Fixes Blint#2232

Open g4ze opened this issue 2 years ago • 8 comments

closes #2232

Description

Please include a summary of the change and link to the related issue.

Type of change

Please delete options that are not relevant.

  • [ ] Bug fix (non-breaking change which fixes an issue).
  • [x] New feature (non-breaking change which adds functionality).
  • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected).

Checklist

  • [x] I have read and understood the rules about how to Contribute to this project
  • [x] The pull request is for the branch develop
  • [x] A new plugin (analyzer, connector, visualizer, playbook, pivot or ingestor) was added or changed, in which case:
    • [x] I strictly followed the documentation "How to create a Plugin"
    • [x] Usage file was updated.
    • [ ] Advanced-Usage was updated (in case the plugin provides additional optional configuration).
    • [ ] If the plugin requires mocked testing, _monkeypatch() was used in its class to apply the necessary decorators.
    • [x] I have dumped the configuration from Django Admin using the dumpplugin command and added it in the project as a data migration. ("How to share a plugin with the community")
    • [ ] If a File analyzer was added and it supports a mimetype which is not already supported, you added a sample of that type inside the archive test_files.zip and you added the default tests for that mimetype in test_classes.py.
    • [x] If you created a new analyzer and it is free (does not require API keys), please add it in the FREE_TO_USE_ANALYZERS playbook by following this guide.
    • [x] Check if it could make sense to add that analyzer/connector to other freely available playbooks.
    • [x] I have provided the resulting raw JSON of a finished analysis and a screenshot of the results.
    • [ ] I have added that raw JSON sample to the MockUpResponse of the _monkeypatch() method. This serves us to provide a valid sample for testing.
  • [ ] If external libraries/packages with restrictive licenses were used, they were added in the Legal Notice section.
  • [x] Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
  • [x] I have added tests for the feature/bug I solved (see tests folder). All the tests (new and old ones) gave 0 errors.
  • [x] If changes were made to an existing model/serializer/view, the docs were updated and regenerated (check CONTRIBUTE.md).
  • [ ] If the GUI has been modified:
    • [ ] I have provided a screenshot of the result in the PR.
    • [ ] I have created new frontend tests for the new component or updated existing ones.
  • [ ] After you had submitted the PR, if DeepSource, Django Doctors or other third-party linters have triggered any alerts during the CI checks, I have solved those alerts.

Important Rules

  • If you miss to compile the Checklist properly, your PR won't be reviewed by the maintainers.
  • Every time you make changes to the PR and you think the work is done, you should explicitly ask for a review. After being reviewed and received a "change request", you should explicitly ask for a review again once you have made the requested changes.
([
{
	'id': 'CHECK_AUTHENTICODE',
	'title': 'Missing Authenticode',
	'description': 'Authenticode is a digital signature format that is used to determine the origin and integrity of software binaries. Authenticode is based on Public-Key Cryptography Standards (PKCS) #7 signed data and X.509 certificates to bind an Authenticode-signed binary to the identity of a software publisher.\nAt its core, Authenticode supplies (or can supply, as optional features) a number of properties for signed programs:\n* Authenticity\n* Integrity\n* Timeliness\n',
	'severity': 'high',
	'exe_types': ['PE32', 'PE64', 'gobinary', 'dotnetbinary', 'x86_64-executable'],
	'filename': '/opt/deploy/files_required/job_2024_04_11_15_09_59_file.exe',
	'exe_name': '/opt/deploy/files_required/job_2024_04_11_15_09_59_file.exe',
	'exe_type': 'PE64'
},
{
	'id': 'CHECK_DLL_CHARACTERISTICS',
	'title': 'Missing dll Security Characteristics (HIGH_ENTROPY_VA, GUARD_CF, FORCE_INTEGRITY)',
	'description': 'NX_COMPAT: Image is NX compatible.\nFORCE_INTEGRITY: Code Integrity checks are enforced.\nHIGH_ENTROPY_VA: Image can handle a high entropy 64-bit virtual address space.\nGUARD_CF: Image supports Control Flow Guard.\nDYNAMIC_BASE: DLL can be relocated at load time.\n\nControl Flow Guard (CFG) is a highly-optimized platform security feature that was created to combat memory corruption vulnerabilities. By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows.\n\n- [PE format](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#dll-characteristics)\n- [Control Flow Guard](https://docs.microsoft.com/en-gb/windows/win32/secbp/control-flow-guard)\n',
	'severity': 'high',
	'mandatory_values': ['HIGH_ENTROPY_VA', 'NX_COMPAT', 'GUARD_CF', 'FORCE_INTEGRITY', 'DYNAMIC_BASE'],
	'exe_types': ['PE32', 'PE64', 'dotnetbinary'],
	'filename': '/opt/deploy/files_required/job_2024_04_11_15_09_59_file.exe',
	'exe_name': '/opt/deploy/files_required/job_2024_04_11_15_09_59_file.exe',
	'exe_type': 'PE64'
}], [], [])

g4ze, Apr 09 '24 20:04
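
The CHECK_DLL_CHARACTERISTICS finding above comes down to five bits in the PE optional header. The following is an added example, not code from this PR or from Blint: it reads the `DllCharacteristics` field directly with `struct` and lists which of the `mandatory_values` are absent. The function names and the header-only sample are constructed for illustration.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE format specification,
# limited to the five values listed in the CHECK_DLL_CHARACTERISTICS output.
MANDATORY_FLAGS = {
    "HIGH_ENTROPY_VA": 0x0020,
    "DYNAMIC_BASE": 0x0040,
    "FORCE_INTEGRITY": 0x0080,
    "NX_COMPAT": 0x0100,
    "GUARD_CF": 0x4000,
}
PE32_MAGIC, PE32_PLUS_MAGIC = 0x10B, 0x20B
DLLCHAR_OFFSET = 70  # same offset in PE32 and PE32+ optional headers


def read_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field, or raise ValueError if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    opt_off = pe_off + 4 + 20  # skip "PE\0\0" and the 20-byte COFF header
    if len(data) < opt_off + DLLCHAR_OFFSET + 2:
        raise ValueError("truncated PE headers")
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (PE32_MAGIC, PE32_PLUS_MAGIC):
        raise ValueError("unknown optional header magic")
    (flags,) = struct.unpack_from("<H", data, opt_off + DLLCHAR_OFFSET)
    return flags


def missing_flags(data: bytes) -> list:
    """Names of the mandatory hardening flags that are not set."""
    flags = read_dll_characteristics(data)
    return sorted(n for n, bit in MANDATORY_FLAGS.items() if not flags & bit)


def build_sample_pe(flags: int) -> bytes:
    """Constructed header-only PE32+ sample (not a loadable binary)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32_PLUS_MAGIC)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, flags)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(missing_flags(build_sample_pe(0x0100 | 0x0040)))
```

With only NX_COMPAT and DYNAMIC_BASE set, the constructed sample reports the same three missing flags named in the finding's title.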

Hi there @mlodic! Facing a permission error while trying to make directory here. This didn't happen previously for making update databases of analyzers. Could you please go through this? Screenshot_20240410_015845

g4ze, Apr 09 '24 20:04

if you leverage a new folder for this analyzer like Yara did, you should follow the same pattern and create that directory in the dockerfile

mlodic, Apr 10 '24 07:04

tlp green?

g4ze, Apr 11 '24 15:04

maximum tlp red cause it is an internal tool so there's no risk of leakage

mlodic, Apr 11 '24 15:04

For the ci check failing, it says that 2.1.1 isn't available even tho it builds correctly on my local. Is there something I'm overlooking here :crying_cat_face:

g4ze, Apr 11 '24 15:04

@mlodic rest lgtm could you pls review?

g4ze, Apr 11 '24 15:04

strange error, I force the analysis again

mlodic, Apr 11 '24 15:04

@mlodic kindly review

g4ze, Apr 19 '24 02:04

hey @mlodic! I see that you have incorporated some more changes to the code. Is there anything left to be changed or worked upon here (for me)?

g4ze, May 11 '24 18:05