
Xumeiquer / yara-forensics

Licence: GPL-3.0 license
Set of Yara rules for finding files using magic headers

Programming Languages

YARA
70 projects
shell
77523 projects

Projects that are alternatives of or similar to yara-forensics

Judge-Jury-and-Executable
A file system forensics analysis scanner and threat hunting tool. Scans file systems at the MFT and OS level and stores data in SQL, SQLite or CSV. Threats and data can be probed harnessing the power and syntax of SQL.
Stars: ✭ 66 (-42.61%)
Mutual labels:  forensics, yara, yara-rules
PhishingKit-Yara-Search
Yara scan Phishing Kit's Zip archive(s)
Stars: ✭ 24 (-79.13%)
Mutual labels:  yara, yara-rules
yara-validator
Validates yara rules and tries to repair the broken ones.
Stars: ✭ 37 (-67.83%)
Mutual labels:  yara, yara-rules
ThreatKB
Knowledge base workflow management for YARA rules and C2 artifacts (IP, DNS, SSL) (ALPHA STATE AT THE MOMENT)
Stars: ✭ 68 (-40.87%)
Mutual labels:  yara, yara-rules
YaraSharp
C# wrapper around the Yara pattern matching library
Stars: ✭ 29 (-74.78%)
Mutual labels:  yara, yara-forensics
Hyara
Yara rule making tool (IDA Pro & Binary Ninja & Cutter Plugin)
Stars: ✭ 142 (+23.48%)
Mutual labels:  yara, yara-rules
factual-rules-generator
Factual-rules-generator is an open source project which aims to generate YARA rules about installed software from a machine.
Stars: ✭ 62 (-46.09%)
Mutual labels:  yara, yara-rules
static file analysis
In-depth analysis of files (doc, pdf, exe, ...), including embedded file(s), with clamscan and yara rules
Stars: ✭ 34 (-70.43%)
Mutual labels:  yara, yara-rules
yara-rules
Yara rules written by me, for free use.
Stars: ✭ 13 (-88.7%)
Mutual labels:  yara, yara-rules
yarasploit
YaraSploit is a collection of Yara rules generated from Metasploit framework shellcodes.
Stars: ✭ 31 (-73.04%)
Mutual labels:  yara, yara-rules
Loki
Loki - Simple IOC and Incident Response Scanner
Stars: ✭ 2,217 (+1827.83%)
Mutual labels:  yara, yara-rules
PEiD
Yet another implementation of PEiD with yara
Stars: ✭ 12 (-89.57%)
Mutual labels:  yara, yara-rules
threat-intel
Signatures and IoCs from public Volexity blog posts.
Stars: ✭ 130 (+13.04%)
Mutual labels:  yara, yara-rules
RemoteNET
Examine, create and interact with remote objects in other .NET processes.
Stars: ✭ 29 (-74.78%)
Mutual labels:  forensics
INDXRipper
Carve file metadata from NTFS index ($I30) attributes
Stars: ✭ 32 (-72.17%)
Mutual labels:  forensics
harvest
Tool to sort large collections of files according to common typologies
Stars: ✭ 32 (-72.17%)
Mutual labels:  forensics
vim-syntax-yara
A Vim syntax-highlighting file for YARA rules
Stars: ✭ 26 (-77.39%)
Mutual labels:  yara
binlex
A Binary Genetic Traits Lexer Framework
Stars: ✭ 303 (+163.48%)
Mutual labels:  yara
MantOS
LIFARS Networking Security GNU/Linux distro
Stars: ✭ 24 (-79.13%)
Mutual labels:  forensics
MEAT
This toolkit aims to help forensicators perform different kinds of acquisitions on iOS devices
Stars: ✭ 101 (-12.17%)
Mutual labels:  forensics

YARA-FORENSICS

Badges: License: GPL v3, DFIR: Yara rules, Travis build

Yara is the pattern matching swiss army knife for malware researchers (and everyone else). Basically, Yara allows us to scan files based on textual or binary patterns, so we can take advantage of Yara's potential and focus it on forensic investigations.

For now I have created a set of rules that search for magic headers in files, and in dump files such as raw images produced by dd as well. I invite anyone to add or improve rules related to forensics.


Content

The repository is split into two folders: file and raw. The rules in the file folder mainly look for magic in standalone files; the rules in the raw folder mainly look for magic in raw images or dump files. The main difference is the offset at which the magic is expected: in standalone files it is usually at 0x0, whereas in a raw image it can appear at any offset.

The available files are listed in FILES.md.


Contribution

We have written a short document describing how to contribute to Yara-Forensics; before sharing your rules, we encourage you to read the CONTRIBUTING.md file.


Yara installation

Installing Yara is quite easy: just follow the official documentation. After that, you can use the rules in this repository (and any Yara rules in general).


Examples

The basic use of Yara rules

This will tell whether the file Hard_Drive.jpg is an image.

$> yara file/images.yar test/Hard_Drive.jpg
jpg_magic_with_EXIF test/Hard_Drive.jpg

Or scan for images inside dump files.

$> yara raw/images.yar ~/kvm/ISOs/debian-8.4.0-amd64-netinst.iso
contains_jpeg /home/xumeiquer/kvm/ISOs/debian-8.4.0-amd64-netinst.iso

Yara options

Yara offers a good set of options that can be useful. As an example I will show two interesting ones, but there are more.

Offset

$> yara -s file/images.yar test/Hard_Drive.jpg
jpg_magic_with_EXIF test/Hard_Drive.jpg
0x0:$a: FF D8 FF E1 4B EF 45 78 69 66 00

This is more useful when using the raw rules.

$> yara -s raw/images.yar ~/kvm/ISOs/debian-8.4.0-amd64-netinst.iso
contains_jpeg /home/xumeiquer/kvm/ISOs/debian-8.4.0-amd64-netinst.iso
0x5b73800:$a: FF D8 FF E0 00 10 4A 46 49 46 00
0x5b76000:$a: FF D8 FF E0 00 10 4A 46 49 46 00
0x5b76232:$a: FF D8 FF E0 00 10 4A 46 49 46 00
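The following script is an added example and is not part of the yara-forensics repository: it emulates in plain Python what the two rule folders do, so the difference between a "file" rule (magic expected at offset 0x0, the YARA condition `$a at 0`) and a "raw" rule (magic anywhere, the YARA condition `$a`) can be seen on constructed input, and it renders the raw hits in the same `<rule> <target>` / `0x<offset>:$a: <bytes>` shape that `yara -s` prints above. The signatures, the rule names and the sample buffers are constructed for the example and are not copied from the repository's .yar files.

```python
"""Emulate the 'file' (magic at 0x0) and 'raw' (magic anywhere) rule styles
of yara-forensics in Python. Added example; not the repository's own code."""
from __future__ import annotations

import re

# Constructed signatures modelled on the header shapes in the sample output
# (FF D8 FF E0 .. .. 'JFIF' 00 and FF D8 FF E1 .. .. 'Exif' 00); they are not
# taken from the repository's rule files. '.' matches any byte under DOTALL.
SIGNATURES: dict[str, re.Pattern[bytes]] = {
    "jpeg": re.compile(rb"\xff\xd8\xff\xe0..JFIF\x00", re.DOTALL),
    "jpg_with_EXIF": re.compile(rb"\xff\xd8\xff\xe1..Exif\x00", re.DOTALL),
}


def scan_file(data: bytes) -> list[str]:
    """'file' style rule: the magic must sit at offset 0 (YARA: `$a at 0`).
    re.match anchors at the start of the buffer, so nothing else is searched."""
    return [name for name, sig in SIGNATURES.items() if sig.match(data)]


def scan_raw(data: bytes) -> dict[str, list[int]]:
    """'raw' style rule: the magic may appear anywhere (YARA: `$a`).
    Returns every matching offset per signature, as `yara -s` reports them."""
    hits: dict[str, list[int]] = {}
    for name, sig in SIGNATURES.items():
        offsets = [m.start() for m in sig.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


def strings_report(data: bytes, target: str) -> list[str]:
    """Render raw-scan hits in the `yara -s` line format:
    'contains_<name> <target>' then '0x<off>:$a: <hex bytes>' per match."""
    lines: list[str] = []
    for name, sig in SIGNATURES.items():
        matches = list(sig.finditer(data))
        if not matches:
            continue
        lines.append(f"contains_{name} {target}")
        for m in matches:
            hexdump = " ".join(f"{b:02X}" for b in m.group(0))
            lines.append(f"0x{m.start():x}:$a: {hexdump}")
    return lines


# Constructed sample inputs (no real image data): a standalone EXIF JPEG, and a
# fake dump with two JFIF headers and one EXIF header at non-zero offsets.
JFIF_HDR = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
EXIF_HDR = b"\xff\xd8\xff\xe1\x4b\xefExif\x00"
STANDALONE_JPG = EXIF_HDR + b"\x00" * 64
DUMP = (
    b"\x00" * 0x800 + JFIF_HDR          # JFIF at 0x800
    + b"\x11" * 0x200 + EXIF_HDR        # Exif at 0xa0b
    + b"\x22" * 0x100 + JFIF_HDR        # JFIF at 0xb16
)

if __name__ == "__main__":
    print("file rules on standalone jpg:", scan_file(STANDALONE_JPG))
    print("file rules on dump:", scan_file(DUMP))          # [] - magic not at 0x0
    print("\n".join(strings_report(DUMP, "mem.raw")))        # raw rules find all three
```

The takeaway mirrors the Content section: running the "file" logic over the dump finds nothing because the magic is not at 0x0, while the "raw" logic finds every embedded header and its offset, which is what makes the `-s` option worthwhile on raw images.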

Tags

It is also possible to get the rule tags. This is useful when executing a bunch of rules and then filtering the results by a tag.

$> yara -g file/images.yar test/Hard_Drive.jpg
jpg_magic_with_EXIF [JPG] test/Hard_Drive.jpg

Benchmarks

Well, there are no actual benchmarks, but I would like to show how fast Yara is.

$> ls -lh ~/kvm/ISOs/debian-8.4.0-amd64-netinst.iso
-rw-r--r-- 1 libvirt-qemu libvirt-qemu 247M abr 22  2016 /home/xumeiquer/kvm/ISOs/debian-8.4.0-amd64-netinst.iso

$> time yara raw/images.yar ~/kvm/ISOs/debian-8.4.0-amd64-netinst.iso
contains_jpeg /home/xumeiquer/kvm/ISOs/debian-8.4.0-amd64-netinst.iso

0,72s user 0,00s system 44% cpu 0,732 total

$> ls -lh ~/kvm/ISOs/Windows\ 7\ 64Bits\ SP1.iso
-rw-r--r-- 1 libvirt-qemu libvirt-qemu 3,1G feb 17  2014 /home/xumeiquer/kvm/ISOs/Windows 7 64Bits SP1.iso

$> time yara raw/images.yar ~/kvm/ISOs/Windows\ 7\ 64Bits\ SP1.iso
contains_jpeg /home/xumeiquer/kvm/ISOs/Windows 7 64Bits SP1.iso

13,26s user 0,97s system 45% cpu 30,982 total

$> ls -lh mem.raw
-rwxr-xr-x  1 root  staff    18G 29 abr 00:18 mem.raw

$> time yara  raw/jpeg.yar mem.raw
contains_jpeg mem.raw
contains_jpg_with_EXIF mem.raw
contains_jpeg_2000 mem.raw

44,60s user 12,84s system 57% cpu 1:39,83 total

