fix: [yarascan] do not launch scan, if there are no valid rules #102

Merged
merged 2 commits into from
Oct 8, 2024
4 changes: 4 additions & 0 deletions README.md
Expand Up @@ -143,6 +143,10 @@ Note that for a reasonable sysdiagnose log output, we recommend the following ba
- Minimum 64 GB of HDD space just for timesketch data (add some more GBs for the OS and OS upgrades, etc.)
- SSDs (NVMEs) for the data.

## Yarascan

Using YARA rules are an easy and flexible way of spotting 'evil', the Yarascan analyser will help you out with that. It looks for YARA rules within __.yar__ files saved in the `./yara` folder or in the one designated by the environment varirable `SYSDIAGNOSE_YARA_RULES_PATH`.

# UnifiedLogs
This unifiedlogs parser tool is natively provided on a MacOS system. Fortunately some entities developed a linux compatible parser.
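
Review bot: the new Yarascan paragraph has a typo, `varirable` should be `variable`, and a subject/verb mismatch: "Using YARA rules are an easy and flexible way" should read "Using YARA rules is an easy and flexible way". Also worth checking the heading level: the section is introduced as `## Yarascan` while the section that follows it is `# UnifiedLogs`, so Yarascan will render as a subsection of the preceding section rather than as a sibling of UnifiedLogs; if that is not intended, use `# Yarascan`. Finally, the sentence could say explicitly that the path in `SYSDIAGNOSE_YARA_RULES_PATH` takes precedence over `./yara` when both exist (or the reverse), since a reader configuring the analyser needs to know which one wins.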

40 changes: 22 additions & 18 deletions src/sysdiagnose/analysers/yarascan.py
Expand Up @@ -36,34 +36,38 @@ def execute(self):
results = {'errors': [], 'matches': []}

if not os.path.isdir(self.yara_rules_path):
raise FileNotFoundError(f"Could not find the YARA rules folder: {self.yara_rules_path}")
raise FileNotFoundError(f"Could not find the YARA rules (.yar) folder: {self.yara_rules_path}")

rule_files, errors = self.get_valid_yara_rule_files()
if errors:
results['errors'] = errors
if len(rule_files) == 0:
results['errors'].append(f"No valid YARA rules were present in the YARA rules folder: {self.yara_rules_path}")
results['errors'].append(f"No valid YARA rules (.yar) were present in the YARA rules folder: {self.yara_rules_path}")
rule_filepaths = {} # we need to convert the list of rule files to a dictionary for yara.compile
for rule_file in rule_files:
namespace = rule_file[len(self.yara_rules_path):].strip(os.path.sep)
rule_filepaths[namespace] = rule_file

matches, errors = YaraAnalyser.scan_directory(
[
self.case_parsed_data_folder,
self.case_data_folder
],
rule_filepaths,
ignore_files=[
self.output_file, # don't match on ourselves
],
ignore_folders=[
glob.glob(os.path.join(self.case_data_subfolder, 'system_logs.logarchive')).pop(), # irrelevant for YARA rules
]
)
if errors:
results['errors'].extend(errors)
results['matches'] = matches
if len(rule_files) > 0:
matches, errors = YaraAnalyser.scan_directory(
[
self.case_parsed_data_folder,
self.case_data_folder
],
rule_filepaths,
ignore_files=[
self.output_file, # don't match on ourselves
],
ignore_folders=[
glob.glob(os.path.join(self.case_data_subfolder, 'system_logs.logarchive')).pop(), # irrelevant for YARA rules
]
)
if errors:
results['errors'].extend(errors)
results['matches'] = matches

if len(results['errors']) > 0:
print("Scan finished with errors. Review the results")

return results
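
Review bot: the empty-rules case is checked twice in this hunk: once in `if len(rule_files) == 0:` to append the error, and again in the new `if len(rule_files) > 0:` wrapper around `scan_directory`. Returning early keeps a single check and avoids re-indenting the whole scan call, e.g. `results['errors'].append(f"No valid YARA rules (.yar) were present ...")` followed by `return results`, which also skips building an empty `rule_filepaths` dict for nothing. Separately, the unchanged `ignore_folders` line `glob.glob(os.path.join(self.case_data_subfolder, 'system_logs.logarchive')).pop()` raises `IndexError` when the case contains no `system_logs.logarchive` folder, so the analyser crashes instead of reporting an error in `results['errors']`; guarding the glob result (only adding the path when the list is non-empty) would keep the scan running on such cases. Minor: the second `errors` assignment from `scan_directory` shadows the `errors` returned by `get_valid_yara_rule_files()`; renaming one of them (e.g. `scan_errors`) makes the two `results['errors']` updates easier to follow.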
