folder, ws, yara 4.3

LDO-CERT · Feb 9, 2024 · a4e94c5 · a4e94c5
1 parent f846cf4
commit a4e94c5
Show file tree

Hide file tree

Showing 13 changed files with 336 additions and 98 deletions.
diff --git a/compose/local/dask/Dockerfile b/compose/local/dask/Dockerfile
@@ -36,7 +36,7 @@ RUN ./bootstrap.sh \
   && make install \
   && echo "Install yara-python..."
 WORKDIR /tmp
-RUN git clone --branch v4.2.x --recursive https://github.com/VirusTotal/yara-python
+RUN git clone --branch v4.3.x --recursive https://github.com/VirusTotal/yara-python
 WORKDIR /tmp/yara-python
 RUN python setup.py build \
   && python setup.py install \

diff --git a/compose/local/django/Dockerfile b/compose/local/django/Dockerfile
@@ -48,7 +48,7 @@ RUN ./bootstrap.sh \
   && make install \
   && echo "Install yara-python..."
 WORKDIR /tmp
-RUN git clone --branch v4.2.x --recursive https://github.com/VirusTotal/yara-python
+RUN git clone --branch v4.3.x --recursive https://github.com/VirusTotal/yara-python
 WORKDIR /tmp/yara-python
 RUN python setup.py build
 

diff --git a/orochi/static/css/style.css b/orochi/static/css/style.css
@@ -184,6 +184,10 @@ main {
   border: 0px;
 }
 
+ul.nested-list li.list-group-item {
+  padding: 6px 1px 1px 5px;
+}
+
 /********************************************************
   OROCHI LOGO
 ********************************************************/

diff --git a/orochi/templates/website/index.html b/orochi/templates/website/index.html
@@ -12,7 +12,14 @@
 
 {% block sidebar %}
 <h6 class="sidebar-heading d-flex justify-content-between align-items-center px-3 mt-4 mb-1 text-muted">
-    <span>dumps <button id="new_index" type="button" class="btn btn-outline-success btn-sm">+</button></span>
+    <span>dumps
+        <button id="new-index" type="button" class="btn btn-outline-success btn-sm">
+            <i class="fa-solid fa-plus"></i>
+        </button>
+        <button id="new-folder" type="button" class="btn btn-outline-warning btn-sm">
+            <i class="fa-solid fa-folder-plus"></i>
+        </button>
+    </span>
     <input type="text" id="filter_dump" name="filter_dump" style="width: 60%;" class="form-control form-control-sm" placeholder="Filter">
 </h6>
 {% include "website/partial_indices.html" %}
@@ -156,15 +163,15 @@ <h5 class="offcanvas-title" id="leftNoteLabel">History Log</h5>
         };
 
         // FILTER DUMP LIST
-        $("#filter_dump").on("keyup", function () {
+        $(document).on("keyup", "#filter_dump", function () {
             var value = $(this).val().toLowerCase();
-            $("#index-list li").filter(function () {
+            $(".nested-list li").filter(function () {
                 $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
             });
         });
 
         // FILTER PLUGIN LIST
-        $("#filter_plugin").on("keyup", function () {
+        $(document).on("keyup", "#filter_plugin", function () {
             var value = $(this).val().toLowerCase();
             $("#list_plugin li").filter(function () {
                 $(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
@@ -334,7 +341,6 @@ <h5 class="offcanvas-title" id="leftNoteLabel">History Log</h5>
             }
         });
 
-
         // RERUN PLUGIN FORM
         var res_call = null;
         $(document).on('click', '#btn-resubmit', function () {
@@ -397,7 +403,7 @@ <h5 class="offcanvas-title" id="leftNoteLabel">History Log</h5>
         });
 
         // ADD INDEX FORM
-        $(document).on("click", "#new_index", function () {
+        $(document).on("click", "#new-index", function () {
             $.ajax({
                 url: "{% url 'website:index_create'%}",
                 type: 'get',
@@ -443,6 +449,52 @@ <h5 class="offcanvas-title" id="leftNoteLabel">History Log</h5>
             });
         });
 
+        // ADD FOLDER FORM
+        $(document).on("click", "#new-folder", function () {
+            $.ajax({
+                url: "{% url 'website:folder_create'%}",
+                type: 'get',
+                dataType: 'json',
+                beforeSend: function () {
+                    $("#modal-update").modal("show");
+                },
+                success: function (data) {
+                    $("#modal-update .modal-content").html(data.html_form);
+                }
+            });
+        });
+
+        // ADD FOLDER FORM SUBMIT
+        $(document).on("submit", "#create-folder", function (e) {
+            e.preventDefault();
+            var form = $(this);
+            $.ajax({
+                url: form.attr("action"),
+                data: form.serialize(),
+                type: form.attr("method"),
+                dataType: 'json',
+                success: function (data) {
+                    $.toast({
+                        title: 'Operation successful!',
+                        content: 'Folder has been created',
+                        type: 'success',
+                        delay: 5000
+                    });
+                    $("#modal-update").modal('hide');
+                },
+                error: function () {
+                    $.toast({
+                        title: 'Operation error!',
+                        content: 'Error during folder creation.',
+                        type: 'error',
+                        delay: 5000
+                    });
+                    $("#modal-update").modal('hide');
+                }
+            });
+        });
+
+
         // RESTART INDEX FORM SUBMIT
         $(document).on("click", ".restart-index", function (e) {
             var btn = $(this);
@@ -489,7 +541,6 @@ <h5 class="offcanvas-title" id="leftNoteLabel">History Log</h5>
             });
         });
 
-
         // DOWNLOAD SYMBOLS FROM BANNER FORM
         $(document).on("click", ".symbols-download", function () {
             var btn = $(this);

diff --git a/orochi/templates/website/partial_folder.html b/orochi/templates/website/partial_folder.html
@@ -0,0 +1,28 @@
+{% load widget_tweaks %}
+
+<form method="post" action="{% url 'website:folder_create' %}" id="create-folder">
+    {{ form.media }}
+    {% csrf_token %}
+    <div class="modal-header">
+        <h5 class="modal-title">Create a new foledr</h5>
+        <button type="button" class="btn-close" data-bs-dismiss="modal" aria-label="Close"></button>
+    </div>
+    <div class="modal-body">
+        {% for field in form.visible_fields %}
+        <div class="form-group{% if field.errors %} has-error{% endif %}">
+            <label for="{{ field.id_for_label }}">{{ field.label }}</label>
+            {% render_field field class="form-control" %}
+            {% for error in field.errors %}
+            <p class="help-block">{{ error }}</p>
+            {% endfor %}
+        </div>
+        {% endfor %}
+        {% for hidden in form.hidden_fields %}
+        {{ hidden }}
+        {% endfor %}
+    </div>
+    <div class="modal-footer">
+        <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Close</button>
+        <button type="submit" class="btn btn-primary">Create Folder</button>
+    </div>
+</form>
diff --git a/orochi/templates/website/partial_indices.html b/orochi/templates/website/partial_indices.html
@@ -1,7 +1,14 @@
 {% if dumps %}
 <ul class="nav flex-column" id="index-list">
-    {% for index, name, color, os, author, missing_symbols, status, description in dumps %}
-    <li class="nav-item">
+    {% for folder, index, name, color, os, author, missing_symbols, status, description in dumps %}
+    {% ifchanged folder %}
+    {% if not forloop.first %}
+</ul>
+{% endif %}
+<li class="nav-item ms-2"><i class="fa-regular fa-folder"></i> {{folder|default:" - "}}</li>
+<ul class="list-group list-group-flush nested-list" id="folder_{{folder}}">
+    {% endifchanged %}
+    <li class="list-group-item">
         <label class="check_container" data-index="{{index}}" data-color="{{color}}">
             {% if os == 'Linux' %}
             <i class="fab fa-linux me-1"></i>
@@ -83,7 +90,10 @@
             {% endif %}
         </label>
     </li>
-    {% endfor %}
+    {% if forloop.last %}
+</ul>
+{% endif %}
+{% endfor %}
 </ul>
 {% else %}
 <ul class="nav flex-column" id="index-list">

diff --git a/orochi/utils/volatility_dask_elk.py b/orochi/utils/volatility_dask_elk.py
@@ -16,6 +16,7 @@
 from urllib.request import pathname2url
 
 import attr
+import elasticsearch
 import magic
 import requests
 import volatility3.plugins
@@ -80,7 +81,15 @@
     "Changed Date": "#FFFF00",
 }
 
-TOAST_COLORS = {1: "green", 2: "green", 3: "orange", 4: "red"}
+TOAST_COLORS = {
+    0: "blue",
+    1: "yellow",
+    2: "green",
+    3: "green",
+    4: "orange",
+    5: "red",
+    6: "black",
+}
 
 
 class MuteProgress(object):
@@ -348,7 +357,10 @@ def send_to_ws(dump, result=None, plugin_name=None, message=None, color=None):
                     f"""Message on dump <b>{dump.name}</b><br><b style='color:{TOAST_COLORS[color]}'>{message}</b>""",
                 },
             )
-    channel_layer.close()
+    try:
+        channel_layer.close()
+    except RuntimeError as excp:
+        logging.error(str(excp))
 
 
 def run_plugin(dump_obj, plugin_obj, params=None, user_pk=None):
@@ -514,7 +526,7 @@ def run_plugin(dump_obj, plugin_obj, params=None, user_pk=None):
                 else:
                     match = []
 
-                # CALCOLATE HASH AND CHECK FOR CLAMAC SIGNATURE
+                # CALCOLATE HASH AND CHECK FOR CLAMAV SIGNATURE
                 for x in json_data:
                     filename = x["File output"].replace('"', "")
                     down_path = f"{local_path}/{filename}"
@@ -588,7 +600,7 @@ def run_plugin(dump_obj, plugin_obj, params=None, user_pk=None):
             result.save()
 
             logging.debug(f"[dump {dump_obj.pk} - plugin {plugin_obj.pk}] empty")
-        # send_to_ws(dump_obj, result, plugin_obj.name)
+        send_to_ws(dump_obj, result, plugin_obj.name)
         return 0
 
     except Exception as excp:
@@ -598,7 +610,7 @@ def run_plugin(dump_obj, plugin_obj, params=None, user_pk=None):
         result.result = RESULT_STATUS_ERROR
         result.description = "\n".join(fulltrace)
         result.save()
-        # send_to_ws(dump_obj, result, plugin_obj.name)
+        send_to_ws(dump_obj, result, plugin_obj.name)
         logging.error(f"[dump {dump_obj.pk} - plugin {plugin_obj.pk}] generic error")
         return 0
 
@@ -687,12 +699,17 @@ def get_banner(result):
     """
     Get banner from elastic for a specific dump. If multiple gets first
     """
-    es_client = Elasticsearch([settings.ELASTICSEARCH_URL])
-    s = Search(
-        using=es_client,
-        index=f"{result.dump.index}_{result.plugin.name.lower()}",
-    )
-    banners = [hit.to_dict().get("Banner", None) for hit in s.execute()]
+    try:
+        es_client = Elasticsearch([settings.ELASTICSEARCH_URL])
+        s = Search(
+            using=es_client,
+            index=f"{result.dump.index}_{result.plugin.name.lower()}",
+        )
+        banners = [hit.to_dict().get("Banner", None) for hit in s.execute()]
+    except elasticsearch.NotFoundError:
+        logging.error(f"[dump {result.dump.pk}] no index found")
+        return None
+
     logging.error(f"banners: {banners}")
     if len(banners) > 0:
         for hit in banners:
@@ -723,7 +740,8 @@ def check_runnable(dump_pk, operating_system, banner):
             m.groupdict()
             dump_kernel = m["kernel"]
         else:
-            logging.error("Error extracting kernel info from dump")
+            logging.error("[dump {dump_pk}] Error extracting kernel info from dump")
+            return False
 
         ctx = contexts.Context()
         automagics = automagic.available(ctx)
@@ -739,7 +757,9 @@ def check_runnable(dump_pk, operating_system, banner):
                     if m["kernel"] == dump_kernel:
                         return True
                 else:
-                    logging.error("Error extracting kernel info from dump")
+                    logging.error(
+                        "[dump {dump_pk}] Error extracting kernel info from dump"
+                    )
             logging.error(f"[dump {dump_pk}] Banner not found")
             logging.error(
                 "Available banners: {}".format(
@@ -808,7 +828,7 @@ def unzip_then_run(dump_pk, user_pk, password, restart):
                 elif len(extracted_files) > 1:
                     for x in extracted_files:
                         if x.lower().endswith(".vmem"):
-                            newpath = Path(extract_path, x)
+                            newpath = x
                 if not newpath:
                     # archive is unvalid
                     logging.error(f"[dump {dump_pk}] Invalid archive dump data")
@@ -885,9 +905,22 @@ def unzip_then_run(dump_pk, user_pk, password, restart):
             for result in tasks_list:
                 result.result = RESULT_STATUS_DISABLED
                 result.save()
-            send_to_ws(dump, message="Missing symbols all plugin are disabled", color=4)
+            send_to_ws(
+                dump, message="Missing symbols! All plugin are disabled", color=4
+            )
     except Exception as excp:
         logging.error(f"[dump {dump_pk}] - {excp}")
         dump.description = excp
         dump.status = DUMP_STATUS_ERROR
         dump.save()
+        tasks_list = (
+            dump.result_set.all()
+            if dump.operating_system != "Linux"
+            else dump.result_set.exclude(plugin__name="banners.Banners")
+        )
+        for result in tasks_list:
+            result.result = RESULT_STATUS_DISABLED
+            result.save()
+        send_to_ws(
+            dump, message="Error in file creation! All plugin are disabled", color=4
+        )