ciscocsirt / malspider

Malspider is a web spidering framework that detects characteristics of web compromises.
BSD 3-Clause "New" or "Revised" License

Regex Raw field #3

Closed r3comp1le closed 8 years ago

r3comp1le commented 8 years ago

Is it possible to regex on the raw data? If so, what's the proper method?

clicky_regex = re.compile("clicky", re.IGNORECASE | re.MULTILINE)

clicky_elements = Element.objects.filter(Q(event_time__gte=search_start_time), Q(tag_name='script') | Q(tag_name='iframe'), Q(raw__regex=clicky_regex))

jasheppa5 commented 8 years ago

The syntax looks correct. You need to register your alert with the generate_alerts function. If your alert looks like this:

def get_clicky_malware(self, search_start_time):
    clicky_regex = re.compile("clicky", re.IGNORECASE | re.MULTILINE)
    clicky_elements = Element.objects.filter(Q(event_time__gte=search_start_time),
                                             Q(tag_name='script') | Q(tag_name='iframe'),
                                             Q(raw__regex=clicky_regex))
    return clicky_elements

then go into the generate_alerts function and register with the alerts dictionary:

alerts["CLICKY MALWARE"] = self.get_clicky_malware(search_start_time)

If you don't want a whitelist check to be performed on your results, you can register the alert under the "alerts_nocheck" dictionary instead.

Let me know if this fixes your problem.


r3comp1le commented 8 years ago

Yup, had it listed under nocheck section, but still not firing.

Database Views: http://i.imgur.com/Wazt95g.png http://i.imgur.com/xS0qft7.png

jasheppa5 commented 8 years ago

First, thank you for your persistence and patience. I spotted the problem:

raw__regex=clicky_regex

should be

raw__regex=clicky_regex.pattern

You need to pass the regex pattern string, not the regex object. I realize I have at least one sample classification that does the same thing so I'll fix that in a code update today or tomorrow.

I ran a simple test and it worked so hopefully this fixes your problem. Thanks again for your patience, and PLEASE add your final signature to github!!

-James

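The fix in the reply above, as an added example that is not Malspider's own code: a plain-Python stand-in for the ORM filter and alert registration, run over constructed Element rows, showing why the lookup needs `clicky_regex.pattern` rather than the compiled object. The rows, the `regex_filter` helper and the assumption that a string-typed lookup would receive `str()` of a compiled pattern are all constructed here, not taken from the project.

```python
import re
from datetime import datetime

# Constructed sample rows standing in for Malspider's Element table (assumption:
# only the three columns the thread's filter touches are modelled).
SAMPLE_ELEMENTS = [
    {"event_time": datetime(2016, 6, 14, 10, 0), "tag_name": "script",
     "raw": '<script src="//static.getclicky.example/js"></script>'},
    {"event_time": datetime(2016, 6, 14, 10, 5), "tag_name": "iframe",
     "raw": '<iframe src="http://frames.example/CLICKY/f.html"></iframe>'},
    {"event_time": datetime(2016, 6, 14, 10, 6), "tag_name": "div",
     "raw": "<div>clicky</div>"},                      # right text, wrong tag
    {"event_time": datetime(2016, 6, 1, 9, 0), "tag_name": "script",
     "raw": "<script>clicky</script>"},                # before search_start_time
]

def regex_filter(elements, search_start_time, tag_names, pattern):
    """Plain-Python stand-in for the ORM filter in the thread. Like a
    __regex lookup it takes a pattern *string*; a compiled object is
    rejected loudly here instead of being coerced to its repr() and
    silently matching nothing."""
    if not isinstance(pattern, str):
        raise TypeError("pass regex.pattern (a str), not the compiled object")
    rx = re.compile(pattern, re.IGNORECASE | re.MULTILINE)
    return [e for e in elements
            if e["event_time"] >= search_start_time
            and e["tag_name"] in tag_names
            and rx.search(e["raw"])]

def get_clicky_malware(elements, search_start_time):
    clicky_regex = re.compile("clicky", re.IGNORECASE | re.MULTILINE)
    # .pattern is the fix from the thread: hand the lookup the string.
    return regex_filter(elements, search_start_time,
                        {"script", "iframe"}, clicky_regex.pattern)

def generate_alerts(elements, search_start_time):
    # Mirrors registering the rule in the "alerts_nocheck" dictionary.
    alerts_nocheck = {}
    alerts_nocheck["CLICKY MALWARE"] = get_clicky_malware(elements, search_start_time)
    return alerts_nocheck

def coerced_pattern(compiled):
    """What a string-typed lookup would receive if handed the compiled
    object (assumed coercion): its repr, "re.compile('clicky', ...)",
    which is not the pattern "clicky" at all."""
    return str(compiled)
```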

r3comp1le commented 8 years ago

Wow, I can't believe I didn't see that. Out of all the existing rules I cloned as an example, it was the one missing .pattern (def get_cart_id_injections), lol.

Works perfectly now.

jasheppa5 commented 8 years ago

Do you mind submitting a pull request so your clicky rule can be added to the master repo? I can also add you as a contributor if you like, and that will give you direct read/write access to the repo.
