This repository has been archived by the owner on Sep 25, 2018. It is now read-only.
Nick Lang committed Jul 20, 2018. Parent: a5afab9. Commit: 3761979.
Showing 12 changed files with 187 additions and 16 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -3,3 +3,4 @@ tmp/ | |
*.pyc | ||
venv/ | ||
__pycache__/ | ||
.idea |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
[submodule "data/yara-rules"] | ||
path = data/yara-rules | ||
url = https://github.com/Yara-Rules/rules.git |
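Review bot: the submodule contents only reach the image if the submodule was initialized in the working tree before `docker build`, because the Dockerfile in this commit ships the project with `COPY . .` and both engines compile `data/yara-rules/malware/MALW_Eicar` at startup; a plain `git clone` without `--recursive` leaves `data/yara-rules` empty and `yara.compile` fails on the first run. Document `git submodule update --init` (or `git clone --recursive`) next to the build instructions, and treat the pin to b496aa as a reviewed dependency: the rules come from a third-party repository and are executed against every artifact, so moving the pin should be a deliberate, reviewed change rather than a side effect of `git submodule update --remote`.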
Submodule yara-rules added at b496aa
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,12 +1,56 @@ | ||
FROM python:3.5 | ||
LABEL maintainer="PolySwarm Developers <info@polyswarm.io>" | ||
FROM alpine:3.7 | ||
LABEL maintainer "PolySwarm Developers <info@polyswarm.io>, original YARA-alpine Dockerfile taken from https://github.com/blacktop" | ||
ENV YARA_VERSION 3.7.1 | ||
ENV YARA_PY_VERSION 3.7.0 | ||
|
||
WORKDIR /usr/src/app | ||
## INSTALL YARA DEPS, BUILD YARA | ||
RUN apk add --no-cache openssl file jansson bison python python3 tini su-exec && python3 -m ensurepip &&\ | ||
pip3 install --upgrade pip setuptools && \ | ||
if [ ! -e /usr/bin/pip ]; then ln -s pip3 /usr/bin/pip ; fi && \ | ||
if [[ ! -e /usr/bin/python ]]; then ln -sf /usr/bin/python3 /usr/bin/python; fi | ||
RUN apk add --no-cache -t .build-deps py-setuptools \ | ||
openssl-dev \ | ||
jansson-dev \ | ||
python-dev \ | ||
python3-dev \ | ||
build-base \ | ||
libc-dev \ | ||
file-dev \ | ||
automake \ | ||
autoconf \ | ||
libtool \ | ||
flex \ | ||
git \ | ||
git \ | ||
&& set -x \ | ||
&& echo "Install Yara from source..." \ | ||
&& cd /tmp/ \ | ||
&& git clone --recursive --branch v$YARA_VERSION https://github.com/VirusTotal/yara.git \ | ||
&& cd /tmp/yara \ | ||
&& ./bootstrap.sh \ | ||
&& sync \ | ||
&& ./configure --with-crypto \ | ||
--enable-magic \ | ||
--enable-cuckoo \ | ||
--enable-dotnet \ | ||
&& make \ | ||
&& make install \ | ||
&& echo "Install yara-python..." \ | ||
&& cd /tmp/ \ | ||
&& git clone --recursive --branch v$YARA_PY_VERSION https://github.com/VirusTotal/yara-python \ | ||
&& cd yara-python \ | ||
&& python3 setup.py build --dynamic-linking \ | ||
&& python3 setup.py install \ | ||
&& echo "Make test_rule..." \ | ||
&& mkdir /rules \ | ||
&& echo "rule dummy { condition: true }" > /rules/test_rule \ | ||
&& rm -rf /tmp/* | ||
|
||
## COPY IN MICROENGINE FILES | ||
WORKDIR /usr/src/app | ||
COPY requirements.txt ./ | ||
RUN set -x && pip install --no-cache-dir -r requirements.txt | ||
|
||
COPY . . | ||
RUN set -x && pip install . | ||
RUN set -x && pip install --no-cache-dir -r requirements.txt | ||
|
||
## DONE | ||
CMD ["microengine"] |
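Review bot: the `.build-deps` virtual package created by `apk add --no-cache -t .build-deps py-setuptools ...` is never removed, so `build-base`, `git`, `automake`, `autoconf` and the `-dev` headers stay in the runtime image; finish the same `RUN` step with `&& apk del .build-deps` after `rm -rf /tmp/*`, leaving only the runtime packages from the first `apk add` line. In that step, `git clone --recursive --branch v$YARA_VERSION https://github.com/VirusTotal/yara.git` and the matching yara-python clone build from mutable tags with no commit or checksum check, so a moved tag silently changes what gets compiled into the engine; pin each clone to a commit (`git checkout <sha>` right after the clone) or build from a release tarball whose hash is verified. Smaller points in the same hunk: `git \` is listed twice in the package list; `tini` and `su-exec` are installed but `CMD ["microengine"]` uses neither, so the engine runs as root as PID 1 with no init (an `ENTRYPOINT ["tini", "--"]` would use what was installed); and `RUN set -x && pip install --no-cache-dir -r requirements.txt` after `RUN set -x && pip install .` re-resolves dependencies the package install already pulled in, so the two pip steps belong in one `RUN` with the requirements installed first.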
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
#!/bin/bash | ||
./scripts/wait_for_it.sh $POLYSWARMD_HOST:$POLYSWARMD_PORT -t 0 | ||
microengine --keyfile docker/keyfile --password password --backend multi |
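Review bot: the wallet password is hard-coded as `--password password` and the signing key is taken from `docker/keyfile` inside the image (the Dockerfile's `COPY . .` copies the working tree in), so anyone who can read the repository, the image, or `ps` / `docker inspect` output on the host has both halves needed to sign transactions as this engine; read the password from an environment variable or a mounted secret (for example `--password "$MICROENGINE_PASSWORD"`, name illustrative) and state explicitly that the bundled key is a throwaway development key. The script also has no `set -e`, so a failure of `./scripts/wait_for_it.sh` still launches the engine (`-t 0` means wait forever, so in practice the script blocks rather than fails), and `$POLYSWARMD_HOST:$POLYSWARMD_PORT` should be quoted as `"$POLYSWARMD_HOST:$POLYSWARMD_PORT"`.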
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,3 @@ | ||
#!/bin/bash | ||
./scripts/wait_for_it.sh $POLYSWARMD_HOST:$POLYSWARMD_PORT -t 0 | ||
microengine | ||
microengine $* |
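Review bot: `microengine $*` re-splits every argument on whitespace and drops quoting, so a keyfile path or password containing a space arrives as several arguments; use `exec microengine "$@"` instead, which passes each argument through intact and replaces the shell with the engine so it becomes the container's main process and receives SIGTERM directly (the Dockerfile in this commit installs `tini` for exactly that purpose but never uses it).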
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,71 @@ | ||
import yara | ||
from microengine import Microengine | ||
import tempfile | ||
import os | ||
import clamd | ||
from io import BytesIO | ||
|
||
# ClamAV config | ||
CLAMD_HOST = os.getenv('CLAMD_HOST', 'localhost') | ||
CLAMD_PORT = int(os.getenv('CLAMD_PORT', '3310')) | ||
CLAMD_TIMEOUT = 30.0 | ||
|
||
# Yara rules import | ||
RULES_DIR = 'data/yara-rules/' | ||
|
||
|
||
class MultiMicroengine(Microengine): | ||
"""Microengine which matches yara rules and scans samples through clamd""" | ||
|
||
def __init__(self, polyswarmd_addr, keyfile, password): | ||
"""Initialize a ClamAV/Yara microengine | ||
Args: | ||
polyswarmd_addr (str): Address of polyswarmd | ||
keyfile (str): Path to private key file to use to sign transactions | ||
password (str): Password to decrypt the encrypted private key | ||
""" | ||
super().__init__(polyswarmd_addr, keyfile, password) | ||
self.clamd = clamd.ClamdNetworkSocket(CLAMD_HOST, CLAMD_PORT, | ||
CLAMD_TIMEOUT) | ||
self.rules = yara.compile(RULES_DIR + "malware/MALW_Eicar") | ||
|
||
async def scan(self, guid, content): | ||
"""Scan an artifact with ClamAV + YARA | ||
Args: | ||
guid (str): GUID of the bounty under analysis, use to track artifacts in the same bounty | ||
content (bytes): Content of the artifact to be scan | ||
Returns: | ||
(bool, bool, str): Tuple of bit, verdict, metadata | ||
bit (bool): Whether to include this artifact in the assertion or not | ||
verdict (bool): Whether this artifact is malicious or not | ||
metadata (str): Optional metadata about this artifact | ||
""" | ||
|
||
yara_res = False | ||
clam_res = False | ||
yara_metadata = '' | ||
clam_metadata = '' | ||
|
||
# Yara rule matching | ||
matches = self.rules.match(data=content) | ||
if matches: | ||
yara_res = True | ||
|
||
# ClamAV scan | ||
result = self.clamd.instream(BytesIO(content)).get('stream') | ||
if len(result) >= 2 and result[0] == 'FOUND': | ||
clam_res = True | ||
clam_metadata = result[1] | ||
|
||
# We assert on all artifacts | ||
bit = True | ||
|
||
# If either finds a match, trust it and send it along | ||
# If not, assert it is benign | ||
verdict = yara_res or clam_res | ||
metadata = ' '.join([yara_metadata, clam_metadata]).strip() | ||
|
||
return bit, verdict, metadata |
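Review bot: `self.clamd.instream(BytesIO(content))` raises (for example `clamd.ConnectionError` when nothing listens on `CLAMD_HOST:CLAMD_PORT` or the 30 s `CLAMD_TIMEOUT` is hit) and nothing in `scan` catches it, so a ClamAV outage propagates out of the scan loop instead of producing an abstain; wrap the ClamAV call in `try/except clamd.ClamdError` and either return `bit = False` or fall back to the YARA result alone for that artifact. On the YARA side `yara_metadata = ''` is never assigned afterwards, so a YARA-only hit is asserted with empty metadata; fill it from the match objects, e.g. `yara_metadata = ','.join(m.rule for m in matches)`, and give `self.rules.match(data=content)` a `timeout=` so a pathological rule cannot stall the engine. Also, `RULES_DIR = 'data/yara-rules/'` is resolved against the process's working directory rather than the module location, only `malware/MALW_Eicar` is compiled out of the whole submodule, and `tempfile` is imported but unused.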
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
import yara | ||
from microengine import Microengine | ||
import tempfile | ||
import os | ||
|
||
RULES_DIR = 'data/yara-rules/' | ||
|
||
|
||
class YaraMicroengine(Microengine): | ||
"""Microengine which matches samples against yara rules""" | ||
|
||
def __init__(self, polyswarmd_addr, keyfile, password): | ||
"""Initialize a Yara microengine | ||
Args: | ||
polyswarmd_addr (str): Address of polyswarmd | ||
keyfile (str): Path to private key file to use to sign transactions | ||
password (str): Password to decrypt the encrypted private key | ||
""" | ||
super().__init__(polyswarmd_addr, keyfile, password) | ||
self.rules = yara.compile(RULES_DIR + "malware/MALW_Eicar") | ||
|
||
async def scan(self, guid, content): | ||
"""Scan an artifact with YARA | ||
Args: | ||
guid (str): GUID of the bounty under analysis, use to track artifacts in the same bounty | ||
content (bytes): Content of the artifact to be scan | ||
Returns: | ||
(bool, bool, str): Tuple of bit, verdict, metadata | ||
bit (bool): Whether to include this artifact in the assertion or not | ||
verdict (bool): Whether this artifact is malicious or not | ||
metadata (str): Optional metadata about this artifact | ||
""" | ||
matches = self.rules.match(data=content) | ||
if matches: | ||
return True, True, '' | ||
|
||
return True, False, '' |
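Review bot: a YARA hit returns `True, True, ''`, so the assertion carries no record of which rule fired; return the matched rule names as the third element (for example `','.join(m.rule for m in matches)`) so the verdict can be reviewed afterwards. `self.rules.match(data=content)` should also be called with a `timeout=` so one slow rule cannot block the engine, `RULES_DIR = 'data/yara-rules/'` is resolved against the current working directory rather than the module (use `os.path.join(os.path.dirname(__file__), ...)` or an environment variable, as the multi backend already does for its ClamAV settings), and `tempfile` and `os` are imported but unused.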