From 6bd3e2b9f49d1de3ab882aeca9c30bc7d526ac9d Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Thu, 4 Jun 2020 16:44:18 +0100
Subject: [PATCH] [Minor] Oletools: Sort cat table

---
 lualib/lua_scanners/oletools.lua | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/lualib/lua_scanners/oletools.lua b/lualib/lua_scanners/oletools.lua
index 80576fa0bc..b221a020cb 100644
--- a/lualib/lua_scanners/oletools.lua
+++ b/lualib/lua_scanners/oletools.lua
@@ -171,14 +171,15 @@ local function oletools_check(task, content, digest, rule)
       -- M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs,
       -- H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings
+      -- Keep sorted to avoid dragons
       local analysis_cat_table = {
-        macro_exist = '-',
         autoexec = '-',
-        suspicious = '-',
-        iocs = '-',
-        hex = '-',
         base64 = '-',
         dridex = '-',
+        hex = '-',
+        iocs = '-',
+        macro_exist = '-',
+        suspicious = '-',
         vba = '-'
       }
       local analysis_keyword_table = {}
@@ -300,8 +301,9 @@ local function oletools_check(task, content, digest, rule)
       elseif rule.extended == true and #analysis_keyword_table > 0 then
         -- report any flags (types) and any most keywords as individual virus name
-
-        table.insert(analysis_keyword_table, 1, table.concat(lua_util.values(analysis_cat_table)))
+        local analysis_cat_table_values = lua_util.values(analysis_cat_table)
+        table.sort(analysis_cat_table_values)
+        table.insert(analysis_keyword_table, 1, table.concat(analysis_cat_table_values))
         lua_util.debugm(rule.name, task, '%s: extended threat result: %s', rule.log_prefix, table.concat(analysis_keyword_table, ','))
-- 
2.47.3
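Review bot: The new comment `-- Keep sorted to avoid dragons` above `analysis_cat_table` suggests the source order of the keys matters, but for a Lua table constructor with string keys the order written has no effect on `pairs()` traversal, which is unspecified regardless; reordering these lines is purely cosmetic and the next maintainer may believe the alphabetical layout is what makes the output deterministic. The determinism actually comes from the `table.sort` added in the second hunk of this patch, so the comment should say so rather than hint at undefined behaviour. Suggested wording: `-- Alphabetical for readability only: pairs() order is unspecified, so the values are explicitly sorted before they are concatenated into the threat string below`. The enclosing `oletools_check` body starts and ends outside this hunk.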
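Review bot: Sorting the raw values with `table.sort(analysis_cat_table_values)` makes the result deterministic, but it also throws away positional meaning: every unset category is the same `'-'` placeholder, and since `'-'` (0x2D) collates before any uppercase letter, the emitted string becomes a run of dashes followed by whichever flag letters are set, rather than a fixed-width field where each position names a category as the legend comment (M, A, S, I, H, B, D, V) implies. If the flag letters are unique per category, as the legend suggests, the information is preserved, but anything downstream that inspects the string by position, or an operator reading `----AHIM` versus `MA--HI--`, will find it harder to interpret, and the format will silently change from what earlier releases produced. A fixed key order derived from the legend keeps the output stable, positional and independent of `pairs()` without relying on the ASCII ordering of the letters; I am assuming from the legend that values are single flag letters or `'-'`, which this hunk does not show. The enclosing `oletools_check` body starts and ends outside this hunk.
```lua
-- Emit categories in legend order (M A S I H B D V) so each position is stable
local cat_order = { 'macro_exist', 'autoexec', 'suspicious', 'iocs',
                    'hex', 'base64', 'dridex', 'vba' }
local cat_flags = {}
for i, cat in ipairs(cat_order) do
  cat_flags[i] = analysis_cat_table[cat]
end
table.insert(analysis_keyword_table, 1, table.concat(cat_flags))
-- … unchanged: lua_util.debugm call …
```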