fix: fix cuckoo dns implem to align with yara

vthib · May 1, 2024 · 113085f · 113085f
1 parent 348898f
commit 113085f
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 11 deletions.
diff --git a/boreal/src/module/cuckoo.rs b/boreal/src/module/cuckoo.rs
@@ -227,7 +227,15 @@ fn search_dns(ctx: &mut EvalContext, args: Vec<Value>) -> Option<bool> {
     Some(
         values
             .iter()
-            .filter_map(|value| value.get(host_field_name))
+            .filter_map(|value| {
+                // For some reason, YARA parses the "ip" key even though it does not use it.
+                // This means it considers objects without this key as invalid and will not
+                // consider them.
+                // It's unclear if this is voluntary or not, but align with this behavior
+                // for now.
+                let _ip = value.get("ip")?;
+                value.get(host_field_name)
+            })
             .filter_map(|host| host.as_str())
             .any(|host| regex.is_match(host.as_bytes())),
     )

diff --git a/boreal/tests/it/cuckoo.rs b/boreal/tests/it/cuckoo.rs
@@ -604,8 +604,8 @@ fn test_network_dns_lookup() {
         Some(
             r#"{
             "network": { "domains": [
-                { "domain": "gheif" },
-                { "domain": "abcde" }
+                { "ip": "a", "domain": "gheif" },
+                { "ip": "a", "domain": "abcde" }
             ]}
         }"#,
         ),
@@ -615,8 +615,8 @@ fn test_network_dns_lookup() {
         Some(
             r#"{
             "network": { "dns": [
-                { "hostname": "gheif" },
-                { "hostname": "abcde" }
+                { "ip": "a", "hostname": "gheif" },
+                { "ip": "a", "hostname": "abcde" }
             ]}
         }"#,
         ),
@@ -627,8 +627,8 @@ fn test_network_dns_lookup() {
         Some(
             r#"{
             "network": { "domains": [
-                { "domain": "gheif" },
-                { "hostname": "abcde" }
+                { "ip": "a", "domain": "gheif" },
+                { "ip": "a", "hostname": "abcde" }
             ] }
         }"#,
         ),
@@ -638,8 +638,8 @@ fn test_network_dns_lookup() {
         Some(
             r#"{
             "network": { "dns": [
-                { "hostname": "gheif" },
-                { "domain": "abcde" }
+                { "ip": "a", "hostname": "gheif" },
+                { "ip": "a", "domain": "abcde" }
             ] }
         }"#,
         ),
@@ -649,12 +649,32 @@ fn test_network_dns_lookup() {
         Some(
             r#"{
             "network": { "dom": [
-                { "hostname": "abcde" },
+                { "ip": "a", "hostname": "abcde" },
+                { "ip": "a", "domain": "abcde" }
+            ] }
+        }"#,
+        ),
+    );
+    test(
+        "cuckoo.network.dns_lookup(/^a/) == 0",
+        Some(
+            r#"{
+            "network": { "domains": [
                 { "domain": "abcde" }
             ] }
         }"#,
         ),
     );
+    test(
+        "cuckoo.network.dns_lookup(/^a/) == 0",
+        Some(
+            r#"{
+            "network": { "dns": [
+                { "hostname": "abcde" }
+            ] }
+        }"#,
+        ),
+    );
     test(
         "cuckoo.network.dns_lookup(/^a/) == 0",
         Some(r#"{ "network": { "domains": [] } }"#),
@@ -675,7 +695,7 @@ fn test_network_dns_lookup() {
     );
     test(
         "cuckoo.network.dns_lookup(/^a/) == 0",
-        Some(r#"{ "network": true"#),
+        Some(r#"{ "network": true }"#),
     );
     test(
         "cuckoo.network.dns_lookup(/^a/) == 0",