package CIF::Archive::Analytic::Plugin::ResolveMalware;
use 5.008008;
use strict;
use warnings;
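# Analytic plugin hook.  For a record that carries a malware hash but is not
# itself a 'malware' record, resolve the MD5 as a DNS TXT name and, on a hit,
# insert a derived 'malware' record whose description carries the reported
# detection rate, linked back to the source record through relatedid.
#
# Arguments: $class, $data (hashref of the record under analysis), $config
# (not used here), $archive (object providing insert()).  Returns nothing;
# the only effect is the $archive->insert() call.  Errors are warned, not
# thrown, matching the surrounding plugin style.
sub process {
    my $class   = shift;
    my $data    = shift;
    my $config  = shift;
    my $archive = shift;

    return unless ($data->{'impact'});
    return if ($data->{'impact'} eq 'malware');
    return unless ($data->{'malware_md5'});

    my $md5 = $data->{'malware_md5'};

    # $data originates from an external feed, so the hash is untrusted.  It
    # becomes the DNS query name below verbatim; anything other than exactly
    # 32 hex digits could steer the lookup at an arbitrary name (or leak feed
    # content to a zone someone else controls), so reject it before querying.
    unless ($md5 =~ /\A[0-9a-fA-F]{32}\z/) {
        warn 'ResolveMalware: skipping malformed malware_md5 in record '
            .(defined($data->{'uuid'}) ? $data->{'uuid'} : '(no uuid)');
        return;
    }

    # add TC malware hash lookup here....
    # NOTE(review): the query is the bare hash with no zone suffix, so the
    # resolver's search list decides where it actually goes.  The
    # "<timestamp> <rate>" TXT layout parsed below looks like a hash-registry
    # answer; confirm the intended zone and append it explicitly.
    require Net::DNS::Resolver;
    my $res = Net::DNS::Resolver->new();
    my $q   = $md5.'';
    my $pkt = $res->send($q, 'TXT');

    # send() returns undef on transport failure (timeout, no reachable
    # server); dereferencing it unconditionally would die inside the
    # analytic loop.
    unless ($pkt) {
        warn 'ResolveMalware: DNS lookup failed for '.$q.': '.$res->errorstring
            if ($::debug);
        return;
    }

    # Only TXT RRs carry the payload we parse; skip anything else in the
    # answer section (e.g. a leading CNAME).
    my @results = grep { $_->type eq 'TXT' } $pkt->answer();
    return unless (@results);

    my $rdata = $results[0]->txtdata();

    # Expected payload is "<timestamp> <detection-rate>".  The answer arrives
    # over plain DNS with no integrity guarantee and is written into a stored
    # description, so accept only a numeric percentage and drop anything else.
    my ($dt, $rate) = split(/\s+/, $rdata);
    unless (defined($rate) && $rate =~ /\A\d{1,3}\z/ && $rate <= 100) {
        warn 'ResolveMalware: unexpected TXT data for '.$q.': '.$rdata
            if ($::debug);
        return;
    }

    # A missing description is treated as empty rather than warning on
    # concatenation of undef.
    my $description = defined($data->{'description'}) ? $data->{'description'} : '';
    $description = $description.' -- detection rate: '.$rate.'%';
    $description = $data->{'impact'}.' '.$description;

    # Derived record: same provenance/handling fields as the source record,
    # impact forced to 'malware'.  (The original listed 'source' twice; the
    # duplicate key is dropped here, the value is unchanged.)
    my ($err, $id) = $archive->insert({
        source                    => $data->{'source'},
        relatedid                 => $data->{'uuid'},
        guid                      => $data->{'guid'},
        impact                    => 'malware',
        description               => $description,
        md5                       => $data->{'malware_md5'},
        sha1                      => $data->{'malware_sha1'},
        severity                  => $data->{'severity'},
        confidence                => $data->{'confidence'},
        restriction               => $data->{'restriction'},
        alternativeid             => $data->{'alternativeid'},
        alternativeid_restriction => $data->{'alternativeid_restriction'},
    });
    warn $err if ($err);
    warn $id->{'uuid'} if ($::debug && $id);
    return;
}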
# Below is stub documentation for your module. You'd better edit it!
=head1 NAME
CIF::Archive::Analytic::Plugin::ResolveMalware - analytic plugin that enriches records carrying a malware hash with a DNS-resolved detection rate
use CIF::Archive::Analytic::Plugin::ResolveMalware;
CIF::Archive::Analytic::Plugin::ResolveMalware->process($data, $config, $archive);
process() is called with a record hashref, a config and an archive handle.
Records whose impact is already 'malware', or which carry no malware_md5, are
ignored. Otherwise the MD5 is sent as a DNS TXT query; the second
whitespace-separated field of the first answer is taken as a detection
percentage, and a derived record with impact 'malware' and that rate appended
to the description is inserted through the archive, linked to the original
record by relatedid. Note that the hash comes from feed data and the answer
comes over plain DNS, so neither should be treated as trusted input.
=head2 EXPORT
None by default.
=head1 SEE ALSO
Mention other useful documentation such as the documentation of
related modules or operating system documentation (such as man pages
in UNIX), or any relevant external documentation such as RFCs or
If you have a mailing list set up for your module, mention it here.
If you have a web site set up for your module, mention it here.
=head1 AUTHOR
Wes Young, E<lt>wes@E<gt>
Copyright (C) 2011 by Wes Young
This library is free software; you can redistribute it and/or modify
it under the same terms as Perl itself, either Perl version 5.10.0 or,
at your option, any later version of Perl 5 you may have available.