new: status_in_report for blocklist module

pandora-analysis · Jun 14, 2024 · 64b2622 · 64b2622
1 parent 8e26d52
commit 64b2622
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 5 deletions.
diff --git a/pandora/workers/blocklists.py b/pandora/workers/blocklists.py
@@ -37,25 +37,25 @@ def analyse(self, task: Task, report: Report, manual_trigger: bool=False) -> Non
                 report.add_details('Info', f'The result for files with extension {ext} is overwritten by the admin. It generally means we cannot decide on the status of the file. Contact your admin for more details.')
 
             if ext in self.malicious_extensions:
-                report.status = Status.ALERT
+                report.status = 'malicious_extension'
                 report.add_details('Warning', f'The extension {ext} is considered as malicious by default.')
 
         if self.enable_mimetypes:
             if not task.file.mime_type:
-                report.status = Status.ALERT
+                report.status = 'no_mimetype'
                 report.add_details('Warning', 'Unable to find a mime type.')
             elif task.file.mime_type in self.malicious_mimetypes:
-                report.status = Status.ALERT
+                report.status = 'malicious_mimetype'
                 report.add_details('Warning', f'The mimetype {task.file.mime_type} is considered as malicious by default.')
             else:
                 guessed_type, encoding = mimetypes.guess_type(task.file.original_filename)
                 if not guessed_type:
-                    report.status = Status.ALERT
+                    report.status = 'cannot_guess_mimetype'
                     report.add_details('Warning', 'Unable to guess the mimetype based on the filename. This is a known technique used to bypass detection. If you are unsure what do to, talk to your administrator.')
                 else:
                     list_valid_mimetypes = [guessed_type]
                     if guessed_type in self.synonyms:
                         list_valid_mimetypes += self.synonyms[guessed_type]
                     if task.file.mime_type not in list_valid_mimetypes:
-                        report.status = Status.WARN
+                        report.status = 'missmatch_mimetype'
                         report.add_details('Warning', f'The mimetype guessed from the filename ({guessed_type}) differs from the one guessed by magic ({task.file.mime_type}). It is a known technique used to bypass detections.')
diff --git a/pandora/workers/blocklists.yml.sample b/pandora/workers/blocklists.yml.sample
@@ -28,3 +28,15 @@ settings:
   enable_mimetypes: false
   malicious_mimetypes:
     - application/octet-stream
+
+status_in_report:
+  # the extension is one of the malicious extensions listed above
+  malicious_extension: ALERT
+  # The mimetype is one of the malicious mimetypes listed above
+  malicious_mimetype: ALERT
+  # Unable to guess the mimetype of the file from the content (magic failed)
+  no_mimetype: ALERT
+  # Unable to guess the mimetype o the file from its extension
+  cannot_guess_mimetype: ALERT
+  # The mimetype of the file does not match its extension
+  missmatch_mimetype: WARN
diff --git a/pandora/workers/ole.yml.sample b/pandora/workers/ole.yml.sample
@@ -7,5 +7,7 @@ settings:
   timeout: 5m
 
 status_in_report:
+  # is the OLE analysed a package containing other files?
   ole_is_package: WARN
+  # Does the OLE contains other OLE?
   embedded_ole: WARN