mquery

Add the information about match context to the database

Open · msm-cert opened this issue 1 year ago · 0 comments

To implement #38, we'll need to add the information about match context to the database. AFAIK it's not possible to get it directly from yara-python (but do check), so it must be worked around by using offsets: https://github.com/VirusTotal/yara/issues/1335

This information should be stored for every string in every matched rule (there may be more than one rule). So maybe the matches array should be changed to a dict. We can just store the hex-encoded context in the matches field then (as long as it's not too big).

For example, if the rules are

// First rule: two plain-text strings, both required to match.
rule test_romanum {
    strings:
        $a = "a"
        $b = "b"
    condition:
        all of them
}
// Second rule, renamed from test_romanum: YARA rejects a ruleset with
// duplicate rule identifiers, so the two rules need distinct names.
rule test_romanum2 {
    strings:
        $c = "c"
        $d = "d"
    condition:
        all of them
}

There may be as many as 4 matches. If there is more than one match per string, only the first should be stored and the rest ignored.

Finally, this information should be exposed via the API (included in the serialized object) like /api/job/{job_id}.

msm-cert, Sep 16 '24 15:09
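The approach described in the issue (take each matched string's first offset, cut a window of bytes around it, hex-encode it, and store it in a dict keyed by rule and string identifier), as an added example that is not part of the issue or of mquery's code. The scanner here is a constructed stand-in for `yara.Rules.match()` so the example runs without yara-python; the dataclasses mirror the attribute names of yara-python's `Match`, `StringMatch` and `StringMatchInstance` objects (yara-python 4.3.0 and later), so `extract_context()` also works on real match results. `CONTEXT_BYTES`, the `job_record()` layout and the sample bytes are assumptions.

```python
# Added example, not mquery's own code: derive a per-string match context
# from match offsets, store it as a dict keyed by rule and string identifier,
# and shape it the way a job record could expose it. The scanner below is a
# constructed stand-in for yara.Rules.match(); the dataclasses mirror the
# attribute names of yara-python's Match / StringMatch / StringMatchInstance
# objects (yara-python >= 4.3.0), so extract_context() also accepts real ones.
from dataclasses import dataclass

# Bytes kept on each side of a match. Hypothetical setting: the issue only
# says the stored context must not be too big.
CONTEXT_BYTES = 16


@dataclass
class StringInstance:      # stand-in for yara.StringMatchInstance
    offset: int
    matched_data: bytes


@dataclass
class StringMatch:         # stand-in for yara.StringMatch
    identifier: str
    instances: list


@dataclass
class Match:               # stand-in for yara.Match
    rule: str
    strings: list


def scan_stand_in(data: bytes, rules: dict) -> list:
    """Constructed substitute for yara.Rules.match(data=data).

    `rules` maps rule name -> {string identifier: byte pattern}; every rule is
    treated as having the condition `all of them`, like the issue's example.
    """
    matches = []
    for rule_name, strings in rules.items():
        string_matches = []
        for identifier, pattern in strings.items():
            instances = []
            pos = data.find(pattern)
            while pos != -1:              # collect every occurrence, in offset order
                instances.append(StringInstance(pos, pattern))
                pos = data.find(pattern, pos + 1)
            if not instances:
                break                     # `all of them` fails for this rule
            string_matches.append(StringMatch(identifier, instances))
        else:
            matches.append(Match(rule_name, string_matches))
    return matches


def extract_context(data: bytes, matches: list, context_bytes: int = CONTEXT_BYTES) -> dict:
    """Return {rule: {identifier: {"offset": int, "context": hex str}}}.

    Only the first (lowest-offset) instance of each string is kept; further
    instances are ignored, as the issue specifies. The window is clamped to
    the file boundaries so a match near the start or end still works.
    """
    result = {}
    for match in matches:
        per_string = {}
        for s in match.strings:
            if not s.instances:
                continue
            first = min(s.instances, key=lambda inst: inst.offset)
            start = max(0, first.offset - context_bytes)
            end = min(len(data), first.offset + len(first.matched_data) + context_bytes)
            per_string[s.identifier] = {
                "offset": first.offset,
                "context": data[start:end].hex(),   # hex-encoded, as the issue proposes
            }
        result[match.rule] = per_string
    return result


def job_record(job_id: str, data: bytes, matches: list) -> dict:
    """Shape a job object the way /api/job/{job_id} could serialize it (assumed layout)."""
    return {"id": job_id, "matches": extract_context(data, matches)}


if __name__ == "__main__":
    # Constructed sample file and the issue's two rules, with the second rule
    # renamed because YARA rejects duplicate rule identifiers.
    sample = b"0123a5678b0123c5678d0123a"
    sample_rules = {
        "test_romanum": {"$a": b"a", "$b": b"b"},
        "test_romanum2": {"$c": b"c", "$d": b"d"},
    }
    found = scan_stand_in(sample, sample_rules)
    print(job_record("job-1", sample, found))
```

With real yara-python the only change is replacing `scan_stand_in()` by `yara.compile(source=...).match(data=data)`; the second `a` in the sample is dropped because only the first instance per string is recorded, and the window for `$a` starts at byte 0 rather than at a negative offset.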