Merge pull request #16 from InQuest/issue/15-yara-cidr-to-regex

Add YARA CIDR to Regex functionality
InQuest · Jul 24, 2023 · 8c3d4f6 · 8c3d4f6
2 parents 4245c08 + 42de1e6
commit 8c3d4f6
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -53,6 +53,7 @@ Usage:
     inquestlabs [options] yara hexcase <instring>
     inquestlabs [options] yara uint <instring> [--offset=<offset>] [--hex]
     inquestlabs [options] yara widere <regex> [(--big-endian|--little-endian)]
+    inquestlabs [options] yara cidr <ipv4>
     inquestlabs [options] lookup ip <ioc>
     inquestlabs [options] lookup domain <ioc>
     inquestlabs [options] report <ioc>

diff --git a/inquestlabs.py b/inquestlabs.py
@@ -23,6 +23,7 @@
     inquestlabs [options] yara hexcase <instring>
     inquestlabs [options] yara uint <instring> [--offset=<offset>] [--hex]
     inquestlabs [options] yara widere <regex> [(--big-endian|--little-endian)]
+    inquestlabs [options] yara cidr <ipv4>
     inquestlabs [options] lookup ip <ioc>
     inquestlabs [options] lookup domain <ioc>
     inquestlabs [options] report <ioc>
@@ -83,7 +84,7 @@
 
 # extract version from installed package metadata
 __application_name__ = "inquestlabs"
-__version__ = "1.2.3"
+__version__ = "1.2.4"
 # __version__ = version(__application_name__)
 __full_version__ = f"{__application_name__} {__version__}"
 
@@ -144,7 +145,7 @@ def __init__ (self, api_key=None, config=None, proxies=None, base_url=None, retr
         self.api_key     = api_key
         self.base_url    = base_url
         self.config_file = config
-        self.retries = retries
+        self.retries     = retries
         self.proxies     = proxies
         self.verify_ssl  = verify_ssl
         self.verbosity   = verbose
@@ -214,7 +215,7 @@ def __init__ (self, api_key=None, config=None, proxies=None, base_url=None, retr
             self.__VERBOSE("api_key_source=%s" % self.api_key_source, INFO)
 
     ####################################################################################################################
-    def API (self, api, data=None, path=None, method="GET", raw=False):
+    def API (self, api, data=None, path=None, method="GET", raw=False, params=None):
         """
         Internal API wrapper.
 
@@ -228,6 +229,8 @@ def API (self, api, data=None, path=None, method="GET", raw=False):
         :param method: API method, one of "GET" or "POST".
         :type  raw:    bool
         :param raw:    Default behavior is to expect JSON encoded content, raise this flag to expect raw data.
+        :type  method: str
+        :param method: Set a parameter for the request.
 
         :rtype:  dict | str
         :return: Response dictionary or string if 'raw' flag is raised.
@@ -258,6 +261,7 @@ def API (self, api, data=None, path=None, method="GET", raw=False):
             "headers" : headers,
             "proxies" : self.proxies,
             "verify"  : self.verify_ssl,
+            "params"  : params
         }
 
         # make attempts to dance with the API endpoint, use a jittered exponential back-off delay.
@@ -1243,6 +1247,23 @@ def yara_uint (self, magic, offset=0, is_hex=False):
 
         return self.API("/yara/trigger", dict(trigger=magic, offset=offset, is_hex=is_hex))
 
+    ####################################################################################################################
+    def cidr_to_regex (self, data):
+        """
+        Produce a regular expression from a IPv4 CIDR notation in a form suitable for usage as a YARA string.
+
+        :type  regex:  str
+        :param regex:  Regular expression to convert.
+
+        :rtype:  str
+        :return: Regex string suitable for YARA.
+        """
+
+        # dance with the API and return results.
+        return self.API("/yara/cidr2regex", params={
+            "cidr": data
+        })
+
 ########################################################################################################################
 ########################################################################################################################
 ########################################################################################################################
@@ -1414,6 +1435,10 @@ def main ():
         elif args['widere']:
             print(labs.yara_widere(args['<regex>'], endian))
 
+        # inquestlabs [options] yara cidr <ipv4>
+        elif args['cidr']:
+            print(labs.cidr_to_regex(args['<ipv4>']))
+
         # huh?
         else:
             raise inquestlabs_exception("yara argument parsing fail.")

diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "inquestlabs"
-version = "1.2.3"
+version = "1.2.4"
 license = {file = "LICENSE"}
 authors = [
 	{ name="InQuest", email="labs@inquest.net" },