示例#1
0
    def get_config(self):
        # allow to raise debug level of expressions module explicitly. Beware:
        # This affects not just individual objects but the whole module which
        # is why we do it by poking the logger and not via a setter method.
        log_level = self.get_config_value('log_level',
                                          logging.WARNING,
                                          option_type=self.config.LOG_LEVEL)
        expression_logger = logging.getLogger('peekaboo.ruleset.expressions')
        expression_logger.setLevel(log_level)

        raw_expressions = self.get_config_value('expression', [])
        if not raw_expressions:
            raise PeekabooRulesetConfigError(
                "List of expressions empty, check %s rule config." %
                self.rule_name)

        self.expressions = []
        parser = ExpressionParser()

        # context of dummy objects to test expressions against
        context = {
            'variables': {
                'sample': Sample("dummy"),
                'cuckooreport': CuckooReport(),
                'olereport': OletoolsReport(),
                'filereport': FiletoolsReport(),
                'knownreport': KnowntoolsReport(),
            }
        }

        for raw_expression in raw_expressions:
            try:
                parsed_expression = parser.parse(raw_expression)
                logger.debug("Expression from config file: %s", raw_expression)
                logger.debug("Expression parsed: %s", parsed_expression)
            except SyntaxError as error:
                raise PeekabooRulesetConfigError(error)

            if not parsed_expression.is_implication():
                raise PeekabooRulesetConfigError(
                    "Malformed expression, missing implication: %s" %
                    raw_expression)

            # run expression against dummy objects to find out if it's
            # attempting anything illegal
            try:
                parsed_expression.eval(context=context)
            except IdentifierMissingException as missing:
                # our dummy context provides everything we would provide at
                # runtime as well, so any missing identifier is an error at
                # this point
                identifier = missing.name
                raise PeekabooRulesetConfigError(
                    "Invalid expression, unknown identifier %s: %s" %
                    (identifier, raw_expression))
            except AttributeError as missing:
                raise PeekabooRulesetConfigError("Invalid expression, %s: %s" %
                                                 (missing, raw_expression))

            self.expressions.append(parsed_expression)
示例#2
0
    def get_oletools_report(self, sample):
        """ Get the samples oletools_report or generate it.

            @returns: OleReport
        """
        report = sample.oletools_report
        if report is not None:
            return report

        oletool = Oletools()
        report = OletoolsReport(oletool.get_report(sample))
        return report
示例#3
0
    def evaluate(self, sample):
        """ Report the sample as bad if it contains a macro. """
        if sample.oletools_report is None:
            try:
                ole = Oletools()
                report = ole.get_report(sample)
                sample.register_oletools_report(OletoolsReport(report))
            except OleNotAnOfficeDocumentException:
                return self.result(Result.unknown,
                                   _("File is not an office document"), True)
            except Exception:
                raise

        return self.evaluate_report(sample.oletools_report)