chg: [pgpdump] check trackers on extracted metadata

This commit is contained in:
Terrtia 2022-09-14 11:41:24 +02:00
parent 1372b1ef68
commit f8f785970f
No known key found for this signature in database
GPG key ID: 1E1B1F50D84613D0
4 changed files with 26 additions and 6 deletions


@ -24,6 +24,10 @@ from packages import Paste
from packages import Pgp from packages import Pgp
from trackers.Tracker_Term import Tracker_Term
from trackers.Tracker_Regex import Tracker_Regex
from trackers.Tracker_Yara import Tracker_Yara
class TimeoutException(Exception): class TimeoutException(Exception):
pass pass
@ -152,6 +156,10 @@ if __name__ == '__main__':
#config_section = 'PgpDump' #config_section = 'PgpDump'
config_section = 'PgpDump' config_section = 'PgpDump'
tracker_module_term = Tracker_Term()
tracker_module_regex = Tracker_Regex()
tracker_module_yara = Tracker_Yara()
# Setup the I/O queues # Setup the I/O queues
p = Process(config_section) p = Process(config_section)
@ -245,7 +253,13 @@ if __name__ == '__main__':
for name_id in set_name: for name_id in set_name:
print(name_id) print(name_id)
Pgp.pgp.save_item_correlation('name', name_id, message, item_date) Pgp.pgp.save_item_correlation('name', name_id, message, item_date)
tracker_module_term.compute(message, item_content=name_id)
tracker_module_regex.compute(message, item_content=name_id)
tracker_module_yara.compute(message, item_content=name_id)
for mail_id in set_mail: for mail_id in set_mail:
print(mail_id) print(mail_id)
Pgp.pgp.save_item_correlation('mail', mail_id, message, item_date) Pgp.pgp.save_item_correlation('mail', mail_id, message, item_date)
tracker_module_term.compute(message, item_content=name_id)
tracker_module_regex.compute(message, item_content=name_id)
tracker_module_yara.compute(message, item_content=name_id)
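Review bot: The three tracker calls added inside the `for mail_id in set_mail:` loop pass `item_content=name_id` instead of `mail_id`, so each extracted mail address is checked against whatever `name_id` last held (a stale value from the previous loop, or a NameError if set_name was empty and the name was never bound); the calls in the `name_id` loop just above are the correct template. They should read `tracker_module_term.compute(message, item_content=mail_id)`, `tracker_module_regex.compute(message, item_content=mail_id)` and `tracker_module_yara.compute(message, item_content=mail_id)`. Worth checking too: Tracker_Term.compute arms `signal.alarm` itself and this module defines its own TimeoutException, so if PgpDump also relies on an alarm around the pgpdump call the nested alarms will interfere — confirm before merging. The enclosing `if __name__ == '__main__':` block starts and ends outside the hunk.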


@ -50,7 +50,7 @@ class Tracker_Regex(AbstractModule):
self.redis_logger.info(f"Module: {self.module_name} Launched") self.redis_logger.info(f"Module: {self.module_name} Launched")
def compute(self, item_id): def compute(self, item_id, item_content=None):
# refresh Tracked regex # refresh Tracked regex
if self.last_refresh < Tracker.get_tracker_last_updated_by_type('regex'): if self.last_refresh < Tracker.get_tracker_last_updated_by_type('regex'):
self.dict_regex_tracked = Term.get_regex_tracked_words_dict() self.dict_regex_tracked = Term.get_regex_tracked_words_dict()
@ -60,6 +60,7 @@ class Tracker_Regex(AbstractModule):
item = Item(item_id) item = Item(item_id)
item_id = item.get_id() item_id = item.get_id()
if not item_content:
item_content = item.get_content() item_content = item.get_content()
for regex in self.dict_regex_tracked: for regex in self.dict_regex_tracked:
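Review bot: The new fallback `if not item_content:` tests truthiness, so a caller passing an empty string (an empty extracted field) silently gets the whole item scanned and any match attributed to metadata that did not contain it; `if item_content is None:` keeps the override explicit. The new keyword parameter is also undocumented — a docstring such as `"""Run the tracked regexes on item_id, or on item_content when the caller supplies a substring (e.g. extracted metadata) instead of the full item body."""` would record the contract. compute's body continues beyond the hunk.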


@ -61,7 +61,7 @@ class Tracker_Term(AbstractModule):
self.redis_logger.info(f"Module: {self.module_name} Launched") self.redis_logger.info(f"Module: {self.module_name} Launched")
def compute(self, item_id): def compute(self, item_id, item_content=None):
# refresh Tracked term # refresh Tracked term
if self.last_refresh_word < Term.get_tracked_term_last_updated_by_type('word'): if self.last_refresh_word < Term.get_tracked_term_last_updated_by_type('word'):
self.list_tracked_words = Term.get_tracked_words_list() self.list_tracked_words = Term.get_tracked_words_list()
@ -78,6 +78,7 @@ class Tracker_Term(AbstractModule):
# Cast message as Item # Cast message as Item
item = Item(item_id) item = Item(item_id)
item_date = item.get_date() item_date = item.get_date()
if not item_content:
item_content = item.get_content() item_content = item.get_content()
signal.alarm(self.max_execution_time) signal.alarm(self.max_execution_time)
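Review bot: `if not item_content:` treats an empty string as "no override" and falls back to `item.get_content()`, so an empty extracted field scans the whole item; `if item_content is None:` is the check the new keyword argument needs. Separately, the line right after the fallback arms `signal.alarm(self.max_execution_time)`, and now that compute is invoked from inside another module's processing loop (PgpDump, which defines its own TimeoutException) any alarm the caller had pending is replaced — and presumably cancelled by an `alarm(0)` later in this method, which would also cancel the caller's timeout; that interaction should be confirmed or documented on the method. compute's body continues beyond the hunk on both sides.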


@ -47,7 +47,7 @@ class Tracker_Yara(AbstractModule):
self.redis_logger.info(f"Module: {self.module_name} Launched") self.redis_logger.info(f"Module: {self.module_name} Launched")
def compute(self, item_id): def compute(self, item_id, item_content=None):
# refresh YARA list # refresh YARA list
if self.last_refresh < Tracker.get_tracker_last_updated_by_type('yara'): if self.last_refresh < Tracker.get_tracker_last_updated_by_type('yara'):
self.rules = Tracker.reload_yara_rules() self.rules = Tracker.reload_yara_rules()
@ -56,7 +56,11 @@ class Tracker_Yara(AbstractModule):
print('Tracked set refreshed') print('Tracked set refreshed')
self.item = Item(item_id) self.item = Item(item_id)
if not item_content:
item_content = self.item.get_content() item_content = self.item.get_content()
try: try:
yara_match = self.rules.match(data=item_content, callback=self.yara_rules_match, which_callbacks=yara.CALLBACK_MATCHES, timeout=60) yara_match = self.rules.match(data=item_content, callback=self.yara_rules_match, which_callbacks=yara.CALLBACK_MATCHES, timeout=60)
if yara_match: if yara_match:
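Review bot: `if not item_content:` falls back to the full item body for an empty string as well as for None; with the new callers passing extracted metadata, `if item_content is None:` avoids scanning the whole item when a field happens to be empty. Note also that `self.item` is still built from item_id before the match, so a hit found in the caller-supplied snippet is presumably recorded against the whole item by `yara_rules_match` — reasonable, but the parameter should say so, e.g. `# item_content: optional substring to scan instead of the item body; matches are still attributed to item_id`. compute continues beyond the hunk.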