8e80e136
Commit
8e80e136
authored
7 years ago
by
Peter Weidenbach
rules added to install script, IPv6 rule bug fixed
parent
10ddc58c
Showing
4 changed files
with
39 additions
and
15 deletions
+39
-15
ip_and_uri_finder_analysis.py
..._analysis_ip_and_uri_finder/ip_and_uri_finder_analysis.py
+30
-11
test_ip_and_uri_finder.py
...nalysis_ip_and_uri_finder/tests/test_ip_and_uri_finder.py
+1
-2
ip_rules.yara
common_analysis_ip_and_uri_finder/yara_rules/ip_rules.yara
+1
-1
setup.py
setup.py
+7
-1
common_analysis_ip_and_uri_finder/ip_and_uri_finder_analysis.py
from
common_analysis_base
import
AnalysisPluginFile
import
socket
from
sys
import
exit
,
exc_info
from
common_helper_files
import
get_dir_of_file
import
logging
try
:
import
yara
except
ImportError
:
yara
=
None
exit
(
"yara not found. please install yara"
)
import
os
import
socket
from
sys
import
exc_info
import
yara
logger
=
logging
.
getLogger
(
'CommonAnalysisIPAndURIFinder'
)
logger
.
setLevel
(
logging
.
INFO
)
system_version
=
"0.
3
"
system_version
=
"0.
4
"
class
FinderBase
:
...
...
@@ -119,10 +116,32 @@ class URIFinder(FinderBase):
class
CommonAnalysisIPAndURIFinder
(
AnalysisPluginFile
):
def
__init__
(
self
,
yara_uri_rules
=
None
,
yara_ip_rules
=
None
):
super
(
CommonAnalysisIPAndURIFinder
,
self
)
.
__init__
(
system_version
)
self
.
yara_uri_rules
=
yara_uri_rules
self
.
yara_ip_rules
=
yara_ip_rules
self
.
_set_rule_file_pathes
(
yara_uri_rules
,
yara_ip_rules
)
self
.
_check_for_errors
()
def
_set_rule_file_pathes
(
self
,
yara_uri_rules
,
yara_ip_rules
):
internal_signature_dir
=
os
.
path
.
join
(
get_dir_of_file
(
__file__
),
'yara_rules'
)
if
yara_ip_rules
is
None
:
self
.
yara_ip_rules
=
os
.
path
.
join
(
internal_signature_dir
,
'ip_rules.yara'
)
else
:
self
.
yara_ip_rules
=
yara_ip_rules
if
yara_uri_rules
is
None
:
self
.
yara_uri_rules
=
os
.
path
.
join
(
internal_signature_dir
,
'uri_rules.yara'
)
else
:
self
.
yara_uri_rules
=
yara_uri_rules
def
_check_for_errors
(
self
):
if
os
.
path
.
exists
(
self
.
yara_ip_rules
):
logging
.
info
(
'ip signature path: {}'
.
format
(
self
.
yara_ip_rules
))
else
:
logging
.
error
(
'ip signatures not found: {}'
.
format
(
self
.
yara_ip_rules
))
if
os
.
path
.
exists
(
self
.
yara_uri_rules
):
logging
.
info
(
'ip signature path: {}'
.
format
(
self
.
yara_uri_rules
))
else
:
logging
.
error
(
'ip signatures not found: {}'
.
format
(
self
.
yara_uri_rules
))
def
analyze_file
(
self
,
file_path
,
separate_ipv6
=
False
):
found_uris
,
found_ips_v4
,
found_ips_v6
=
[],
[],
[]
...
...
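Review bot: In `_check_for_errors` the uri branch reuses the ip messages, so both `logging.info('ip signature path: {}'…)` and `logging.error('ip signatures not found: {}'…)` are emitted for `self.yara_uri_rules` and a missing uri rule file is reported as a missing ip rule file; the second pair should read `'uri signature path: {}'` and `'uri signatures not found: {}'`. These calls also go to the root `logging` module instead of the module-level `logger` configured a few lines above, so the `setLevel(logging.INFO)` on that logger does not govern them. A rule file that does not exist (possibly a caller-supplied path) is only logged and construction continues, so the failure surfaces later in a less obvious place; consider raising `FileNotFoundError('uri signatures not found: {}'.format(self.yara_uri_rules))` in the `else` branches instead. `_set_rule_file_pathes` also repeats the two assignments `__init__` already made right before calling it. `analyze_file` and the rest of the class continue outside the hunk.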
common_analysis_ip_and_uri_finder/tests/test_ip_and_uri_finder.py
...
...
@@ -19,8 +19,7 @@ class TestIpAndUrlFinder(unittest.TestCase):
def
setUp
(
self
):
self
.
yara_uri_rules
=
find_file
(
'uri_rules.yara'
)
self
.
yara_ip_rules
=
find_file
(
'ip_rules.yara'
)
self
.
test_string
=
"1.2.3.4 abc 123.123.123.123 abc 1.2.3 .4 abc 1.1234.1.1 abc 1.a.1.1"
\
"1234:1234:abcd:abcd:1234:1234:abcd:abcd 2001:db8:0:8d3:0:8a2e:70:7344"
self
.
test_string
=
"1.2.3.4 abc 123.123.123.123 abc 1.2.3 .4 abc 1.1234.1.1 abc 1.a.1.1 1234:1234:abcd:abcd:1234:1234:abcd:abcd 2001:db8:0:8d3:0:8a2e:70:7344 "
def
test_find_ips
(
self
):
results
=
IPFinder
(
self
.
yara_ip_rules
)
.
find_ips
(
self
.
test_string
,
validate
=
False
)
...
...
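Review bot: The rewritten `test_string` now ends in a trailing space after the last IPv6 address, which looks like it exists to make that address match rather than to test anything; if the rule genuinely misses an address that sits at the very end of the buffer, that is a real gap for the finder (a file that ends in an address) and should be pinned by an assertion, not avoided by the fixture. Add a second input without the trailing separator, e.g. `self.test_string_eof = '2001:db8:0:8d3:0:8a2e:70:7344'`, and assert in `test_find_ips` that it is reported. The old string also glued `1.a.1.1` onto `1234:1234:…` because the continuation line had no separating space, so the previous expectations may have been computed against that malformed input. The expected-result assertions of `test_find_ips` are outside the hunk and should be re-checked against the new string.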
common_analysis_ip_and_uri_finder/yara_rules/ip_rules.yara
...
...
@@ -8,7 +8,7 @@ rule IPv4 {
rule IPv6 {
strings:
$a = /([\da-fA-F]{1,4})?\:([\da-fA-F]{1,4})?\:(([\da-fA-F]{1,4})?\:){0,
5
}([\da-fA-F]{1,4})?/
$a = /([\da-fA-F]{1,4})?\:([\da-fA-F]{1,4})?\:(([\da-fA-F]{1,4})?\:){0,
6
}([\da-fA-F]{1,4})?/
$b = /([\da-fA-F]{1,4})?\:([\da-fA-F]{1,4})?\:(([\da-fA-F]{1,4})?\:){0,5}[\d]{1,3}(\.[\d]{1,3}){3}/
condition:
...
...
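Review bot: Widening the repeat in `$a` from `{0,5}` to `{0,6}` lets the pattern span up to 8 colons, i.e. 9 hextet groups, one more than an IPv6 address can have, so a token such as `1:2:3:4:5:6:7:8:9` now matches in full; with `{0,5}` a complete 8-group address was already reachable (2 fixed colons plus 5 repeated). Because every group in `$a` is optional the rule is only a loose pre-filter, so the change is harmless only if the finder's validation step (not visible here) rejects the over-long match, and the test on this commit runs with `validate=False`, so that path is not exercised. Either keep the bound at `{0,5}` or add a test asserting that the 9-group string is not reported. The rule's `condition` is cut off at the end of the hunk.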
setup.py
...
...
@@ -8,10 +8,16 @@ setup(
packages
=
find_packages
(),
install_requires
=
[
'common_analysis_base'
,
'common_helper_files'
,
'yara-python >= 3.5'
],
data_files
=
[(
'common_analysis_ip_and_uri_finder/yara_rules'
,
[
'common_analysis_ip_and_uri_finder/yara_rules/ip_rules.yara'
,
'common_analysis_ip_and_uri_finder/yara_rules/uri_rules.yara'
,
])],
dependency_links
=
[
'git+https://github.com/mass-project/common_analysis_base.git#common_analysis_base'
'git+https://github.com/mass-project/common_analysis_base.git#common_analysis_base'
,
'git+https://github.com/fkie-cad/common_helper_files.git#common_helper_files'
],
description
=
"Analysis module to find IPs und URIs"
,
author
=
"Fraunhofer FKIE, University of Bonn Institute of Computer Science 4"
,
...
...
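Review bot: `data_files` installs the two `.yara` files relative to `sys.prefix`, not inside the installed package, while the analysis module resolves its default rule paths next to its own `__file__`; on a regular (non-editable) install the default rules will therefore not be found at the path the code looks in. Ship them as package data instead: `package_data={'common_analysis_ip_and_uri_finder': ['yara_rules/*.yara']}` together with `include_package_data=True`. Separately, the `dependency_links` entries end in `#common_analysis_base` / `#common_helper_files` where pip expects `#egg=<name>` to map the link to the requirement, and both point at an unpinned branch of a GitHub repository, so every install pulls whatever that branch holds at that moment; if `dependency_links` is kept at all (current pip ignores it), pin each link to a tag or commit in the form `...git@<tag-or-commit>#egg=<name>`.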