Source code for workbench.workers.yara_sigs
''' Yara worker '''
import os
import yara
import pprint
import collections
# We want to load this once per module load
def get_rules_from_disk():
[docs] ''' Recursively traverse the yara/rules directory for rules '''
# Try to find the yara rules directory relative to the worker
my_dir = os.path.dirname(os.path.realpath(__file__))
yara_rule_path = os.path.join(my_dir, 'yara/rules')
if not os.path.exists(yara_rule_path):
raise RuntimeError('yara could not find yara rules directory under: %s' % my_dir)
# Okay load in all the rules under the yara rule path
rules = yara.load_rules(rules_rootpath=yara_rule_path, fast_match=True)
return rules
YARA_RULES = get_rules_from_disk()
class YaraSigs(object):
[docs] ''' This worker check for matches against yara sigs.
Output keys: [matches:list of matches] '''
dependencies = ['sample']
def __init__(self):
self.rules = YARA_RULES
def execute(self, input_data):
[docs] ''' yara worker execute method '''
raw_bytes = input_data['sample']['raw_bytes']
matches = self.rules.match_data(raw_bytes)
# The matches data is organized in the following way
# {'filename1': [match_list], 'filename2': [match_list]}
# match_list = list of match
# match = {'meta':{'description':'blah}, tags=[], matches:True,
# strings:[string_list]}
# string = {'flags':blah, 'identifier':'$', 'data': FindWindow, 'offset'}
#
# So we're going to flatten a bit (shrug)
# {filename_match_meta_description: string_list}
flat_data = collections.defaultdict(list)
for filename, match_list in matches.iteritems():
for match in match_list:
if 'description' in match['meta']:
new_tag = filename+'_'+match['meta']['description']
else:
new_tag = filename+'_'+match['rule']
for match in match['strings']:
flat_data[new_tag].append(match['data'])
# Remove duplicates
flat_data[new_tag] = list(set(flat_data[new_tag]))
return {'matches': flat_data}
# Unit test: Create the class, the proper input and run the execute() method for a test
def test():
[docs] ''' yara_sigs.py: Unit test'''
# This worker test requires a local server running
import zerorpc
workbench = zerorpc.Client(timeout=300, heartbeat=60)
workbench.connect("tcp://127.0.0.1:4242")
# Test a file with known yara sigs
data_path = os.path.join(os.path.dirname(os.path.realpath(__file__)), '../data/pe/bad/auriga.exe')
with open(data_path,'rb') as pe_file:
base_name = os.path.basename(data_path)
md5 = workbench.store_sample(pe_file.read(), base_name, 'exe')
# Grab the sample from workbench
input_data = workbench.get_sample(md5)
# Execute the worker (unit test)
worker = YaraSigs()
output = worker.execute(input_data)
print '\n<<< Unit Test >>>'
pprint.pprint(output)
# Execute the worker (server test)
output = workbench.work_request('yara_sigs', md5)
print '\n<<< Server Test >>>'
pprint.pprint(output)
if __name__ == "__main__":
test()