-
Notifications
You must be signed in to change notification settings - Fork 36
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Fix Codacity warning. Best practice: https://docs.python.org/3.8/tutorial/modules.html#importing-from-a-package * Fixes #70 * Revert last change * Fixes #71 * Remove deprecated methods in preparation for major release. * Fixes #72 * Fixes #74 * Fixes #75 * Fixes #76 * Fixes #77 * Fixes #78 * Test the actual command line not the script * Remove unused import * Add full coverage for generate_logic_hash * Deprecate rule rebuilding. This function needs to be reworked. This function does not work on many rulesets and rules. * Fix docstyle problem * Actually fix docstring problem. * Separate parser to function in preparation for unit testing * Improved path * Refactor CLI unit test. Fixes #82 * Add unit test for no error * Fix docstring problem * Change to multiline assert * Use hashlib to test CLI output * Change hash to correct * Add both possible hashes This is a workaround for what appears to be a bug in unittest. * Fixes #83 * Make example executable * This works from command line.
- Loading branch information
Showing
8 changed files
with
566 additions
and
335 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,109 +1,67 @@ | ||
"""Example script that demonstrates using plyara.""" | ||
import argparse | ||
import operator | ||
import os | ||
import sys | ||
import codecs | ||
|
||
sys.path.insert(0, os.getcwd()) | ||
import plyara | ||
|
||
|
||
if __name__ == '__main__': | ||
def example(): | ||
"""Execute the example code.""" | ||
parser = argparse.ArgumentParser() | ||
parser.add_argument('file', metavar='FILE', help='File containing YARA rules to parse.') | ||
args = parser.parse_args() | ||
|
||
print('Parsing file...') | ||
with open(args.file, 'r') as fh: | ||
data = fh.read() | ||
|
||
parser = plyara.Plyara() | ||
rules_dict = parser.parse_string(data) | ||
print('Analyzing dictionary...') | ||
|
||
imps = {} | ||
tags = {} | ||
rule_count = 0 | ||
|
||
for rule in rules_dict: | ||
rule_count += 1 | ||
|
||
# Imports | ||
if 'imports' in rule: | ||
for imp in rule['imports']: | ||
imp = imp.replace('"', '') | ||
if imp in imps: | ||
imps[imp] += 1 | ||
else: | ||
imps[imp] = 1 | ||
|
||
# Tags | ||
if 'tags' in rule: | ||
for tag in rule['tags']: | ||
if tag in tags: | ||
tags[tag] += 1 | ||
else: | ||
tags[tag] = 1 | ||
|
||
file_to_analyze = sys.argv[1] | ||
|
||
print("...parsing file...") | ||
rulesDict = plyara.Plyara().parse_string(codecs.open(file_to_analyze, encoding='utf-8').read()) | ||
print("...analyzing dictionary...") | ||
|
||
authors = {} | ||
imps = {} | ||
meta_keys = {} | ||
max_strings = [] | ||
max_string_len = 0 | ||
tags = {} | ||
rule_count = 0 | ||
|
||
for rule in rulesDict: | ||
rule_count += 1 | ||
|
||
#Imports | ||
if 'imports' in rule: | ||
for imp in rule['imports']: | ||
imp = imp.replace('"','') | ||
if imp in imps: | ||
imps[imp] += 1 | ||
else: | ||
imps[imp] = 1 | ||
|
||
#Tags | ||
if 'tags' in rule: | ||
for tag in rule['tags']: | ||
if tag in tags: | ||
tags[tag] += 1 | ||
else: | ||
tags[tag] = 1 | ||
|
||
#Metadata | ||
if 'metadata' in rule: | ||
for key in rule['metadata']: | ||
if key in meta_keys: | ||
meta_keys[key] += 1 | ||
else: | ||
meta_keys[key] = 1 | ||
if key in ['Author', 'author']: | ||
if rule['metadata'][key] in authors: | ||
authors[rule['metadata'][key]] += 1 | ||
else: | ||
authors[rule['metadata'][key]] = 1 | ||
|
||
#Strings | ||
if 'strings' in rule: | ||
for strr in rule['strings']: | ||
if len(strr['value']) > max_string_len: | ||
max_string_len = len(strr['value']) | ||
max_strings = [(rule['rule_name'], strr['name'], strr['value'])] | ||
elif len(strr['value']) == max_string_len: | ||
max_strings.append((rule['rule_name'], strr['key'], strr['value'])) | ||
|
||
|
||
|
||
print("\nNumber of rules in file: " + str(rule_count)) | ||
|
||
ordered_meta_keys = sorted(meta_keys.items(), | ||
key=operator.itemgetter(1), reverse=True) | ||
|
||
ordered_authors = sorted(authors.items(), | ||
key=operator.itemgetter(1), reverse=True) | ||
|
||
ordered_imps = sorted(imps.items(), | ||
key=operator.itemgetter(1), reverse=True) | ||
|
||
ordered_tags = sorted(tags.items(), | ||
key=operator.itemgetter(1), reverse=True) | ||
|
||
print("\nTop 5 metadata keys:") | ||
for i in range(5): | ||
if i < len(ordered_meta_keys): | ||
print(ordered_meta_keys[i]) | ||
|
||
print("\nTop 5 authors based on parsed metadata:") | ||
for i in range(5): | ||
if i < len(ordered_authors): | ||
print(ordered_authors[i]) | ||
|
||
print('\nLongest string(s): ') | ||
for s in max_strings: | ||
print('string named "' + s[1] +'" in rule "'+ s[0] | ||
+ '" with length ' + str(max_string_len) + '.') | ||
|
||
print("\nTop imports: ") | ||
for i in range(5): | ||
if i < len(ordered_imps): | ||
print(ordered_imps[i]) | ||
|
||
print("\nTop tags") | ||
for i in range(5): | ||
if i < len(ordered_tags): | ||
print(ordered_tags[i]) | ||
|
||
print("\n") | ||
print('\n======================\n') | ||
print('Number of rules in file: {}'.format(rule_count)) | ||
|
||
ordered_imps = sorted(imps.items(), key=operator.itemgetter(1), reverse=True) | ||
|
||
ordered_tags = sorted(tags.items(), key=operator.itemgetter(1), reverse=True) | ||
|
||
print('\n======================\n') | ||
print('Top imports:') | ||
for i in range(5): | ||
if i < len(ordered_imps): | ||
print(ordered_imps[i]) | ||
|
||
print('\n======================\n') | ||
print('Top tags:') | ||
for i in range(5): | ||
if i < len(ordered_tags): | ||
print(ordered_tags[i]) | ||
|
||
|
||
if __name__ == '__main__': | ||
example() |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.