
22.12.2015

YaVol - GUI for Volatility Framework and Yara

GUI for Volatility Framework and Yara

1. Installation
Clone the repo.
The default folder for yara signatures is /yara_rules

2. Prerequisites
You need Python (2.7), PyQt4, and sqlite3 installed.

08.06.2015

Yara - knife for malware researchers + Flowinspect

http://plusvic.github.io/yara/
https://xakep.ru/2011/10/31/57409/
https://yaragenerator.com/
https://github.com/Xen0ph0n/YaraGenerator
https://github.com/Yara-Rules/rules


$ yara
usage: yara [OPTION]... [RULEFILE]... FILE | PID

The script is called clamav_to_yara.py and was written by Matthew Richard (bit.ly/ij5HVs). Download the script and convert the databases:
$ python clamav_to_yara.py -f daily.cvd -o clamav.yara
Scanning a folder with the resulting signatures takes a single command:
$ yara -r clamav.yara /pentest/msf3/data

A simple rule example:
rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}
In this rule we tell YARA that any file containing at least one of the sample strings declared in the variables $a, $b, $c should be classified as the silent_banker trojan. This is a very simple rule; in practice rules can be much more complex (more on that below).
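To show how the two string types in this rule are actually matched, here is an added example (my own code, not part of the original post and not YARA itself): a small pure-Python matcher that translates YARA-style hex strings and text strings into byte regexes and evaluates the silent_banker condition over constructed buffers. It goes a little beyond the rule above by also handling `??` wildcards, nibble wildcards (`6?`) and `[n-m]` jumps, which are part of YARA's hex-string syntax. The function names and sample buffers are assumptions for this illustration; it covers only a subset of YARA's syntax and does not replace the real engine.

```python
import re

# Constructed for this example: the three strings declared in the silent_banker rule.
SILENT_BANKER_STRINGS = {
    "$a": "{6A 40 68 00 30 00 00 6A 14 8D 91}",
    "$b": "{8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}",
    "$c": '"UVODFRYSIHLNWPEJXQZAKCBGMT"',
}


def hex_pattern_to_regex(pattern):
    """Translate a YARA-style hex string such as {6A ?? 68 [2-4] 1?} into a
    compiled bytes regex. Supports plain bytes, ?? wildcards, nibble wildcards
    (6?, ?A) and [n-m] jumps; this is a subset of what YARA accepts."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("hex string must be wrapped in { }")
    out = []
    for tok in body[1:-1].split():
        if tok == "??":
            out.append(b".")                       # any single byte
        elif re.fullmatch(r"\[\d+-\d+\]", tok):
            lo, hi = tok[1:-1].split("-")
            out.append(b".{%d,%d}" % (int(lo), int(hi)))  # variable-length jump
        elif re.fullmatch(r"[0-9A-Fa-f?]{2}", tok):
            if "?" in tok:
                # nibble wildcard: character class of the 16 possible byte values
                cands = bytes(int(tok.replace("?", c), 16) for c in "0123456789ABCDEF")
                out.append(b"[" + b"".join(re.escape(bytes([c])) for c in cands) + b"]")
            else:
                out.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError("unsupported token %r" % tok)
    return re.compile(b"".join(out), re.DOTALL)


def string_to_regex(spec):
    """Compile one YARA string declaration: a {hex} pattern or a "text" string."""
    spec = spec.strip()
    if spec.startswith("{"):
        return hex_pattern_to_regex(spec)
    if spec.startswith('"') and spec.endswith('"'):
        return re.compile(re.escape(spec[1:-1].encode("latin-1")))
    raise ValueError("unsupported string type: %r" % spec)


def scan(buffer, strings=SILENT_BANKER_STRINGS):
    """Return {identifier: [offsets]} for every declared string found in buffer."""
    hits = {}
    for ident, spec in strings.items():
        offsets = [m.start() for m in string_to_regex(spec).finditer(buffer)]
        if offsets:
            hits[ident] = offsets
    return hits


def matches_silent_banker(buffer):
    """Evaluate the rule's condition: $a or $b or $c."""
    return bool(scan(buffer))


if __name__ == "__main__":
    # Constructed buffers: one carrying $a after a fake header, one clean.
    sample = b"MZ" + bytes.fromhex("6A4068003000006A148D91") + b"\x00" * 8
    print(scan(sample), matches_silent_banker(sample))
    print(scan(b"\x00" * 64 + b"hello"), matches_silent_banker(b"\x00" * 64 + b"hello"))
```

Unlike YARA, this matcher recompiles every string per scan and has no Aho-Corasick prefilter, so it is fine for understanding rule semantics but not for scanning large corpora.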

Yara + MD5

Yara does not support MD5 hashing.
We will now need to create a Yara rule with the MD5 hash as a string:
rule MD5_BAD_FILE
{
    strings:
        $md5 = "A1EB325F994E5A1720C0E401731B5ED9" nocase
    condition:
        $md5
}

The Yara rule will alert on the string of the MD5 hash. Now we need some code that will open a file, hash the file and then scan the hash value using the Yara rule. (python)

import hashlib
import io
import sys

try:
    import yara  # yara-python bindings, see http://code.google.com/p/yara-project/
except ImportError:
    yara = None


def MD5(d):
    # d = bytes buffer or an open binary file object
    # This function hashes the data in 128-byte chunks
    # source: http://stackoverflow.com/q/5853830
    if isinstance(d, bytes):
        d = io.BytesIO(d)
    md5 = hashlib.md5()
    while True:
        data = d.read(128)
        if not data:
            break
        md5.update(data)
    return md5.hexdigest()


def yaraScan(d):
    # d = hex digest string of the file (this is what the rule is matched against)
    # Scans the digest of the SWF using Yara
    if yara is None:
        print('\t[ERROR] Yara module not installed - aborting scan')
        return None
    # test for yara compile errors
    try:
        r = yara.compile(r'md5.yara')
    except yara.Error as e:
        print('\t[ERROR] Yara compile error - aborting scan: %s' % e)
        return None
    # get matches: the digest string, not the file bytes, is scanned
    m = r.match(data=d)
    # print matches
    for X in m:
        print('\t[BAD] Yara Signature Hit: %s' % X)
    return m


def main():
    if len(sys.argv) < 2:
        print('usage: %s FILE' % sys.argv[0])
        return
    try:
        f = open(sys.argv[-1], 'rb')   # read-only; 'rb+' would require write access
    except (IOError, OSError):
        print('[ERROR] File can not be opened/accessed')
        return
    with f:
        yaraScan(MD5(f))


if __name__ == '__main__':
    main()
  
Example:
python yaraMD5.py "6UHp0dCM12c[1].swf"
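As an added example (my own code, not the post's script), here is a generator for the hash-as-string rule above that takes a whole list of MD5s, plus an evaluator that checks a sample the way yaraMD5.py does, that is, against the hex digest rather than the file bytes, so it runs without yara-python. It also emits the equivalent rule for YARA's `hash` module (`import "hash"` and `hash.md5(0, filesize)`), which later YARA releases provide and which hashes the scanned file itself, so such a rule can be applied to raw files with plain `yara`. The hash list, function names and sample bytes are constructed for this illustration.

```python
import hashlib
import re

# Constructed for this example: a "known bad" hash list. The first entry is the
# hash from the MD5_BAD_FILE rule above; the second is a placeholder, not a real indicator.
KNOWN_BAD_MD5 = [
    "A1EB325F994E5A1720C0E401731B5ED9",
    "0123456789abcdef0123456789abcdef",
]


def build_string_rule(name, md5s):
    """Rule in the style of MD5_BAD_FILE above: every hash becomes a text
    string, and the intended scan target is the file's hex digest."""
    lines = ["rule %s" % name, "{", "    strings:"]
    for i, h in enumerate(md5s):
        lines.append('        $md5_%d = "%s" nocase' % (i, h))
    lines += ["    condition:", "        any of ($md5_*)", "}"]
    return "\n".join(lines) + "\n"


def build_hash_module_rule(name, md5s):
    """Equivalent rule for YARA's hash module, which hashes the scanned file
    itself, so the rule works on raw files instead of precomputed digests."""
    clauses = ['hash.md5(0, filesize) == "%s"' % h.lower() for h in md5s]
    lines = ['import "hash"', "", "rule %s" % name, "{", "    condition:",
             "        " + " or\n        ".join(clauses), "}"]
    return "\n".join(lines) + "\n"


def md5_hex(data, chunk=65536):
    """Hex MD5 of a bytes object, hashed in chunks as yaraMD5.py does."""
    h = hashlib.md5()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def evaluate_string_rule(rule_text, data):
    """Mimic what yaraMD5.py does, without yara-python: scan the hex digest
    (not the bytes) for each declared string, case-insensitively because the
    rule uses `nocase`. Returns the identifiers that hit."""
    digest = md5_hex(data).lower()
    hits = []
    for ident, value in re.findall(r'(\$\w+)\s*=\s*"([^"]*)"', rule_text):
        if value.lower() in digest:
            hits.append(ident)
    return hits


def scan_with_yara(rule_text, data):
    """Same check through the real engine when yara-python is installed;
    returns None otherwise so callers can fall back to evaluate_string_rule."""
    try:
        import yara
    except ImportError:
        return None
    rules = yara.compile(source=rule_text)
    return [m.rule for m in rules.match(data=md5_hex(data))]


if __name__ == "__main__":
    sample = b"constructed sample file content"
    rule = build_string_rule("MD5_BAD_FILE", KNOWN_BAD_MD5 + [md5_hex(sample)])
    print(rule)
    print("hits:", evaluate_string_rule(rule, sample))
    print(build_hash_module_rule("MD5_BAD_FILE", KNOWN_BAD_MD5))
```

The string-rule form only works if you feed the digest to the engine, as yaraMD5.py does; pointing `yara -r` at a directory with such a rule will never match, because the files themselves do not contain their own hash. The hash-module form avoids that mismatch.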

Flowinspect:

Look at live HTTP sessions:

./flowinspect.py -d eth0 -c "^(GET|POST|HEAD|PUT).*" -f "tcp and port 80" -o print
Inspect HTTP streams for Metasploit ie_cgenericelement_uaf exploit (CVE-2013-1347):

./flowinspect.py -p cgenericelement.pcap -s 'CollectGarbage\(\).*mstime_malloc\({shellcode:' -b32
Use a Yara signature to look for UPX packed binaries on STC direction:

./flowinspect.py -p e03a7f89a6cbc45144aafac2779c7b6d.pcap -R upx.yara
Obtain and install pynids. For those on Ubuntu, please make sure you have the libpcap-dev, libnet1, libnet1-dev, and libglib2.0-dev packages installed before installing pynids. Also, you might have to manually install the libnids that comes bundled with pynids using the usual configure && make && make install process.