-
-
Notifications
You must be signed in to change notification settings - Fork 482
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement YARA rules #17
Comments
@eth0izzle does your ideal implementation
For 2 and 3, a cli option could be added to choose the default matching engine. I'm all for number 1. Easier to maintain just 1 code path. But what do you see being more merge-able, from a maintainer's standpoint? This would probably close out #10 too, yeah? |
Could also potentially use both. Since yara won't do filename or extension matching, perhaps we leave the yaml config file for the Or some variation of all of the above. |
Definitely the first option. I've already written the code for this and it seems to work well, just a little slow. I need to do further testing and cleanup. We can pass in YARA variables to check the extension, path and file name. Have you made a start on this @audibleblink ? |
I haven't @eth0izzle. Just spent some of today reading through the project, getting a feel for where I'd put the code for each option. Glad I checked! |
The main problem is it's a bit of a bitch to setup the libyara on a platform other than Linux. See https://github.com/hillu/go-yara#installation I'm thinking the best way forward is running shhgit in a docker container. What do you think? |
Would certainly make it easier. Docker is fine. |
Hey @audibleblink I've just pushed the code to the v2 branch which includes the YARA rules and a lot of other stuff + code cleanup - definitely a WIP for now but would appreciate if you could test when you get a chance. |
Oh awesome! Initial reports:
Runs great otherwise. Love the work on the rules. Works with the standalone edit: just noticed the |
To replace the current yaml signatures. This will allow us to create mroe powerful rules. For example to find GitHub API keys we would regex on
([a-f\d]{40})
, but currently that would produce a lot of false positives (it's a SHA1 hash). With a YARA rule we could do:The text was updated successfully, but these errors were encountered: