTAX ERROR"
resultDict['Result'] = "Accept"
for match in resultDict['Matches']:
if match.startswith("Deny"):
resultDict['Result'] = "Deny"
scanObject.addMetadata(self.module_name, 'Disposition', resultDict)
return moduleResult
def _run(self, scanObject, result, depth, args):
"""Main module execution. Logs the scan result to fluentd."""
tag = get_option(args, "tag", "fluent_tag", "laikaboss.log_fluent")
host = get_option(args, "host", "fluent_host", "localhost")
port = int(get_option(args, "port", "fluent_port", 24224))
bufmax = int(get_option(args, "bufmax", "fluent_bufmax", 1048576)) # 1 MB
timeout = float(get_option(args, "timeout", "fluent_timeout", 3.0))
label = get_option(args, "label", "fluent_label", "scan_result")
sender = self._get_sender(tag, host, port, bufmax, timeout)
log_record = self._parse_log_record(result)
sender.emit(label, log_record)
if sender.pendings: # buffer in case of failed transmission
log_module_error(self.module_name, scanObject, result,
'Log event failed emition. Will retry on next emition.')
return []
def _run(self, scanObject, result, depth, args):
"""Main _module execution. Logs the scan result to fluentd."""
tag = get_option(args, "tag", "fluent_tag", "laikaboss.log_fluent")
host = get_option(args, "host", "fluent_host", "localhost")
port = int(get_option(args, "port", "fluent_port", 24224))
bufmax = int(get_option(args, "bufmax", "fluent_bufmax",
1048576)) # 1 MB
timeout = float(get_option(args, "timeout", "fluent_timeout", 3.0))
label = get_option(args, "label", "fluent_label", "scan_result")
sender = self._get_sender(tag, host, port, bufmax, timeout)
log_record = self._parse_log_record(result)
sender.emit(label, log_record)
if sender.pendings: # buffer in case of failed transmission
log_module_error(
self.module_name, scanObject, result,
'Log event failed emition. Will retry on next emition.')
return []
def _rollupToMe(result, myuID):
flag_rollup = []
for uid, sO in result.files.iteritems():
if uid == myuID:
for flag in sO.flags:
flag_rollup.append(flag)
elif sO.parent == myuID: #if my direct child
if "DISPOSITIONER" in sO.moduleMetadata:
if "Input_Flags" in sO.moduleMetadata["DISPOSITIONER"][
"Disposition"]:
flag_rollup.extend(sO.moduleMetadata["DISPOSITIONER"]
["Disposition"]["Input_Flags"])
else:
log_module_error(
"DISPOSITIONER", sO, result,
"Child object does not have DISPOSITIONER metadata")
flag_rollup = list(set(flag_rollup)) # Make Unique
return flag_rollup
def close(self, ):
""" Wrapper method around _close for error handling """
moduleLoggingBool = config.modulelogging
try:
self._close()
except QuitScanException:
logging.warning("quitting destructor early on _module %s", self.module_name)
raise
except Exception:
exc_type, exc_value, exc_traceback = sys.exc_info()
logging.exception("error closing _module %s. exception details below: " % self.module_name)
if moduleLoggingBool:
log_module_error(self.module_name,
None,
None,
repr(traceback.format_exception(exc_type,
exc_value,
exc_traceback)))
def close(self, ):
''' Wrapper method around _close for error handling '''
moduleLoggingBool = config.modulelogging
try:
self._close()
except QuitScanException:
logging.warn("quitting destructor early on module %s", self.module_name)
raise
except Exception:
exc_type, exc_value, exc_traceback = sys.exc_info()
logging.exception("error closing module %s. exception details below: " % self.module_name)
if moduleLoggingBool:
log_module_error(self.module_name,
None,
None,
repr(traceback.format_exception(exc_type,
exc_value,
exc_traceback)))
def _run(self, scanObject, result, depth, args):
#Initialization
moduleResult = []
verbose = False
resultDict = {}
strMatches = ""
#Read arguments
if 'verbose' in args:
verbose = True
#Populate static metadata
resultDict['Disposition_File'] = config.yaradispositionrules
resultDict['Result'] = "Disposition Not Initialized"
#Get scanObject uID for flag_rollup and rollup flags
myUID = get_scanObjectUID(scanObject)
flag_rollup = self._rollupToMe(result, myUID )
resultDict['Input_Flags'] = flag_rollup
if verbose: log_module("MSG", self.module_name, 0, scanObject, result, msg="dispositon_email: flag rollup: %s" % flag_rollup)
try:
matches = yara_on_demand(config.yaradispositionrules, ' '.join(flag_rollup))
lstStrMatches = [str(match) for match in matches]
resultDict['Matches'] = lstStrMatches
if matches:
strMatches = ' '.join(lstStrMatches)
except SyntaxError:
log_module_error(self.module_name, scanObject, result, "Error Compiling YARA rules file at: "+config.yaradispositionrules)
resultDict['Result'] = "YARA RULE SYNTAX ERROR"
resultDict['Result'] = "Accept"
for match in resultDict['Matches']:
if match.startswith("Deny"):
resultDict['Result'] = "Deny"
scanObject.addMetadata(self.module_name, 'Disposition', resultDict)
return moduleResult
def run(self, scanObject, result, depth, args):
"""Wrapper method around _run for error handling"""
moduleLoggingBool = config.modulelogging
try:
starttime = time.time()
if moduleLoggingBool:
log_module("START", self.module_name, 0, scanObject, result)
# Get a configured timeout
timeout_seconds = int(get_option(args, 'module_timeout', 'global_module_timeout', 3600))
with timeout(timeout_seconds, exception=GlobalModuleTimeoutError):
moduleResult = self._run(scanObject, result, depth, args)
if moduleLoggingBool:
log_module("END", self.module_name, time.time() - starttime, scanObject, result)
if type(moduleResult) is not list:
msg = "%s returned an object with type %s. Only lists are allowed! Skipping this result." % (self.module_name, type(moduleResult))
logging.debug(msg)
if moduleLoggingBool:
log_module_error(self.module_name,
scanObject,
result,
msg)
return []
return moduleResult
except GlobalScanTimeoutError:
raise
except GlobalModuleTimeoutError:
# If the _module times out, add a flag and continue as a normal error
scanObject.addFlag("dispatch:err:module_timeout:%s" % self.module_name)
exc_type, exc_value, exc_traceback = sys.exc_info()
logging.exception("error on %s running _module %s. exception details below: ",
get_scanObjectUID(getRootObject(result)), self.module_name)
if moduleLoggingBool:
log_module_error(self.module_name,
scanObject,
result,
repr(traceback.format_exception(exc_type,
exc_value,
exc_traceback)))
return []
except QuitScanException:
# If the _module is terminated early, add a flag and proceed the exception up the stack
scanObject.addFlag("dispatch:err:quit_scan")
logging.warning("quitting scan while running _module %s", self.module_name)
raise
except Exception:
exc_type, exc_value, exc_traceback = sys.exc_info()
logging.exception("error on %s running _module %s. exception details below: ",
get_scanObjectUID(getRootObject(result)), self.module_name)
if moduleLoggingBool:
log_module_error(self.module_name,
scanObject,
result,
repr(traceback.format_exception(exc_type,
exc_value,
exc_traceback)))
return []
def run(self, scanObject, result, depth, args):
'''Wrapper method around _run for error handling'''
moduleLoggingBool = config.modulelogging
try:
starttime = time.time()
if moduleLoggingBool:
log_module("START", self.module_name, 0, scanObject, result)
# Get a configured timeout
timeout_seconds = int(get_option(args, 'module_timeout', 'global_module_timeout', 3600))
with timeout(timeout_seconds, exception=GlobalModuleTimeoutError):
moduleResult = self._run(scanObject, result, depth, args)
if moduleLoggingBool:
log_module("END", self.module_name, time.time() - starttime, scanObject, result)
if type(moduleResult) is not list:
msg = "%s returned an object with type %s. Only lists are allowed! Skipping this result." % (self.module_name, type(moduleResult))
logging.debug(msg)
if moduleLoggingBool:
log_module_error(self.module_name,
scanObject,
result,
msg)
return []
return moduleResult
except GlobalScanTimeoutError:
raise
except GlobalModuleTimeoutError:
# If the module times out, add a flag and continue as a normal error
scanObject.addFlag("dispatch:err:module_timeout:%s" % self.module_name)
exc_type, exc_value, exc_traceback = sys.exc_info()
logging.exception("error on %s running module %s. exception details below: ",
get_scanObjectUID(getRootObject(result)), self.module_name)
if moduleLoggingBool:
log_module_error(self.module_name,
scanObject,
result,
repr(traceback.format_exception(exc_type,
exc_value,
exc_traceback)))
return []
except QuitScanException:
# If the module is terminated early, add a flag and proceed the exception up the stack
scanObject.addFlag("dispatch:err:quit_scan")
logging.warn("quitting scan while running module %s", self.module_name)
raise
except Exception:
exc_type, exc_value, exc_traceback = sys.exc_info()
logging.exception("error on %s running module %s. exception details below: ",
get_scanObjectUID(getRootObject(result)), self.module_name)
if moduleLoggingBool:
log_module_error(self.module_name,
scanObject,
result,
repr(traceback.format_exception(exc_type,
exc_value,
exc_traceback)))
return []