Malware Name Mapping

This script fetches the current mapping file from the Malware Name Mapping repository and converts it to the syntax needed by the modify expert.

For more information about this project, have a look at its webpage/repository.

The script expects a comma-separated file and uses the first column as the regular expression and the second one as the family name. Other URLs can be given as a parameter. The resulting configuration sets the field classification.identifier to the malware family name corresponding to the given malware.name.

By default, the result is printed to stdout; alternatively, a filename can be given as a parameter.

For more information about the mapping project, have a look at the Malware Name Mapping repository.

See also the built-in help of the script by calling it with -h.

Additional optional rules

Default rule

A default rule can optionally be added at the end of the rules with the -d flag. With this rule, the field classification.identifier is set to malware.name if the former is empty and the latter is not. As this is the last rule, it acts as a "last resort" to fill the identifier field.

Local rules

Additional arbitrary mappings can be added with parameters to the download tool using the -e (expression) and -i (identifier) flags:

-e "^some-expression$" -i "some-identifier"

and multiple ones:

-e "^some-expression$" -i "some-identifier" -e "^other-expression$" -i "other-identifier"
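To make the conversion described above concrete, the following added example (not the project's download_mapping.py) turns a constructed mapping CSV, optional -e/-i pairs and the -d default rule into a rule list and replays it against sample events. The rulename/if/then layout, the empty-pattern semantics and the {msg[field]} substitution are assumptions about the modify expert and should be checked against your bot version.

```python
import csv
import io
import re

# Constructed sample of the mapping CSV (regex, family); not the real upstream file.
SAMPLE_CSV = """^emotet$,emotet
^(trickbot|trickster)$,trickbot
^zeus(-| )?panda$,panda-banker
"""

def parse_mapping(text):
    """(regex, family) pairs; a regex that does not compile raises re.error."""
    pairs = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or row[0].startswith("#"):  # skip blank/comment lines
            continue
        expression, family = row[0].strip(), row[1].strip()
        re.compile(expression)  # fail loudly instead of emitting a rule that never matches
        pairs.append((expression, family))
    return pairs

def build_ruleset(mapping, extra=(), default=False):
    """Rule list as rulename/if/then dicts (assumed layout, check against your bot version).
    extra: the -e/-i pairs; default: append the -d last-resort rule."""
    rules = [{"rulename": family,
              "if": {"malware.name": expression},
              "then": {"classification.identifier": family}}
             for expression, family in list(mapping) + list(extra)]
    if default:  # last rule: copy malware.name only if the identifier is still empty
        rules.append({"rulename": "default",
                      "if": {"classification.identifier": "", "malware.name": ".+"},
                      "then": {"classification.identifier": "{msg[malware.name]}"}})
    return rules

def apply_rules(rules, event):
    """Emulate the bot on one event dict: empty 'if' pattern = field empty/missing, other
    patterns searched case-insensitively; 'then' values may use {msg[field]} (assumed)."""
    event = dict(event)
    for rule in rules:
        for field, pattern in rule["if"].items():
            value = event.get(field, "")
            matched = (value == "") if pattern == "" else bool(re.search(pattern, value, re.IGNORECASE))
            if not matched:
                break
        else:  # every condition matched: apply the rule's actions
            for field, template in rule["then"].items():
                event[field] = template.format(msg=event)
    return event
```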

Modify Bot

Use the Modify bot to apply the ruleset, with the generated file as its configuration. Also, disable case sensitivity in the bot by setting the parameter case_sensitive to false (the default).

Automation

You can use a crontab entry like this:

0  1  *      *   *   /path/to/contrib/malware_name_mapping/download_mapping.py /opt/intelmq/var/lib/bots/modify/malware-family-names.conf && intelmqctl reload malware-family-name-expert

You can check the validity of the resulting rule file with intelmqctl check.

Applying the mapping to existing data

Using the script apply_mapping_eventdb.py you can apply the mapping to an existing PostgreSQL eventdb. See the help page for options:

apply_mapping_eventdb.py -h

It queries the database for all distinct malware names with the taxonomy "malicious code" and sets another column to the malware family name. The column names can be set using parameters.