ENH: modify handle sality-p2p

fixes #742 Signed-off-by: Sebastian Wagner <sebix@sebix.at>
certtools · Oct 17, 2016 · 7d1408b · 7d1408b
1 parent 064f71f
commit 7d1408b
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 2 deletions.
diff --git a/intelmq/bots/experts/modify/examples/default.conf b/intelmq/bots/experts/modify/examples/default.conf
@@ -36,7 +36,7 @@
             "classification.identifier": "citadel"
         }],
     "sality": [{
-            "malware.name": "^[Ss]ality(_p2p)?$"
+            "malware.name": "^[Ss]ality([_-]p2p)?$"
         }, {
             "classification.identifier": "sality"
         }]

diff --git a/intelmq/bots/experts/modify/examples/morefeeds.conf b/intelmq/bots/experts/modify/examples/morefeeds.conf
@@ -41,7 +41,7 @@
             "classification.identifier": "Citadel"
         }],
     "sality": [{
-            "malware.name": "^[Ss]ality(_p2p)?(v)?[0-9]?$"
+            "malware.name": "^[Ss]ality([_-]p2p)?(v)?[0-9]?$"
         }, {
             "classification.identifier": "Sality"
         }],

diff --git a/intelmq/tests/bots/experts/modify/test_expert.py b/intelmq/tests/bots/experts/modify/test_expert.py
@@ -22,13 +22,15 @@
          {'feed.name': 'Abuse.ch',
           'feed.url': 'https://feodotracker.abuse.ch/blocklist/?download=domainblocklist'},
          {'malware.name': 'zeus_gameover_us'},
+         {'malware.name': 'sality-p2p'},
          {'malware.name': 'foobar', 'feed.name': 'Other Feed'},
          {'source.port': 80, 'malware.name': 'zeus'},
          ]
 OUTPUT = [{'classification.identifier': 'conficker'},
           {'classification.identifier': 'gozi'},
           {'classification.identifier': 'feodo'},
           {'classification.identifier': 'zeus'},
+          {'classification.identifier': 'sality'},
           {},
           {'protocol.application': 'http', 'classification.identifier': 'zeus'},
           ]