valitydev/osquery-1
14
0
Fork 0
mirror of https://github.com/valitydev/osquery-1.git synced 2024-11-07 01:55:20 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

powershell/config: Add checks for character_frequencies (#5945)

Browse Source 
Co-Authored-By: Stefano Bonicatti <smjert@gmail.com>
This commit is contained in:
Teddy Reed 2019-10-31 12:03:53 -04:00 committed by GitHub
parent 9a336877fd
commit b0bf653745
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 28 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
osquery/tables/events/windows/powershell_events.cpp
View File

@ -106,6 +106,22 @@ void PowershellEventSubscriber::addScriptResult(Row& results) {
return;
}
const auto& doc = parser->getData().doc();
if (!doc.IsObject() || !doc.HasMember("feature_vectors") ||
!doc["feature_vectors"].HasMember("character_frequencies") ||
!doc["feature_vectors"]["character_frequencies"].IsArray()) {
VLOG(1) << "No character frequency map found, skipping computation";
add(r);
return;
}
const auto& cf = doc["feature_vectors"]["character_frequencies"];
if (cf.Empty() || cf.Size() != kCharFreqVectorLen) {
VLOG(1) << "Invalid character frequency map found, skipping computation";
add(r);
return;
}
// Get the reassembled powershell scripts character frequency vector
std::vector<double> freqs(kCharFreqVectorLen, 0.0);
for (const auto chr : r["script_text"]) {
@ -114,17 +130,11 @@ void PowershellEventSubscriber::addScriptResult(Row& results) {
}
}
const auto& cf =
parser->getData().doc()["feature_vectors"]["character_frequencies"];
if (cf.Empty() || cf.Size() != kCharFreqVectorLen) {
VLOG(1) << "Invalid character frequency map found, skipping computation";
add(r);
return;
}
std::vector<double> cfg_freqs(kCharFreqVectorLen, 0.0);
for (unsigned int i = 0; i < cf.Size(); i++) {
cfg_freqs[i] = cf[i].GetDouble();
if (cf[i].IsDouble()) {
cfg_freqs[i] = cf[i].GetDouble();
}
}
r["cosine_similarity"] = DOUBLE(cosineSimilarity(freqs, cfg_freqs));
add(r);

12
plugins/config/parsers/feature_vectors.cpp
View File

@ -6,9 +6,9 @@
* the LICENSE file found in the root directory of this source tree.
*/
#include <plugins/config/parsers/feature_vectors.h>
#include <osquery/config/config.h>
#include <osquery/registry_factory.h>
#include <plugins/config/parsers/feature_vectors.h>
namespace osquery {
@ -22,13 +22,19 @@ Status FeatureVectorsConfigParserPlugin::update(const std::string& source,
const ParserConfig& config) {
auto fv = config.find(kFeatureVectorsRootKey);
if (fv == config.end()) {
return Status();
// No feature_vectors key.
return Status::success();
}
if (!fv->second.doc().IsObject()) {
// Expect feature_vectors to be an object.
return Status::success();
}
auto obj = data_.getObject();
data_.copyFrom(fv->second.doc(), obj);
data_.add(kFeatureVectorsRootKey, obj);
return Status();
return Status::success();
}
REGISTER_INTERNAL(FeatureVectorsConfigParserPlugin,