[pull] master from kevoreilly:master #415
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* file details cache
Summary of Changes:
1. Modified `lib/cuckoo/common/objects.py`:
* Updated File.init_yara to calculate a SHA256 hash of all compiled YARA rule files.
* Stored this hash in File.yara_rules_hash.
2. Modified `modules/processing/CAPE.py`:
* In process_file, imported mongo_find_one from dev_utils.mongodb.
* Implemented logic to query the MongoDB files collection using the file's SHA256.
* Cache Hit: If the file is found and yara_hash matches, file_info is populated from the database, skipping expensive operations like f.get_all() (PE parsing, initial YARA scan) and static_file_info.
* Partial Cache Hit: If the file is found but yara_hash differs, the cached data is loaded, but YARA scans are re-run (f.get_yara()), and the yara_hash field is updated. static_file_info is still skipped to
avoid re-extracting/re-analyzing static properties.
* Cache Miss: If the file is not in the DB, standard processing proceeds, and yara_hash is added to file_info for future caching.
This solution optimizes processing time for previously analyzed files while ensuring YARA scan results remain up-to-date when rules change.
* more
* fix
* Update CAPE.py
* Update CAPE.py
* Update test_file_extra_info.py
* fixes
* Update objects.py
* make it on/off
Add additional static fields (yara, cape_yara, yara_hash, options_hash, clamav) to mongo normalization so they aren't stripped. In CAPE processing, ensure the internal pe object is populated (f.get_type(); pefile_object = f.pe) for full and partial hits, and fill missing options_hash and yara_hash for partial results. Also ensure file name and guest_paths are set when absent. These changes restore metadata removed by mongo_hooks and ensure pefile and hash fields are available for downstream results.
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )