diff --git a/README.md b/README.md index 96a8f75..1e8214a 100644 --- a/README.md +++ b/README.md @@ -143,6 +143,10 @@ Note that for a reasonable sysdiagnose log output, we recommend the following ba - Minimum 64 GB of HDD space just for timesketch data (add some more GBs for the OS and OS upgrades, etc.) - SSDs (NVMEs) for the data. +## Yarascan + +Using YARA rules are an easy and flexible way of spotting 'evil', the Yarascan analyser will help you out with that. It looks for YARA rules within __.yar__ files saved in the `./yara` folder or in the one designated by the environment varirable `SYSDIAGNOSE_YARA_RULES_PATH`. + # UnifiedLogs This unifiedlogs parser tool is natively provided on a MacOS system. Fortunately some entities developed a linux compatible parser. diff --git a/src/sysdiagnose/analysers/yarascan.py b/src/sysdiagnose/analysers/yarascan.py index cdea075..e2a8b13 100644 --- a/src/sysdiagnose/analysers/yarascan.py +++ b/src/sysdiagnose/analysers/yarascan.py @@ -36,34 +36,38 @@ def execute(self): results = {'errors': [], 'matches': []} if not os.path.isdir(self.yara_rules_path): - raise FileNotFoundError(f"Could not find the YARA rules folder: {self.yara_rules_path}") + raise FileNotFoundError(f"Could not find the YARA rules (.yar) folder: {self.yara_rules_path}") rule_files, errors = self.get_valid_yara_rule_files() if errors: results['errors'] = errors if len(rule_files) == 0: - results['errors'].append(f"No valid YARA rules were present in the YARA rules folder: {self.yara_rules_path}") + results['errors'].append(f"No valid YARA rules (.yar) were present in the YARA rules folder: {self.yara_rules_path}") rule_filepaths = {} # we need to convert the list of rule files to a dictionary for yara.compile for rule_file in rule_files: namespace = rule_file[len(self.yara_rules_path):].strip(os.path.sep) rule_filepaths[namespace] = rule_file - matches, errors = YaraAnalyser.scan_directory( - [ - self.case_parsed_data_folder, - self.case_data_folder - ], - rule_filepaths, - ignore_files=[ - self.output_file, # don't match on ourselves - ], - ignore_folders=[ - glob.glob(os.path.join(self.case_data_subfolder, 'system_logs.logarchive')).pop(), # irrelevant for YARA rules - ] - ) - if errors: - results['errors'].extend(errors) - results['matches'] = matches + if len(rule_files) > 0: + matches, errors = YaraAnalyser.scan_directory( + [ + self.case_parsed_data_folder, + self.case_data_folder + ], + rule_filepaths, + ignore_files=[ + self.output_file, # don't match on ourselves + ], + ignore_folders=[ + glob.glob(os.path.join(self.case_data_subfolder, 'system_logs.logarchive')).pop(), # irrelevant for YARA rules + ] + ) + if errors: + results['errors'].extend(errors) + results['matches'] = matches + + if len(results['errors']) > 0: + print("Scan finished with errors. Review the results") return results