Update logic collision detection and add tests

Original author: @Taskr Original commit: PUNCH-Cyber/YaraGuardian@80b5316
plyara · Jun 5, 2018 · b563798 · b563798
1 parent 9d7f390
commit b563798
Show file tree

Hide file tree

Showing 3 changed files with 107 additions and 3 deletions.
diff --git a/plyara.py b/plyara.py
@@ -373,12 +373,12 @@ def generate_logic_hash(rule):
         for condition in conditions:
             # All string references (sort for consistency)
             if condition == 'them' or condition == '$*':
-                condition_mapping.append(u'<STRINGVALUES>' + u' | '.join(sorted_string_values))
+                condition_mapping.append(u'<STRINGVALUE>' + u' | '.join(sorted_string_values))
 
             elif condition.startswith('$') and condition != '$':
                 # Exact Match
                 if condition in string_mapping['named']:
-                    condition_mapping.append(u'<STRING>' + string_mapping['named'][condition])
+                    condition_mapping.append(u'<STRINGVALUE>' + string_mapping['named'][condition])
                 # Wildcard Match
                 elif '*' in condition:
                     wildcard_strings = []
@@ -390,7 +390,7 @@ def generate_logic_hash(rule):
                             wildcard_strings.append(value)
 
                     wildcard_strings.sort()
-                    condition_mapping.append(u'<STRINGVALUES>' + u' | '.join(wildcard_strings))
+                    condition_mapping.append(u'<STRINGVALUE>' + u' | '.join(wildcard_strings))
                 else:
                     logger.error(u'[!] Unhandled String Condition {}'.format(condition))
 

diff --git a/tests/data/logic_collision_ruleset.yar b/tests/data/logic_collision_ruleset.yar
@@ -0,0 +1,78 @@
+// This ruleset is used for unit tests - Modification will require test updates
+
+rule Set001_Rule001
+{
+    strings:
+        $a = "foobar"
+
+    condition:
+        $a
+}
+
+rule Set001_Rule002
+{
+    strings:
+        $b = "foobar"
+
+    condition:
+        $b
+}
+
+rule Set001_Rule003
+{
+    strings:
+        $aaa = "foobar"
+
+    condition:
+        $*
+}
+
+rule Set001_Rule004
+{
+    strings:
+        $ = "foobar"
+
+    condition:
+        $*
+}
+
+
+rule Set002_Rule001
+{
+    strings:
+        $b = "foo"
+        $a = "bar"
+
+    condition:
+        all of them
+}
+
+rule Set002_Rule002
+{
+    strings:
+        $b = "bar"
+        $a = "foo"
+
+    condition:
+        all of $*
+}
+
+rule Set002_Rule003
+{
+    strings:
+        $ = "bar"
+        $ = "foo"
+
+    condition:
+        all of $*
+}
+
+rule Set002_Rule004
+{
+    strings:
+        $ = "bar"
+        $ = "foo"
+
+    condition:
+        all of them
+}
diff --git a/tests/unit_tests.py b/tests/unit_tests.py
@@ -9,6 +9,32 @@
 
 UNHANDLED_RULE_MSG = "Unhandled Test Rule: {}"
 
+class TestStaticMethods(unittest.TestCase):
+
+    def test_logic_hash_generator(self):
+        with open('tests/data/logic_collision_ruleset.yar', 'r') as f:
+            inputString = f.read()
+
+        result = Plyara().parse_string(inputString)
+
+        rule_mapping = {}
+
+        for entry in result:
+            rulename = entry['rule_name']
+            setname, _ = rulename.split('_')
+            rulehash = Plyara.generate_logic_hash(entry)
+
+            if setname not in rule_mapping:
+                rule_mapping[setname] = [rulehash]
+            else:
+                rule_mapping[setname].append(rulehash)
+
+        for setname, hashvalues in rule_mapping.items():
+
+            if not len(set(hashvalues)) == 1:
+                raise AssertionError("Collision detection failure for {}".format(setname))
+
+
 class TestRuleParser(unittest.TestCase):
 
     def setUp(self):