
CIRCL / yara-validator

Licence: GPL-3.0 license
Validates yara rules and tries to repair the broken ones.

Requirements

Installation

Python3

sudo python3 setup.py install

Python2

sudo python setup.py install

Usage

import yara_validator

validator = yara_validator.YaraValidator(auto_clear=False)
validator.add_rule_source(u'rule FirstRule{condition: true}', 'namespace_1','first.yara')
validator.add_rule_source(u'include "first.yara" rule SecondRule{condition: true}')
validator.add_rule_file('/path/to/third.yara','namespace_1')
valid, broken, repaired = validator.check_all()

print('===== VALID RULES =====')
for rule in valid:
    print(u'{}'.format(rule.source))
print('===== BROKEN RULES =====')
for rule in broken:
    print(u'{}'.format(rule.source))
print('===== REPAIRED RULES =====')
for rule in repaired:
    print(u'{}'.format(rule.source))

validator.clear_tmp()

Optional parameters for YaraValidator.__init__():

  • disk_buffering: if set to True, allows the tool to use a temporary directory to copy sources and files before validation (requires write access to that directory). If set to False, nothing will be written to disk (requires a yara version supporting include_callback). If not set, will default to False if your yara version supports it, True otherwise.
  • tmp_dir: if disk_buffering is activated, forces the location of the temporary directory. Defaults to OS's temp.
  • auto_clear: if disk_buffering is activated, deletes the temporary directory once the YaraValidator object is destroyed. Defaults to False. Manual deletion can be done with clear_tmp().

check_all() can take one optional boolean parameter. If set to True, the suggested repairs are automatically accepted: the repaired sources are used instead of the original ones wherever another rule includes them. Setting this parameter to True may lead to rules not behaving as expected. This function returns three lists: the valid rules, the broken rules and the repaired rules. Rules in these lists are instances of YaraRule with the following properties:

  • source: source code
  • namespace: the rule's namespace
  • include_name: name usable in Yara include directives
  • status: YaraRule.STATUS_UNKNOWN, YaraRule.STATUS_VALID, YaraRule.STATUS_BROKEN or YaraRule.STATUS_REPAIRED
  • error_data: if STATUS_BROKEN or STATUS_REPAIRED, contains the error message
  • repaired_source: if STATUS_REPAIRED, contains a YaraRule with the repaired source and STATUS_VALID
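The following is an added example, not part of the yara-validator project: a small CI gate that feeds a directory of rule files to YaraValidator, leaves the optional accept-repairs parameter of check_all() at its default so repaired sources are only reported and never silently substituted, and turns the three result lists into an exit code. The yara_validator package is assumed to be installed for validate_directory(); FakeRule is a constructed stand-in carrying the documented YaraRule properties so that build_report() can be exercised on its own.

```python
"""CI gate around yara_validator (added example): report, never auto-accept, repaired rules."""
import os
import sys
from collections import namedtuple

# Constructed stand-in mirroring the YaraRule properties documented above. It exists only
# so build_report() can be exercised without the yara_validator package being installed.
FakeRule = namedtuple("FakeRule", "source namespace include_name status error_data repaired_source")


def validate_directory(rule_dir, namespace="ci"):
    """Add every *.yar / *.yara file under rule_dir to a YaraValidator and run check_all()."""
    import yara_validator  # imported lazily so the reporting code below works without it
    validator = yara_validator.YaraValidator(auto_clear=True)
    for name in sorted(os.listdir(rule_dir)):
        if name.endswith((".yar", ".yara")):
            validator.add_rule_file(os.path.join(rule_dir, name), namespace)
    # The optional accept-repairs flag is left at its default (False): a suggested repair
    # is something a human reviews, not something the pipeline ships unseen.
    return validator.check_all()


def build_report(valid, broken, repaired):
    """Turn the three lists returned by check_all() into (exit_code, report_lines).

    exit code 0: every rule valid
    exit code 1: no broken rules, but at least one repair suggested (needs review)
    exit code 2: at least one rule that could not be repaired
    """
    lines = []
    for rule in broken:
        lines.append("BROKEN   %s/%s: %s" % (rule.namespace, rule.include_name, rule.error_data))
    for rule in repaired:
        lines.append("REPAIRED %s/%s: %s" % (rule.namespace, rule.include_name, rule.error_data))
        # repaired_source is itself a YaraRule (STATUS_VALID) holding the fixed source text
        lines.append("  suggested source: %s" % rule.repaired_source.source)
    lines.append("%d valid, %d repaired, %d broken" % (len(valid), len(repaired), len(broken)))
    exit_code = 2 if broken else (1 if repaired else 0)
    return exit_code, lines


if __name__ == "__main__":
    rule_dir = sys.argv[1] if len(sys.argv) > 1 else "rules"
    code, report = build_report(*validate_directory(rule_dir))
    print("\n".join(report))
    sys.exit(code)
```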