[Minor] Oletools: Sort cat table

diff --git a/lualib/lua_scanners/oletools.lua b/lualib/lua_scanners/oletools.lua
index 80576fa0bcf0251f3cdeba1e25f4bf1081655928..b221a020cb9a2c6e98cb725e8ce0ae074b497651 100644 (file)
--- a/lualib/lua_scanners/oletools.lua
+++ b/lualib/lua_scanners/oletools.lua
@@ -171,14 +171,15 @@ local function oletools_check(task, content, digest, rule)
 
           -- M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs,
           -- H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings
+          -- Keep sorted to avoid dragons
           local analysis_cat_table = {
-            macro_exist = '-',
             autoexec = '-',
-            suspicious = '-',
-            iocs = '-',
-            hex = '-',
             base64 = '-',
             dridex = '-',
+            hex = '-',
+            iocs = '-',
+            macro_exist = '-',
+            suspicious = '-',
             vba = '-'
           }
           local analysis_keyword_table = {}
@@ -300,8 +301,9 @@ local function oletools_check(task, content, digest, rule)
 
           elseif rule.extended == true and #analysis_keyword_table > 0 then
             -- report any flags (types) and any most keywords as individual virus name
-
-            table.insert(analysis_keyword_table, 1, table.concat(lua_util.values(analysis_cat_table)))
+            local analysis_cat_table_values = lua_util.values(analysis_cat_table)
+            table.sort(analysis_cat_table_values)
+            table.insert(analysis_keyword_table, 1, table.concat(analysis_cat_table_values))
 
             lua_util.debugm(rule.name, task, '%s: extended threat result: %s',
                 rule.log_prefix, table.concat(analysis_keyword_table, ','))