Filter Yara Scan
frikilax edited this page Oct 14, 2019 · 1 revision
This filter runs a yara scan over each piece of data it is given and returns a certitude of 100 when at least one rule matches, or 0 when none does. Additional information, such as the name of the matching rule and its associated tags, is only written to logs, and only when next_filter is set to a log filter.
Filter code : 0x79617261 (the ASCII bytes of "yara")
Dependencies :
- libyara, 3.9.0 or above
Example of darwin configuration for this filter :
{
    "yara_scan_1": {
        "exec_path": "/path/to/darwin/build/darwin_scan_yara",
        "config_file": "/path/to/filter.conf",
        "output": "LOG",
        "next_filter": "{your_log_filter_name}",
        "nb_thread": 1,
        "log_level": "WARNING",
        "cache_size": 0
    }
}
- rule_file_list [string list] : list of full paths to valid yara rule files to hand to the yara compiler.
- fastmode [boolean] (optional) : enables libyara's fast mode, which stops searching for further occurrences of a string once it has been found. This speeds up scanning, but rules whose conditions count occurrences (for example #string > 5) may no longer match.
- timeout [positive integer] (optional) : scanning timeout in seconds. 0 (zero) means no timeout, which with huge rule files can mean seconds or tens of seconds spent on a single scan.
Example :
{
    "rule_file_list": ["/full/path/to/first/rule/file", "/full/path/to/second/rule/file", ...],
    "fastmode": true,
    "timeout": 0
}
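The three parameters above are easy to get subtly wrong (a relative rule path, a string where a boolean is expected, a negative or boolean timeout). The following added example, which is not part of darwin or of this page, validates a parsed filter.conf against the documented constraints before the filter is deployed. The key names, types and the two warnings are taken from the parameter list above; the function names and the sample dictionary are assumptions made for the example.

```python
import json
import os

# Keys accepted in this filter's configuration file (from the parameter list above)
REQUIRED_KEYS = {"rule_file_list"}
OPTIONAL_KEYS = {"fastmode", "timeout"}


def validate_filter_config(conf, check_files=True):
    """Check a parsed filter.conf against the documented parameters.

    Returns (errors, warnings): errors are settings the filter cannot use,
    warnings are legal settings with a documented downside.
    """
    errors, warnings = [], []

    unknown = set(conf) - REQUIRED_KEYS - OPTIONAL_KEYS
    if unknown:
        errors.append("unknown keys: %s" % sorted(unknown))

    rules = conf.get("rule_file_list")
    if not isinstance(rules, list) or not rules or not all(isinstance(r, str) for r in rules):
        errors.append("rule_file_list must be a non-empty list of strings")
    else:
        for path in rules:
            if not os.path.isabs(path):
                errors.append("rule file path is not absolute: %s" % path)
            elif check_files and not os.path.isfile(path):
                errors.append("rule file not found: %s" % path)

    if "fastmode" in conf:
        if not isinstance(conf["fastmode"], bool):
            errors.append("fastmode must be a boolean")
        elif conf["fastmode"]:
            warnings.append("fastmode is on: rules with string-count conditions may not match")

    if "timeout" in conf:
        timeout = conf["timeout"]
        # bool is a subclass of int in Python, so reject true/false explicitly
        if isinstance(timeout, bool) or not isinstance(timeout, int) or timeout < 0:
            errors.append("timeout must be a non-negative integer (0 = no timeout)")
        elif timeout == 0:
            warnings.append("timeout is 0: a scan against large rule files is not bounded")

    return errors, warnings


def load_filter_config(path, check_files=True):
    """Load filter.conf from disk (JSON) and validate it."""
    with open(path, "r", encoding="utf-8") as fh:
        conf = json.load(fh)
    return validate_filter_config(conf, check_files=check_files)


if __name__ == "__main__":
    # Constructed sample configuration; check_files=False so that only
    # structural problems are reported when the rule files do not exist locally.
    sample = {
        "rule_file_list": ["/full/path/to/first/rule/file", "relative/rule/file"],
        "fastmode": True,
        "timeout": 0,
    }
    errors, warnings = validate_filter_config(sample, check_files=False)
    print("errors:", errors)
    print("warnings:", warnings)
```

Run it against the real filter.conf with load_filter_config(path) before starting darwin; with check_files left at its default, a missing or mistyped rule file path is reported as an error.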
The only input format currently accepted is base64. The body is a JSON list of base64 strings; any entry that is not valid base64 gets a certitude of 101 to indicate an error, instead of 0 or 100 :
["data_1",
"data_2",
"data_3",
"wrong_data"
...]
Here is an example of a body:
["ZGFyd2lu",
"SGVsbG8gdGhlcmUgbWlzdGVyICE=",
"VGhlc2UgYXJlbid0IHRoZSBkcm9pZHMgeW91J3JlIGxvb2tpbmcgZm9y",
"this is obviously not valid...",
...]
The response is a list of certitudes in the same order as the input entries, here with 101 for the fourth, invalid entry :
[certitude_1, certitude_2, certitude_3, 101, ...]
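The request and response contract above (a JSON list of base64 strings in, a list of certitudes out, with 0, 100 and 101 as the documented values) is small enough to wrap in a client-side helper. The following added example is not darwin's code and does not implement darwin's socket protocol; it only builds the body from raw samples, spots entries the filter would reject with 101 before they are sent, and turns a returned certitude list back into per-entry verdicts. The function names are assumptions, and the response in the usage section is constructed, not a real filter output.

```python
import base64
import binascii
import json

# Certitude values documented for this filter
NO_MATCH = 0
MATCH = 100
INVALID_DATA = 101  # the entry was not valid base64


def is_valid_base64(entry):
    """Strict base64 check: both the alphabet and the padding must be correct."""
    if not isinstance(entry, str):
        return False
    try:
        base64.b64decode(entry, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def build_body(samples):
    """Encode raw byte samples into the JSON body expected by the filter."""
    return json.dumps([base64.b64encode(s).decode("ascii") for s in samples])


def find_invalid_entries(entries):
    """Indices of body entries the filter would answer with certitude 101."""
    return [i for i, e in enumerate(entries) if not is_valid_base64(e)]


def interpret_response(entries, certitudes):
    """Pair each submitted entry with a verdict derived from its certitude."""
    if len(entries) != len(certitudes):
        raise ValueError("response has %d certitudes for %d entries"
                         % (len(certitudes), len(entries)))
    verdicts = []
    for entry, certitude in zip(entries, certitudes):
        if certitude == MATCH:
            verdicts.append((entry, "match"))
        elif certitude == NO_MATCH:
            verdicts.append((entry, "no match"))
        elif certitude == INVALID_DATA:
            verdicts.append((entry, "error: not valid base64"))
        else:
            verdicts.append((entry, "unexpected certitude %d" % certitude))
    return verdicts


if __name__ == "__main__":
    # Constructed samples: two valid entries plus one deliberately malformed one
    body = json.loads(build_body([b"darwin", b"Hello there mister !"]))
    body.append("this is obviously not valid...")
    print("entries that would get 101:", find_invalid_entries(body))
    # Constructed response, not produced by the filter
    for entry, verdict in interpret_response(body, [0, 100, 101]):
        print(entry, "->", verdict)
```

Checking find_invalid_entries before sending avoids burning a scan slot on data that can only come back as 101; interpret_response also refuses a response whose length differs from the request, which is the one case where the positional pairing of entries and certitudes cannot be trusted.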