async def scan(self, guid, artifact_type, content, metadata, chain): """Scan an artifact with Yara. Args: guid (str): GUID of the bounty under analysis, use to track artifacts in the same bounty artifact_type (ArtifactType): Artifact type for the bounty being scanned content (bytes): Content of the artifact to be scan metadata (dict) Dict of metadata for the artifact chain (str): Chain we are operating on Returns: ScanResult: Result of this scan """ matches = self.rules.match(data=content) sysname, _, _, _, machine = os.uname() metadata = Verdict().set_scanner(operating_system=sysname, architecture=machine, vendor_version=yara.__version__) if matches: # author responsible for distilling multiple metadata values into a value for ScanResult metadata.set_malware_family(matches[0].rule) return ScanResult(bit=True, verdict=True, metadata=metadata.json()) metadata.set_malware_family('') return ScanResult(bit=True, verdict=False, metadata=metadata.json())
def test_empty_verdict(): # arrange verdict = Verdict() # act # assert with pytest.raises(ValueError): verdict.json()
async def scan(self, guid, artifact_type, content, metadata, chain): """Scan an artifact with ClamAV Args: guid (str): GUID of the bounty under analysis, use to track artifacts in the same bounty artifact_type (ArtifactType): Artifact type for the bounty being scanned content (bytes): Content of the artifact to be scan metadata (dict) Dict of metadata for the artifact chain (str): Chain we are operating on Returns: ScanResult: Result of this scan """ result = await self.clamd.instream(BytesIO(content)) stream_result = result.get('stream', []) vendor = await self.clamd.version() metadata = Verdict().set_scanner(operating_system=platform.system(), architecture=platform.machine(), vendor_version=vendor.strip('\n')) if len(stream_result) >= 2 and stream_result[0] == 'FOUND': metadata.set_malware_family(stream_result[1].strip('\n')) return ScanResult(bit=True, verdict=True, confidence=1.0, metadata=metadata.json()) metadata.set_malware_family('') return ScanResult(bit=True, verdict=False, metadata=metadata.json())
def test_validate_ip_invalid(): # arrange verdict = Verdict() # assert with pytest.raises(ValueError): # act verdict.add_ip_address('asdf') verdict.json()
def test_validate_extra_object(): # arrange verdict = Verdict().set_malware_family("Eicar") # act verdict.add_extra("new_key", {"other_key": "string_value"}) # assert assert Verdict.validate(json.loads(verdict.json()))
def test_validate_ip(): # arrange verdict = Verdict().set_malware_family("Eicar") # act verdict.add_ip_address('192.168.0.1') # assert assert Verdict.validate(json.loads(verdict.json()))
def test_validate_domains(): # arrange verdict = Verdict().set_malware_family("Eicar") # act verdict.add_domain('polyswarm.io') # assert assert Verdict.validate(json.loads(verdict.json()))
def test_validate_two_domains_at_once(): # arrange verdict = Verdict().set_malware_family("Eicar") # act verdict.add_domains(['polyswarm.io', 'polyswarm.network']) # assert assert Verdict.validate(json.loads(verdict.json()))
def test_validate_two_ip_at_once(): # arrange verdict = Verdict().set_malware_family("Eicar") # act verdict.add_ip_addresses(['192.168.0.1', '8.8.8.8']) # assert assert Verdict.validate(json.loads(verdict.json()))
def test_validate_with_family(): # arrange verdict = Verdict() verdict.set_malware_family("Eicar") # assert blob = verdict.json() # act assert Verdict.validate(json.loads(blob))
def test_validate_two_extra_at_once(): # arrange verdict = Verdict().set_malware_family("Eicar") # act verdict.add_extras([("new_key", "string_value"), ("new_key1", { "other_key": "string_value" })]) # assert assert Verdict.validate(json.loads(verdict.json()))
def test_scanner_null_environemnt(): # arrange verdict = Verdict().set_malware_family("Eicar") # act verdict.set_scanner(version="1.0.0", polyswarmclient_version="2.0.2", signatures_version="2019", vendor_version="1.0.0") # assert Verdict.validate(json.loads(verdict.json()))
def test_scanner_no_vendor_version(): # arrange verdict = Verdict().set_malware_family("Eicar") # act verdict.set_scanner(operating_system="windows", architecture="x86", version="1.0.0", polyswarmclient_version="2.0.2", signatures_version="2019") # assert Verdict.validate(json.loads(verdict.json()))
def test_validate_stix_object(): # arrange verdict = Verdict().set_malware_family("Eicar") # act verdict.add_stix_signature( 'oasis-open/cti-stix2-json-schemas/master/schemas/common/kill-chain-phase.json', { "kill_chain_name": 'asdf', "phase_name": "full" }) # assert assert Verdict.validate(json.loads(verdict.json()))
def scan_sync(self, guid, artifact_type, content, metadata, chain): """Scan an artifact Args: guid (str): GUID of the bounty under analysis, use to track artifacts in the same bounty artifact_type (ArtifactType): Artifact type for the bounty being scanned content (bytes): Content of the artifact to be scan metadata (dict) Dict of metadata for the artifact chain (str): Chain we are operating on Returns: ScanResult: Result of this scan """ metadata = Verdict().set_scanner(operating_system=self.system, architecture=self.machine) if isinstance(content, str): content = content.encode() if EICAR in content: metadata.set_malware_family('Eicar Test File') return ScanResult(bit=True, verdict=True, metadata=metadata.json()) metadata.set_malware_family('') return ScanResult(bit=True, verdict=False, metadata=metadata.json())
def test_scanner_invalid_psc_version(): # arrange verdict = Verdict().set_malware_family("Eicar") # assert with pytest.raises(ValueError): # act verdict.set_scanner(operating_system="windows", architecture="x86", version="1.0.0", polyswarmclient_version="asdf", signatures_version="2019", vendor_version="1.0.0") Verdict.validate(json.loads(verdict.json()))
def test_validate_all_output(): # arrange verdict = Verdict().set_malware_family("Eicar")\ .add_domain('polyswarm.io')\ .add_ip_address('192.168.0.1')\ .add_stix_signature( 'oasis-open/cti-stix2-json-schemas/master/schemas/common/hex.json', "a0" ) \ .set_scanner(operating_system="windows", architecture="x86", version="1.0.0", polyswarmclient_version="2.0.2", signatures_version="2019", vendor_version="1.0.0")\ .add_extra("new_key", {"other_key": "string_value"})\ .add_extra("new_key1", ["string_value"])\ .add_extra("new_key2", "string_value") result = { "malware_family": "Eicar", "domains": ["polyswarm.io"], "ip_addresses": ["192.168.0.1"], "stix": [{ "schema": "oasis-open/cti-stix2-json-schemas/master/schemas/common/hex.json", "signature": "a0" }], "scanner": { "version": "1.0.0", "polyswarmclient_version": "2.0.2", "signatures_version": "2019", "vendor_version": "1.0.0", "environment": { "operating_system": "windows", "architecture": "x86" } }, "new_key": { "other_key": "string_value", }, "new_key1": ["string_value"], "new_key2": "string_value" } # act blob = json.loads(verdict.json()) # assert assert Verdict.validate(blob) assert blob == result
def scan_metadata(request): if request.param is None: return None as_json, family = request.param v = Verdict().set_malware_family(family) return v.json() if as_json else v
def test_validate_no_familty(): # arrange verdict = Verdict() # assert with pytest.raises(ValueError): verdict.json()