rules added to install script, IPv6 rule bug fixed

8e80e136 · Peter Weidenbach · 10ddc58c · 8e80e136 · 8e80e136 · 8e80e136
Commit 8e80e136 authored Jul 27, 2017 by Peter Weidenbach
4 changed files
--- a/common_analysis_ip_and_uri_finder/ip_and_uri_finder_analysis.py
+++ b/common_analysis_ip_and_uri_finder/ip_and_uri_finder_analysis.py
 from common_analysis_base import AnalysisPluginFile
-import socket
+from common_helper_files import get_dir_of_file
-from sys import exit, exc_info
 import logging
+import os
-try:
+import socket
-    import yara
+from sys import exc_info
-except ImportError:
+import yara
-    yara = None
-    exit("yara not found. please install yara")
 logger = logging.getLogger('CommonAnalysisIPAndURIFinder')
 logger.setLevel(logging.INFO)
-system_version = "0.3"
+system_version = "0.4"
 class FinderBase:
@@ -119,10 +116,32 @@ class URIFinder(FinderBase):
 class CommonAnalysisIPAndURIFinder(AnalysisPluginFile):
    def __init__(self, yara_uri_rules=None, yara_ip_rules=None):
        super(CommonAnalysisIPAndURIFinder, self).__init__(system_version)
-        self.yara_uri_rules = yara_uri_rules
+        self._set_rule_file_pathes(yara_uri_rules, yara_ip_rules)
-        self.yara_ip_rules = yara_ip_rules
+        self._check_for_errors()
+    def _set_rule_file_pathes(self, yara_uri_rules, yara_ip_rules):
+        internal_signature_dir = os.path.join(get_dir_of_file(__file__), 'yara_rules')
+        if yara_ip_rules is None:
+            self.yara_ip_rules = os.path.join(internal_signature_dir, 'ip_rules.yara')
+        else:
+            self.yara_ip_rules = yara_ip_rules
+        if yara_uri_rules is None:
+            self.yara_uri_rules = os.path.join(internal_signature_dir, 'uri_rules.yara')
+        else:
+            self.yara_uri_rules = yara_uri_rules
+    def _check_for_errors(self):
+        if os.path.exists(self.yara_ip_rules):
+            logging.info('ip signature path: {}'.format(self.yara_ip_rules))
+        else:
+            logging.error('ip signatures not found: {}'.format(self.yara_ip_rules))
+        if os.path.exists(self.yara_uri_rules):
+            logging.info('ip signature path: {}'.format(self.yara_uri_rules))
+        else:
+            logging.error('ip signatures not found: {}'.format(self.yara_uri_rules))
    def analyze_file(self, file_path, separate_ipv6=False):
        found_uris, found_ips_v4, found_ips_v6 = [], [], []

--- a/common_analysis_ip_and_uri_finder/tests/test_ip_and_uri_finder.py
+++ b/common_analysis_ip_and_uri_finder/tests/test_ip_and_uri_finder.py
@@ -19,8 +19,7 @@ class TestIpAndUrlFinder(unittest.TestCase):
    def setUp(self):
        self.yara_uri_rules = find_file('uri_rules.yara')
        self.yara_ip_rules = find_file('ip_rules.yara')
-        self.test_string = "1.2.3.4 abc 123.123.123.123 abc 1.2.3 .4 abc 1.1234.1.1 abc 1.a.1.1" \
+        self.test_string = "1.2.3.4 abc 123.123.123.123 abc 1.2.3 .4 abc 1.1234.1.1 abc 1.a.1.1 1234:1234:abcd:abcd:1234:1234:abcd:abcd 2001:db8:0:8d3:0:8a2e:70:7344 "
-                           "1234:1234:abcd:abcd:1234:1234:abcd:abcd 2001:db8:0:8d3:0:8a2e:70:7344"
    def test_find_ips(self):
        results = IPFinder(self.yara_ip_rules).find_ips(self.test_string, validate=False)

--- a/common_analysis_ip_and_uri_finder/yara_rules/ip_rules.yara
+++ b/common_analysis_ip_and_uri_finder/yara_rules/ip_rules.yara
@@ -8,7 +8,7 @@ rule IPv4 {
 rule IPv6 {
    strings:
-        $a = /([\da-fA-F]{1,4})?\:([\da-fA-F]{1,4})?\:(([\da-fA-F]{1,4})?\:){0,5}([\da-fA-F]{1,4})?/
+        $a = /([\da-fA-F]{1,4})?\:([\da-fA-F]{1,4})?\:(([\da-fA-F]{1,4})?\:){0,6}([\da-fA-F]{1,4})?/
        $b = /([\da-fA-F]{1,4})?\:([\da-fA-F]{1,4})?\:(([\da-fA-F]{1,4})?\:){0,5}[\d]{1,3}(\.[\d]{1,3}){3}/
    condition:

--- a/setup.py
+++ b/setup.py
@@ -8,10 +8,16 @@ setup(
    packages=find_packages(),
    install_requires=[
        'common_analysis_base',
+        'common_helper_files',
        'yara-python >= 3.5'
    ],
+    data_files=[('common_analysis_ip_and_uri_finder/yara_rules', [
+        'common_analysis_ip_and_uri_finder/yara_rules/ip_rules.yara',
+        'common_analysis_ip_and_uri_finder/yara_rules/uri_rules.yara',
+        ])],
    dependency_links=[
-        'git+https://github.com/mass-project/common_analysis_base.git#common_analysis_base'
+        'git+https://github.com/mass-project/common_analysis_base.git#common_analysis_base',
+        'git+https://github.com/fkie-cad/common_helper_files.git#common_helper_files'
    ],
    description="Analysis module to find IPs und URIs",
    author="Fraunhofer FKIE, University of Bonn Institute of Computer Science 4",