Filter Yara
Runs a yara scan on the provided data (in-memory scanning only).
This filter scans the data it receives as input with yara. It is fully compliant with yara rules, even though some rule features are not applicable here, such as file-related keywords.
It can scan data passed as-is, or decode hex- or base64-encoded chunks before scanning them.
0x79617261
- yara development package >= 3.11.0
- openssl/libssl development files >= 1.1
- yara library >= 3.11.0 (if the filter was linked dynamically)
- openssl/libssl >= 1.1
Example of darwin configuration for this filter:
{
    "yara_1": {
        "exec_path": "/path/to/darwin/filters/darwin_yara",
        "config_file": "/path/to/fyara.conf",
        "output": "NONE",
        "next_filter": "",
        "nb_thread": 1,
        "log_level": "WARNING",
        "cache_size": 0
    }
}
- fastmode (optional) [bool] : search only for the first occurrence of each pattern
- timeout (optional) [int, default 0] : return from the scan if it has not finished after x seconds (0 means no timeout)
- rule_file_list [string list] : a list of full paths to the yara rule file(s) to use when compiling the rules
- redis_socket_path (optional) : the socket of the redis instance in which the filter will store its data
- alert_redis_list_name (optional) : the redis list key under which the filter will store raised alerts
- alert_redis_channel_name (optional) : the redis channel on which raised alerts will be published
- log_file_path (optional) : the path of the file to which the filter will write raised alerts
Example:
{
    "fastmode": true,
    "timeout": 3,
    "rule_file_list": [
        "/path/to/rule/file/1.yar",
        "/path/to/different/rule/file/2.yara"
    ],
    "redis_socket_path": "/var/sockets/redis/redis.sock",
    "alert_redis_list_name": "darwin_alerts",
    "alert_redis_channel_name": "darwin.alerts",
    "log_file_path": "/var/log/darwin/alerts.log"
}
Refer to the yara documentation for writing yara rules.
There are two ways to send data to the fyara filter:
sending a raw string
[
    [<entry>], [..]
]
Where <entry> is the string to scan.
sending an encoded string
[
    [<entry>, <encoding>], [..]
]
Where <entry> is the string to scan and <encoding> is either hex or base64 (case-insensitive).
Here is an example of a raw body (note that the backslash in the EICAR string must be escaped to be valid JSON):
[
    ["this is a string with \"quotes\" to match"], ["X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"]
]
And here is an example of an encoded body:
[
    ["48656c6c6f205468657265", "hex"], ["R2VuZXJhbCBLZW5vYmkh", "BASE64"]
]
The filter sends back a certitude of either 0 or 100, depending on whether the entry matched a rule: 0 means the entry did not match any rule, 100 means it matched at least one. A value of 101 means something went wrong during parsing or scanning; check darwin.log for more information.
The raised alert will be in the following JSON format:
{
    "evt_id": "<uuid>",
    "time": "<ISO8601>",
    "filter": "yara",
    "entry": "<entry>",
    "certitude": <certitude>,
    "yara": [{
        "rule": "<rule name>",
        "tags": ["<tag1>", "<tag2>", ...]
    },
    {...}]
}
WARNING: due to current caching limitations, the yara object will not be present in the raised alert if the cache is activated and the entry was already scanned (cache hit)!
"details": {
    "rules": ["<yara_rule>", "<yara_rule>", ...]
}
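As an added example (not Darwin's own code), the following Python helpers mirror the body format and alert format described above: they decode an entry the way the filter does (raw, hex or base64, case-insensitive), build an encoded entry so binary data survives the JSON body, map the 0/100/101 certitudes to a decision, and read rule names from an alert while tolerating the missing yara object on a cache hit. The sample alert is constructed for the example.

```python
import base64
import json

# Certitude values documented for the filter.
NO_MATCH, MATCH, ERROR = 0, 100, 101

# Constructed sample alert, in the documented format (not a real event).
SAMPLE_ALERT = json.dumps({
    "evt_id": "00000000-0000-0000-0000-000000000000",
    "time": "2020-01-01T00:00:00Z",
    "filter": "yara",
    "entry": "48656c6c6f205468657265",
    "certitude": MATCH,
    "yara": [{"rule": "hello_there", "tags": ["test"]}],
})


def decode_entry(entry):
    """Return the bytes yara will scan for one body entry ([<entry>] or [<entry>, <encoding>])."""
    if len(entry) == 1:
        return entry[0].encode("utf-8")
    value, encoding = entry
    enc = encoding.lower()  # the encoding name is case-insensitive
    if enc == "hex":
        return bytes.fromhex(value)
    if enc == "base64":
        return base64.b64decode(value, validate=True)
    raise ValueError(f"unsupported encoding: {encoding!r}")


def encode_entry(data, encoding="base64"):
    """Build an encoded entry so arbitrary bytes can be carried in the JSON body."""
    enc = encoding.lower()
    if enc == "hex":
        return [data.hex(), "hex"]
    if enc == "base64":
        return [base64.b64encode(data).decode("ascii"), "base64"]
    raise ValueError(f"unsupported encoding: {encoding!r}")


def verdict(certitude):
    """Map a returned certitude to a decision; 101 means parsing or scanning failed."""
    return {MATCH: "match", NO_MATCH: "clean", ERROR: "error"}[certitude]


def matched_rules(alert_json):
    """Rule names from a raised alert; empty when 'yara' is absent (cache hit)."""
    return [m["rule"] for m in json.loads(alert_json).get("yara", [])]


if __name__ == "__main__":
    print(decode_entry(["R2VuZXJhbCBLZW5vYmkh", "BASE64"]), matched_rules(SAMPLE_ALERT))
```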