[Forensics-changes] [yara] 17/192: Handle newer and older versions for Cuckoo report format

[Hilko Bengen]

This is an automated email from the git hooks/post-receive script.

bengen pushed a commit to annotated tag v3.6.0
in repository yara.

commit c6779bbbf6fcd163f6e34a60000193d40f88729c
Author: plusvic <plusvic at gmail.com>
Date:   Fri Sep 2 20:01:45 2016 +0200

    Handle newer and older versions for Cuckoo report format
---
 libyara/modules/cuckoo.c | 63 +++++++++++++++++++++++++++++++++++-------------
 1 file changed, 46 insertions(+), 17 deletions(-)

diff --git a/libyara/modules/cuckoo.c b/libyara/modules/cuckoo.c
index 2351889..f11fbb7 100644
--- a/libyara/modules/cuckoo.c
+++ b/libyara/modules/cuckoo.c
@@ -46,24 +46,54 @@ define_function(network_dns_lookup)
   YR_OBJECT* network_obj = parent();
 
   json_t* network_json = (json_t*) network_obj->data;
-  json_t* dns_json = json_object_get(network_json, "dns");
   json_t* value;
 
   uint64_t result = 0;
   size_t index;
 
-  char* ip;
+  // Recent versions of Cuckoo generate domain resolution information with
+  // this format:
+  //
+  //       "domains": [
+  //           {
+  //               "ip": "192.168.0.1",
+  //               "domain": "foo.bar.com"
+  //           }
+  //        ]
+  //
+  // But older versions with this other format:
+  //
+  //       "dns": [
+  //           {
+  //               "ip": "192.168.0.1",
+  //               "hostname": "foo.bar.com"
+  //           }
+  //        ]
+  //
+  // Additionally, the newer versions also have a "dns" field. So, let's try
+  // to locate the "domains" field first, if not found fall back to the older
+  // format.
+
+  char* field_name = "domain";
   char* hostname;
+  char* ip;
+
+  json_t* dns_info_json = json_object_get(network_json, "domains");
+
+  if (dns_info_json == NULL)
+  {
+    dns_info_json = json_object_get(network_json, "dns");
+    field_name = "hostname";
+  }
 
-  json_array_foreach(dns_json, index, value)
+  json_array_foreach(dns_info_json, index, value)
   {
-    if (json_unpack(value, "{s:s, s:s}", "ip", &ip, "hostname", &hostname) == 0)
+    json_unpack(value, "{s:s, s:s}", "ip", &ip, field_name, &hostname);
+
+    if (yr_re_match(regexp_argument(1), hostname) > 0)
     {
-      if (yr_re_match(regexp_argument(1), hostname) > 0)
-      {
-        result = 1;
-        break;
-      }
+      result = 1;
+      break;
     }
   }
 
@@ -92,15 +122,14 @@ uint64_t http_request(
 
   json_array_foreach(http_json, index, value)
   {
-    if (json_unpack(value, "{s:s, s:s}", "uri", &uri, "method", &method) == 0)
+    json_unpack(value, "{s:s, s:s}", "uri", &uri, "method", &method);
+
+    if (((methods & METHOD_GET && strcasecmp(method, "get") == 0) ||
+         (methods & METHOD_POST && strcasecmp(method, "post") == 0)) &&
+         yr_re_match(uri_regexp, uri) > 0)
     {
-      if (((methods & METHOD_GET && strcasecmp(method, "get") == 0) ||
-           (methods & METHOD_POST && strcasecmp(method, "post") == 0)) &&
-           yr_re_match(uri_regexp, uri) > 0)
-      {
-        result = 1;
-        break;
-      }
+      result = 1;
+      break;
     }
   }
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/forensics/yara.git