diff --git a/intezer_static.py b/intezer_static.py
index 56a0ab0..dbb021e 100644
--- a/intezer_static.py
+++ b/intezer_static.py
@@ -207,6 +207,9 @@ def download_file_by_sha256(self, sha256: str, dir_path: str) -> bool:
 return False
 else:
 raise
+ except FileExistsError:
+ # Duplicate file
+ pass
 
 
 class IntezerStatic(ServiceBase):
@@ -273,8 +276,12 @@ def execute(self, request: ServiceRequest) -> None:
 )
 main_kv_section.update_items(processed_main_api_result)
 if "family_name" in main_api_result:
+ # Tag both, ask forgiveness later
 main_kv_section.add_tag(
- "attribution.family", main_api_result["family_name"]
+ "attribution.implant", main_api_result["family_name"]
+ )
+ main_kv_section.add_tag(
+ "attribution.actor", main_api_result["family_name"]
 )
 
 # This file-verdict map will be used later on to assign heuristics to sub-analyses
@@ -612,8 +619,9 @@ def _process_families(
 )
 family_section.add_row(TableRow(**processed_family))
 family_type = family["family_type"]
- if family_type not in FAMILIES_TO_NOT_TAG:
- family_section.add_tag("attribution.family", family["family_name"])
+ # TODO: Do not tag these sub families, for the time being at least
+ # if family_type not in FAMILIES_TO_NOT_TAG:
+ # family_section.add_tag("attribution.family", family["family_name"])
 
 # Overwrite value if not malicious
 if family_type in MALICIOUS_FAMILY_TYPES and (
diff --git a/service_manifest.yml b/service_manifest.yml
index ccdc55e..c65e1f8 100644
--- a/service_manifest.yml
+++ b/service_manifest.yml
@@ -22,7 +22,7 @@ timeout: 60
 disable_cache: false
 enabled: false
-is_external: true
+is_external: false
 licence_count: 0
 
 config:
diff --git a/tests/test_intezer_static.py b/tests/test_intezer_static.py
index 2565b8c..d546bc3 100755
--- a/tests/test_intezer_static.py
+++ b/tests/test_intezer_static.py
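Review bot: The new `except FileExistsError:` branch falls out of the handler without a return, so a duplicate file makes a function annotated `-> bool` return None, which a caller testing the result will read as a failed download. If a file already present at the destination is to count as success, say so explicitly, and because the caller asked for a specific digest it is worth confirming that the file already on disk hashes to `sha256` before reporting success rather than assuming the earlier copy is the right one. The minimum change is `except FileExistsError: return True  # destination already populated`, with a comment naming the call that raises this (it is not visible in the hunk). download_file_by_sha256 starts before this hunk, so the try body is outside view.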
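Review bot: `main_api_result["family_name"]` is now tagged as both `attribution.implant` and `attribution.actor`, and the comment "Tag both, ask forgiveness later" does not say why a family name should populate the actor tag. If family_name is a malware family, as the field name suggests, the actor tag will be wrong for every result and will pollute actor-based pivots and correlation downstream, while the implant tag alone appears to be the faithful mapping. If both are intended, replace the comment with one that states the reason, e.g. `# Intezer family names can also be actor names; tag both until the API distinguishes them — TODO confirm`. execute continues outside the hunk.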
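Review bot: The sub-family tagging is disabled by commenting the two lines out instead of deleting them, leaving dead code that the TODO does not explain; version control keeps the old lines, so remove them and keep a TODO that says why tagging sub-families was turned off and what condition would turn it back on, e.g. `# TODO: sub-family tagging disabled pending <reason>; restore the FAMILIES_TO_NOT_TAG check when <condition>`. If `FAMILIES_TO_NOT_TAG` has no other reader after this change it becomes an unused constant (its definition is outside the hunk). _process_families starts and ends outside the hunk.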
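Review bot: `is_external` is flipped to false with no stated reason, yet intezer_static.py in this same diff still fetches files and analysis results from the Intezer API (`download_file_by_sha256`, `main_api_result`), which is what that flag appears to describe. If the manifest flag is what Assemblyline uses to mark services that send data to a third party, setting it to false hides that submissions, or at least their hashes, leave the deployment, and operators who rely on the flag to keep sensitive files away from external services would be misled. Unless the service now talks to an on-premises instance, `is_external: true` should stay; if the change is deliberate, the rationale belongs in the commit message or a comment next to the key.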
@@ -596,44 +596,35 @@ def test_handle_subanalyses(intezer_static_class_instance, dummy_request_class,
 assert dummy_request_class_instance.extracted[0]["name"] == "blah2.sample"
 
 @staticmethod
- @pytest.mark.parametrize("families, file_verdict_map, correct_tags, correct_fvp",
+ @pytest.mark.parametrize("families, file_verdict_map, correct_fvp",
 [([], {},
- [],
 {}),
 ([{"blah": "blah", "family_type": "blah", "family_name": "blah"}], {},
- [("attribution.family", "blah")],
 {}),
 ([{"family_id": "blah", "family_type": "blah", "family_name": "blah"}], {},
- [("attribution.family", "blah")],
 {}),
 ([{"family_id": "blah", "family_type": "application", "family_name": "blah"}], {},
- [],
 {}),
 ([{"family_id": "blah", "family_type": "malware", "family_name": "blah"}], {},
- [("attribution.family", "blah")],
 {"blah": "malicious"}),
 ([{"family_id": "blah", "family_type": "malware", "family_name": "blah"}], {"blah": "blah"},
- [("attribution.family", "blah")],
 {"blah": "malicious"}),
 ([{"family_id": "blah", "family_type": "malware", "family_name": "blah"}], {"blah": "malicious"},
- [("attribution.family", "blah")],
 {"blah": "malicious"}),
 ([{"family_id": "blah", "family_type": "packer", "family_name": "blah"}], {},
- [("attribution.family", "blah")],
 {"blah": "suspicious"}),
 ([{"family_id": "blah", "family_type": "packer", "family_name": "blah"}], {"blah": "malicious"},
- [("attribution.family", "blah")],
 {"blah": "malicious"}),
 ])
- def test_process_families(families, file_verdict_map, correct_tags, correct_fvp, intezer_static_class_instance):
+ def test_process_families(families, file_verdict_map, correct_fvp, intezer_static_class_instance):
 from assemblyline_v4_service.common.result import ResultSection, ResultTableSection, TableRow
 parent_section = ResultSection("blah")
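Review bot: Dropping the `correct_tags` column removes the only explicit check of what `_process_families` tags, and nothing replaces it to pin the new behaviour of no `attribution.family` tag on the family section; the `application`, `malware` and `packer` cases are now indistinguishable in tag terms, so a regression that reinstates tagging would only be caught if `check_section_equality` happens to compare tags. Add one explicit assertion after the equality check that the produced subsection carries no tags, so the intent behind the commented-out code in _process_families is tested rather than implied. The same applies to the next hunk, which deletes the loop that built the expected tags. test_process_families continues past this hunk.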
@@ -647,8 +638,6 @@ def test_process_families(families, file_verdict_map, correct_tags, correct_fvp,
 if "family_id" in family:
 family.pop("family_id")
 correct_result_section.add_row(TableRow(**family))
- for tag in correct_tags:
- correct_result_section.add_tag(tag[0], tag[1])
 assert check_section_equality(parent_section.subsections[0], correct_result_section)
 assert file_verdict_map == correct_fvp