def testSetConfig(self):
yara.set_config(max_strings_per_rule=1)
self.assertSyntaxError(['''
rule test { strings: $a = "1" $b = "2" condition: all of them }
'''])
yara.set_config(max_strings_per_rule=10000)
def start(self):
# Set configuration flags to 4 times the default
yara.set_config(max_strings_per_rule=40000, stack_size=65536)
try:
# Load the rules
self._load_rules()
except Exception as e:
raise Exception(
f"Something went wrong while trying to load {self.name} rules: {str(e)}"
)
self.log.info(
f"{self.name} started with service version: {self.get_service_version()}"
)
def __init__(self):
self.last_commit = ""
self.rules = {}
self.all_rules = None
config = CaseConfigParser()
config.read('etc/config.ini')
self.rulesDir = config['yara']['repo_directory']
# we keep track of when the rules change and (optionally) automatically re-load the rules
self.tracked_files = {} # key = file_path, value = last modification time
self.tracked_dirs = {} # key = dir_path, value = {} (key = file_path, value = last mtime)
self.tracked_repos = {} # key = dir_path, value = current git commit
# set max string limit
yara.set_config(max_strings_per_rule=20000)
self.UpdateRules()
def __init__(self):
self.last_commit = ""
self.rules = {}
self.all_rules = None
self.whitelist_rules = None
# global variables
baseDir = sys.path[0]
configDir = os.path.join(baseDir, "config")
self.indicatorsDir = os.path.join(baseDir, "indicators")
self.whitelistsDir = os.path.join(baseDir, "whitelists")
# load observable mappings
temp1 = ConfigParser(allow_no_value=True)
temp1.read(os.path.join(configDir, "observable_mappings.ini"))
self.observable_mappings = temp1
# load indicator mappings
temp2 = ConfigParser(allow_no_value=True)
temp2.read(os.path.join(configDir, "indicator_mappings.ini"))
self.indicator_mappings = temp2
# set max string limit
yara.set_config(max_strings_per_rule=20000)
def main():
yara.set_config(stack_size=65536)
yara.set_config(max_strings_per_rule=50000, stack_size=65536)
yara.set_config(max_strings_per_rule=20000)
yara.set_config(max_match_data=128)
rules = yara.compile('yara.rules')
kind = filetype.guess(sys.argv[1])
if kind is None:
print('Cannot guess file type!')
return
print('File extension: %s' % kind.extension)
print('File MIME type: %s' % kind.mime)
print(f'{magic.coerce_filename(sys.argv[1])}')
print(f'{magic.from_file(sys.argv[1], mime=True)}')
matches = rules.match(sys.argv[1])
if len(matches):
for match in matches:
print(f'{sys.argv[1]}: match {match}')
- Добавить в file-output и table username (cwd, вроде) и cmdline найденого PID
- Ограничить вывод Strings - мусор на экране
'''
### Закончить вышеописанное до рабочего билда v3
from queue import Queue
import threading
import yara
from sys import argv
from time import sleep
# max pid (BSD) 99999, centos 32768, debian 65536
from pathlib import Path
# todo: install psutil
yara.set_config(max_strings_per_rule=20000, stack_size=32768)
MALWARE_RULES = 'Rules/index.yar'
lock = threading.Lock()
#rules = yara.compile(filepath=MALWARE_RULES, includes=False)
PIDsQueue = Queue()
COUNTER = 0
THREADS = 6
class Scanner(threading.Thread):
def mycallback(self, data):
print('[+] Rule: {}, PID: {}, Strings: {}'.format(
data.get('rule'), self._pid, data.get('strings')))
def __init__(self):
threading.Thread.__init__(self)
#!/usr/bin/env python3
# vim: sw=4:ts=4:et:cc=120
import json
import logging
import os
import os.path
import re
from subprocess import Popen, PIPE
# requires python-yara version 3.8
import plyara
import yara
yara.set_config(max_strings_per_rule=30720)
log = logging.getLogger('yara-scanner')
def get_current_repo_commit(repo_dir):
"""Utility function to return the current commit hash for a given repo directory. Returns None on failure."""
p = Popen(['git', '-C', repo_dir, 'log', '-n', '1', '--format=oneline'],
stdout=PIPE,
stderr=PIPE,
universal_newlines=True)
commit, stderr = p.communicate()
p.wait()
if len(stderr.strip()) > 0:
log.error("git reported an error: {0}".format(stderr.strip()))