###############################################################################
# #
# Peekaboo Extended Email Attachment Behavior Observation Owl #
# #
# ruleset/ #
# engine.py #
###############################################################################
# #
# Copyright (C) 2016-2019 science + computing ag #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or (at #
# your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, but #
# WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU #
# General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
import logging
from peekaboo.ruleset import Result, RuleResult
from peekaboo.ruleset.rules import *
from peekaboo.toolbox.peekabooyar import ContainsPeekabooYarRule
from peekaboo.exceptions import PeekabooAnalysisDeferred
logger = logging.getLogger(__name__)
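class RulesetEngine(object):
    """
    Peekaboo's ruleset engine.

    Evaluates the rule classes listed in ``rules``, in the given order,
    against one sample. Evaluation stops at the first rule whose result
    does not ask for further analysis.

    @author: Sebastian Deiss
    @since: 1.6
    """
    # Evaluation order: run() walks this list top to bottom and stops at the
    # first rule that returns further_analysis=False, so an earlier rule can
    # short-circuit every rule below it. FinalRule is listed last.
    rules = [
        KnownRule,
        FileLargerThanRule,
        FileTypeOnWhitelistRule,
        FileTypeOnGreylistRule,
        CuckooEvilSigRule,
        CuckooScoreRule,
        OfficeMacroRule,
        RequestsEvilDomainRule,
        CuckooAnalysisFailedRule,
        ContainsPeekabooYarRule,
        FinalRule
    ]

    def __init__(self, sample, ruleset_config, db_con):
        """
        @param sample: the sample the rules are evaluated against
        @param ruleset_config: ruleset configuration; queried through
                               rule_enabled() and rule_config()
        @param db_con: database connection handed to every rule instance
        """
        self.sample = sample
        self.config = ruleset_config
        self.db_con = db_con

    def run(self):
        """
        Evaluate the rules against the sample until one of them asks to
        stop.

        "Rules evaluated" is only logged when every rule in the list was
        processed; an early stop returns silently (the stopping rule has
        already recorded its result on the sample).

        @raise PeekabooAnalysisDeferred: passed through from a rule that
                                         needs the Cuckoo report first
        """
        # self.rules resolves to the class attribute unless a subclass or
        # instance overrides the rule list
        for rule_class in self.rules:
            result = self.__exec_rule(self.sample, rule_class)
            if not result.further_analysis:
                # a rule reached a verdict (or aborted) - stop here
                return
        logger.info("Rules evaluated")

    def __exec_rule(self, sample, rule_class):
        """
        rule wrapper for in/out logging and reporting

        Instantiates and evaluates one rule for the sample and records the
        outcome on the sample. Any unexpected exception raised by the rule
        is converted into a failed result that stops further analysis, so
        a broken rule cannot let a sample fall through to the remaining
        rules.

        @param sample: the sample under evaluation
        @param rule_class: rule class to instantiate; must provide a
                           rule_name attribute
        @return: the RuleResult recorded on the sample for this rule
        @raise PeekabooAnalysisDeferred: re-raised unchanged so the caller
                                         can suspend the analysis
        """
        rule_name = rule_class.rule_name
        # lazy %-args: the message is only rendered if the level is enabled
        logger.debug("Processing rule '%s' for %s", rule_name, sample)
        try:
            # skip disabled rules.
            if self.config.rule_enabled(rule_name):
                rule_config = self.config.rule_config(rule_name)
                rule = rule_class(config=rule_config, db_con=self.db_con)
                result = rule.evaluate(sample)
            else:
                logger.debug("Rule '%s' is disabled.", rule_name)
                # NOTE(review): _ is not imported in this module, so it is
                # presumably the gettext translation function installed into
                # builtins elsewhere - confirm
                result = RuleResult(
                    rule_name, result=Result.unchecked,
                    reason=_("Rule '%s' is disabled.") % rule_name,
                    further_analysis=True)
            sample.add_rule_result(result)
        except PeekabooAnalysisDeferred:
            # in case the Sample is requesting the Cuckoo report
            raise
        # catch all other exceptions for this rule
        except Exception as e:
            logger.warning("Unexpected error in '%s' for %s",
                           rule_name, sample)
            logger.exception(e)
            # create "fake" RuleResult: fail closed - mark the sample as
            # failed and stop evaluation rather than continuing with the
            # remaining rules on a partially evaluated sample
            result = RuleResult("RulesetEngine", result=Result.failed,
                                reason=_("Rule aborted with error"),
                                further_analysis=False)
            sample.add_rule_result(result)
        logger.info("Rule '%s' processed for %s", rule_name, sample)
        return result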