Add a simpler analyzer, which is also now successfully emitting Execu…
…tionHits! (#2093) * Add a simpler analyzer * fix the graph query proxy in hax_docker_analyzer * timestamp in logger * Okay i have exceptions printing out yay * oh snap i have execution hits! * cleanup * formatting * one simplification * clean up further * fix lint
1 parent
8ebbe8a
commit e87fbd0
Showing
14 changed files
with
169 additions
and
17 deletions.
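--- a/src/python/grapl-plugin-sdk/example_analyzers/process_named_svchost.py
+++ b/src/python/grapl-plugin-sdk/example_analyzers/process_named_svchost.py
@@ -0,0 +1,81 @@
+"""
+This is meant as an extremely simple Analyzer to get the pipeline to fire
+during integration tests.
+"""
+from datetime import datetime
+
+from grapl_plugin_sdk.analyzer.analyzer import (
+    Analyzer,
+    AnalyzerContext,
+    AnalyzerServiceConfig,
+    serve_analyzer,
+)
+from grapl_plugin_sdk.analyzer.query_and_views import NodeQuery, NodeView
+from python_proto.api.graph_query.v1beta1.messages import (
+    NodePropertyQuery,
+    StringFilter,
+    StringOperation,
+)
+from python_proto.api.plugin_sdk.analyzers.v1beta1.messages import (
+    AnalyzerName,
+    ExecutionHit,
+)
+from python_proto.common import Timestamp
+from python_proto.grapl.common.v1beta1.messages import NodeType, PropertyName
+
+
+class ProcessNamedSvchost(Analyzer):
+    @staticmethod
+    def query() -> NodeQuery:
+        # Describes a Process where `process_name` = `svchost.exe`
+        node_query = NodeQuery(
+            NodePropertyQuery(node_type=NodeType(value="Process"))
+        ).with_string_filters(
+            property_name=PropertyName(value="process_name"),
+            filters=[
+                StringFilter(
+                    operation=StringOperation.EQUAL,
+                    value="svchost.exe",
+                    negated=False,
+                )
+            ],
+        )
+
+        return node_query
+
+    async def analyze(
+        self, matched: NodeView, ctx: AnalyzerContext
+    ) -> ExecutionHit | None:
+        print(f"analyze() was called: {matched}")
+        return ExecutionHit(
+            graph_view=matched.graph,
+            lens_refs=[],
+            idempotency_key=12345, # ???
+            time_of_match=Timestamp.from_datetime(datetime.utcnow()),
+            score=100,
+            # implies the return type here should not be the pure python-proto type
+            # https://github.com/grapl-security/issue-tracker/issues/1032
+            analyzer_name=AnalyzerName(
+                "TODO: This should be set by AnalyzerServiceImpl"
+            ),
+        )
+
+    async def add_context(self, matched: NodeView, ctx: AnalyzerContext) -> None:
+        pass
+
+
+def main() -> None:
+    """
+    main() is invoked by the pex_binary() entrypoint=
+    """
+    analyzer = ProcessNamedSvchost()
+    # Perhaps `serve_analyzer` should just take `(analyzer=analyzer)`?
+    # We shouldn't pass on the `AnalyzerServiceConfig` to the consumer, right?
+    # https://github.com/grapl-security/issue-tracker/issues/1032
+    serve_analyzer(
+        analyzer_name=AnalyzerName(
+            value="suspicious_svchost"
+        ), # Why is this configured here?
+        analyzer=analyzer,
+        service_config=AnalyzerServiceConfig.from_env(),
+    )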
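Review bot: `idempotency_key=12345, # ???` in `analyze()` gives every hit this analyzer emits the same key, so if the hit sink deduplicates on that field (inferred from the name, not visible here) every svchost.exe match after the first would be collapsed into one; derive the key from the matched node's identity together with the time of match, and replace `# ???` with a comment stating what the key is meant to be unique over. Two smaller points in the same method: `datetime.utcnow()` returns a naive datetime and is deprecated as of Python 3.12, so `time_of_match=Timestamp.from_datetime(datetime.now(tz=timezone.utc))` with `from datetime import datetime, timezone` is the safer form, provided `Timestamp.from_datetime` accepts aware datetimes. `print(f"analyze() was called: {matched}")` also writes the entire matched node view to stdout, which for a Process node may carry command lines and other sensitive properties; a `logger.debug` on a module logger that records only the node identity is preferable for anything beyond the integration test this file is written for.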