def testSetConfig(self): yara.set_config(max_strings_per_rule=1) self.assertSyntaxError([''' rule test { strings: $a = "1" $b = "2" condition: all of them } ''']) yara.set_config(max_strings_per_rule=10000)
def start(self): # Set configuration flags to 4 times the default yara.set_config(max_strings_per_rule=40000, stack_size=65536) try: # Load the rules self._load_rules() except Exception as e: raise Exception( f"Something went wrong while trying to load {self.name} rules: {str(e)}" ) self.log.info( f"{self.name} started with service version: {self.get_service_version()}" )
def __init__(self): self.last_commit = "" self.rules = {} self.all_rules = None config = CaseConfigParser() config.read('etc/config.ini') self.rulesDir = config['yara']['repo_directory'] # we keep track of when the rules change and (optionally) automatically re-load the rules self.tracked_files = {} # key = file_path, value = last modification time self.tracked_dirs = {} # key = dir_path, value = {} (key = file_path, value = last mtime) self.tracked_repos = {} # key = dir_path, value = current git commit # set max string limit yara.set_config(max_strings_per_rule=20000) self.UpdateRules()
def __init__(self): self.last_commit = "" self.rules = {} self.all_rules = None self.whitelist_rules = None # global variables baseDir = sys.path[0] configDir = os.path.join(baseDir, "config") self.indicatorsDir = os.path.join(baseDir, "indicators") self.whitelistsDir = os.path.join(baseDir, "whitelists") # load observable mappings temp1 = ConfigParser(allow_no_value=True) temp1.read(os.path.join(configDir, "observable_mappings.ini")) self.observable_mappings = temp1 # load indicator mappings temp2 = ConfigParser(allow_no_value=True) temp2.read(os.path.join(configDir, "indicator_mappings.ini")) self.indicator_mappings = temp2 # set max string limit yara.set_config(max_strings_per_rule=20000)
def main(): yara.set_config(stack_size=65536) yara.set_config(max_strings_per_rule=50000, stack_size=65536) yara.set_config(max_strings_per_rule=20000) yara.set_config(max_match_data=128) rules = yara.compile('yara.rules') kind = filetype.guess(sys.argv[1]) if kind is None: print('Cannot guess file type!') return print('File extension: %s' % kind.extension) print('File MIME type: %s' % kind.mime) print(f'{magic.coerce_filename(sys.argv[1])}') print(f'{magic.from_file(sys.argv[1], mime=True)}') matches = rules.match(sys.argv[1]) if len(matches): for match in matches: print(f'{sys.argv[1]}: match {match}')
- Добавить в file-output и table username (cwd, вроде) и cmdline найденого PID - Ограничить вывод Strings - мусор на экране ''' ### Закончить вышеописанное до рабочего билда v3 from queue import Queue import threading import yara from sys import argv from time import sleep # max pid (BSD) 99999, centos 32768, debian 65536 from pathlib import Path # todo: install psutil yara.set_config(max_strings_per_rule=20000, stack_size=32768) MALWARE_RULES = 'Rules/index.yar' lock = threading.Lock() #rules = yara.compile(filepath=MALWARE_RULES, includes=False) PIDsQueue = Queue() COUNTER = 0 THREADS = 6 class Scanner(threading.Thread): def mycallback(self, data): print('[+] Rule: {}, PID: {}, Strings: {}'.format( data.get('rule'), self._pid, data.get('strings'))) def __init__(self): threading.Thread.__init__(self)
#!/usr/bin/env python3 # vim: sw=4:ts=4:et:cc=120 import json import logging import os import os.path import re from subprocess import Popen, PIPE # requires python-yara version 3.8 import plyara import yara yara.set_config(max_strings_per_rule=30720) log = logging.getLogger('yara-scanner') def get_current_repo_commit(repo_dir): """Utility function to return the current commit hash for a given repo directory. Returns None on failure.""" p = Popen(['git', '-C', repo_dir, 'log', '-n', '1', '--format=oneline'], stdout=PIPE, stderr=PIPE, universal_newlines=True) commit, stderr = p.communicate() p.wait() if len(stderr.strip()) > 0: log.error("git reported an error: {0}".format(stderr.strip()))