@groldo
Created February 2, 2024 15:28
Test Malpedia yara rule scan API endpoint
// Flags any file that contains the literal IPv4 address 134.23.9.7 as ASCII text.
rule DetectContactToSpecificIP {
    meta:
        description = "Detect files attempting to contact IP 134.23.9.7"
        author = "Your Name"
        date = "2024-02-01"
    strings:
        // Plain substring match: it also fires on longer addresses that begin
        // with these octets (e.g. 134.23.9.70) and on any file that merely
        // mentions the address, not only on code that actually connects to it.
        $ip_string = "134.23.9.7" ascii
    condition:
        $ip_string
}
import requests
import sys
import yaml
from yaml.loader import SafeLoader
# An in-memory copy of the YARA rule text, so the scan endpoint can be exercised
# with a raw byte payload as well as with a rule file read from disk.
yara_rule_bytes = (
    b"rule DetectContactToSpecificIP {\n"
    b" meta:\n"
    b' description = "Detect files attempting to contact IP 134.23.9.7"\n'
    b' author = "Your Name"\n'
    b' date = "2024-02-01"\n'
    b" strings:\n"
    b' $ip_string = "134.23.9.7" ascii\n'
    b"  condition:\n"
    b" $ip_string\n"
    b"}\n"
)
# Echo the exact rule text that will be submitted.
print(yara_rule_bytes.decode())
def loadYaml(infile):
    """Parse the YAML document at *infile* and return the loaded object.

    The safe loader is used, so the document may contain plain mappings,
    sequences and scalars but cannot direct the parser to construct
    arbitrary Python objects.  Whatever type the document's top level is
    (usually a dict) is returned unchanged.
    """
    with open(infile) as stream:
        parsed = yaml.safe_load(stream)
    return parsed
# The API token comes from malpedia.yaml next to the script rather than being
# hard-coded; only the "api_token" key is consumed here.
config = loadYaml("malpedia.yaml")
api_key = config["api_token"]
base_url = "https://malpedia.caad.fkie.fraunhofer.de/"
# Sent with every request below as the Authorization header value.
header = {"Authorization": "apitoken " + api_key}
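def __make_api_call(path, method="GET", files=None, data=None, raw=False, timeout=60):
    """Issue one request against the Malpedia REST API and return the response.

    Args:
        path: endpoint path relative to ``/api/``; a leading slash is tolerated.
        method: HTTP method, ``"GET"`` by default.
        files: optional multipart payload, passed straight to ``requests``.
        data: optional request body, passed straight to ``requests``.
        raw: accepted for interface compatibility; not used in this function.
        timeout: seconds to wait for connect/read before giving up.  Without a
            timeout a stalled connection would block the script indefinitely.

    Returns:
        The ``requests.Response`` when the server does not reply with 4xx/5xx.

    Raises:
        requests.exceptions.HTTPError: for a 4xx/5xx reply.
        requests.exceptions.RequestException: on connection or timeout failure.
    """
    apicall_path = "https://malpedia.caad.fkie.fraunhofer.de/api/" + path.lstrip("/")
    response = requests.request(
        method,
        apicall_path,
        headers=header,  # carries the "apitoken ..." Authorization value
        files=files,
        data=data,
        timeout=timeout,
    )
    # Turn 4xx/5xx into an exception so callers handle a single failure path.
    response.raise_for_status()
    return response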
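# Verify the token before exercising the scan endpoint; without a valid key
# none of the later calls can succeed.
try:
    r = __make_api_call("check/apikey")
except requests.exceptions.RequestException as e:
    # Catches HTTP errors as well as connection/timeout failures.  Stop here:
    # ``r`` is unbound on failure, so continuing would only raise NameError
    # at the status-code print below.
    print(e)
    print("exit")
    sys.exit(1)
print(r.status_code)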
# First probe of the YARA scan endpoint: submit the in-memory rule bytes.
# An HTTP error is reported but does not stop the script; the file-based
# probe below is still attempted.
api_endpoint = "scan/yara"
try:
    r = __make_api_call(api_endpoint, data=yara_rule_bytes, method="POST")
except requests.exceptions.HTTPError as err:
    print(err)
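# Second probe: the same endpoint, fed from a rule file on disk.  The file is
# read and closed before the network round-trip starts, rather than being held
# open for the duration of the request.
api_endpoint = "scan/yara"
try:
    with open("./utils/yara.rule", "rb") as infile:
        rule_file_bytes = infile.read()
except OSError as e:
    # Missing or unreadable rule file: report it the same way as a failed call.
    print(e)
    print("exit")
    sys.exit(1)
try:
    r = __make_api_call(api_endpoint, method="POST", data=rule_file_bytes)
except requests.exceptions.RequestException as e:
    # Connection and timeout failures are reported the same way as HTTP errors.
    print(e)
    print("exit")
    sys.exit(1)
# Body of the file-based scan response; raises ValueError if it is not JSON.
print(r.json())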