Improve parsing and other fixes

examples/livehunt_network_watch.py

@@ -26,6 +26,7 @@
 import argparse
 import asyncio
 import copy
+import json
 import os
 import re
 import vt
@@ -36,19 +37,12 @@
 RULESET_PREFIX = 'auto_network_watch_'
 TEMPLATE_DIR = os.path.join(os.path.dirname(__file__), 'netwatch_templates')
 RULESET_ENTITY = ('file', 'url', 'domain', 'ip_address')
+RULESET_LINK = 'https://www.virustotal.com/yara-editor/livehunt/'
 
 
 def extract_domains_from_rule(rules):
   """Extract the domain list from the comment of a yara rule."""
-  domain_list = []
-  for line in rules.split('*/')[0].split('---', 2)[1].splitlines():
-    if not line:
-      continue
-    domain = line.split('* ', 2)[1]
-    if domain:
-      domain_list.append(domain)
-  return domain_list
-
+  return json.loads(rules.split('*/')[0].split('---', 2)[1])
 
 async def get_rulesets():
   """Retrieve a rule from VT to get currently monitored properties."""
@@ -73,11 +67,11 @@ async def get_rulesets():
 
 
 def render_template(entity, domains):
-  domain_list = '\n  * '.join(domains)
+  domain_list = json.dumps(domains, indent=1)
   template = ''
   body_template = os.path.join(TEMPLATE_DIR, '_body.yara')
   with open(body_template, encoding='utf-8') as f:
-    template += f.read().replace('${domain_list}', domain_list)
+    template += f.read().replace('${domain_list_json}', domain_list)
     template += '\n'
 
   kind_template = os.path.join(TEMPLATE_DIR, entity + '.yara')
@@ -121,7 +115,7 @@ async def upload_rulesets(queue):
           await client.patch_async(
               path='/intelligence/hunting_rulesets/' + task.get('id'),
               json_data={'data': ruleset.to_dict()})
-          print(f'Ruleset {name} updated.')
+          print(f'Ruleset {name} [{RULESET_LINK}{task["id"]}] updated.')
         except vt.error.APIError as e:
           print(f'Error updating {name}: {e}')
 
@@ -135,9 +129,9 @@ async def upload_rulesets(queue):
                 'tags': ('autogenerated',),
                 'rules': task.get('rules')})
         try:
-          await client.post_object_async(
+          result = await client.post_object_async(
               path='/intelligence/hunting_rulesets', obj=ruleset)
-          print(f'Ruleset {name} created.')
+          print(f'Ruleset {name} [{RULESET_LINK}{result.id}] created.')
         except vt.error.APIError as e:
           print(f'Error saving {name}: {e}')
 
@@ -203,15 +197,13 @@ async def main():
       print(f'- {domain}')
 
     # Update the rulesets
-    loop = asyncio.get_event_loop()
     queue = asyncio.Queue()
 
-    loop.create_task(build_rulesets(queue, rulesets, new_domain_list))
+    await build_rulesets(queue, rulesets, new_domain_list)
 
     worker_tasks = []
     for _ in range(args.workers):
-      worker_tasks.append(loop.create_task(upload_rulesets(queue)))
-
+      worker_tasks.append(asyncio.create_task(upload_rulesets(queue)))
     await asyncio.gather(*worker_tasks)
 
   else:

examples/netwatch_templates/_body.yara

@@ -2,9 +2,9 @@
   DO NOT MODIFY, THIS RULE WAS AUTOMATICALLY GENERATED USING
   https://github.com/VirusTotal/vt-py/tree/master/examples/livehunt_network_watch.py
 
-  Monitored domains:
-  ---
-  * ${domain_list}
+Monitored domains:
+---
+${domain_list_json}
 
 */
 

examples/netwatch_templates/ip_address.yara

@@ -3,6 +3,6 @@ meta:
   description = "New IP addresses resolving domain ${domain} or its subdomains"
   target_entity = "ip_address"
 condition:
-  vt.net.ip.reverse_lookup == "${domain}"
+  vt.net.ip.reverse_lookup == "${domain}" or
   vt.net.ip.reverse_lookup endswith ".${domain}"
 }