
Source Code for Module modules.signatures.generic_metrics

 1  # Copyright (C) 2010-2014 Cuckoo Foundation. 
 2  # This file is part of Cuckoo Sandbox - http://www.cuckoosandbox.org 
 3  # See the file 'docs/LICENSE' for copying permission. 
 4   
 5  from lib.cuckoo.common.abstracts import Signature 
 6   
class SystemMetrics(Signature):
    """Skeleton evented signature that matches on a GetSystemMetrics call.

    This class exists as a template for writing custom evented signatures
    and is shipped disabled (``enabled = False``).  It shows the three
    pieces an evented signature needs: the ``evented`` flag, the optional
    ``filter_*`` sets that narrow which API calls are streamed in, and the
    ``on_call`` / ``stop`` hooks driven by the RunSignatures plugin.
    """

    name = "generic_metrics"
    description = "Uses GetSystemMetrics"
    severity = 2
    categories = ["generic"]
    authors = ["Cuckoo Developers"]
    minimum = "1.0"

    # Evented signatures receive every logged API call through on_call()
    # rather than post-processing the finished report.
    evented = True

    # Pre-filters honoured by the plugin before an API call is streamed in.
    # Each may restrict on process name, API name/identifier or category;
    # an empty set means "no restriction" for that axis.  They are sets so
    # the per-call membership test stays O(1).
    filter_processnames = set()
    filter_apinames = set(["GetSystemMetrics"])
    filter_categories = set()

    # Template only: kept disabled so a stock install does not raise a
    # severity-2 hit from this skeleton.  NOTE(review): GetSystemMetrics is
    # a generic UI/metrics query; on its own expect it to be a weak, noisy
    # indicator, so a real signature derived from this should combine it
    # with further evidence before being enabled.
    enabled = False

    def on_call(self, call, process):
        """Inspect one streamed API call.

        Args:
            call: the logged API call record; only its "api" field is read.
            process: the originating process record (unused here).

        Returns:
            True once a GetSystemMetrics call is seen (signature matched,
            streaming stops), otherwise None to keep the signature active.
            Returning False would mean "can no longer match" and also stop
            the stream.
        """
        # Redundant with filter_apinames above; kept so the template shows
        # where a real per-call check belongs.
        matched = call["api"] == "GetSystemMetrics"
        if not matched:
            return None
        return True

    def stop(self):
        """Final hook after the last API call has been streamed.

        A real signature would release any state accumulated in on_call()
        here and make its last match decision.  This template holds no
        state and never matches at this point.

        Returns:
            False: no match from the stop phase.
        """
        return False