
kraken's Introduction

Kraken is a simple cross-platform Yara scanner that can be built for Windows, Mac, FreeBSD and Linux. It is primarily intended for incident response, research and ad-hoc detections (not for endpoint protection). The core features are:

  • Scan running executables and memory of running processes with provided Yara rules (leveraging go-yara).
  • Scan executables installed for autorun (leveraging go-autoruns).
  • Scan the filesystem with the provided Yara rules.
  • Report any detection to a remote server provided with a Django-based web interface.
  • Run continuously and periodically check for new autoruns and scan any newly-executed processes. Kraken will store events in a local SQLite3 database and will keep copies of autorun and detected executables.

Some features are still in progress or nearly complete:

  • Installer and launcher to automatically start Kraken at startup.
  • Download updated Yara rules from the server.

Screenshots

How to use

Launch Kraken with any of the available options:

Usage of kraken:
      --backend string   Specify a particular hostname to the backend to connect to (overrides the default)
      --daemon           Enable daemon mode (this will also enable the report flag)
      --debug            Enable debug logs
      --folder string    Specify a particular folder to be scanned (overrides the default full filesystem)
      --no-autoruns      Disable scanning of autoruns
      --no-filesystem    Disable scanning of filesystem
      --no-process       Disable scanning of running processes
      --report           Enable reporting of events to the backend
      --rules            Specify a particular path to a file or folder containing the Yara rules to use

User Guide

For details on how to install, use and build Kraken, refer to the User Guide. The original source files for the documentation are available here; please open any documentation-related issue or pull request there.

License

Kraken is released under the GNU General Public License v3.0 and is copyrighted to Claudio Guarnieri.

kraken's People

Contributors

botherder, erjanmx, hillu, mrxinu


kraken's Issues

Encrypt Yara rules file

Currently Yara rules are compiled and embedded as an asset in the binary. It would be good to provide a way to encrypt the ruleset (e.g. with an AES key) in order to make any extraction a little bit harder to do. This also should apply for ruleset updates delivered through the server.

Admin Password for Web Interface

I can't find out where to set the admin username or password.

After running the "python3 manage.py migrate" the auth tables within the DB seem to be empty.

Can you please provide some guidance?

Build statically linked binary on Linux

Currently the instructions only show how to compile a dynamically linked binary for Linux, and executing it on a different host requires installing libyara3. Need to create easy instructions to compile a fully statically linked binary on Linux, possibly using musl-gcc.

Building 64bit Windows binary

Currently building 64bit Windows binary raises some issues with architecture differences with Go's linker.

$GOPATH/pkg/tool/linux_amd64/link: running x86_64-w64-mingw32-gcc failed: exit status 1
/usr/bin/x86_64-w64-mingw32-ld: i386 architecture of input file `/tmp/go-link-888075984/000000.o' is incompatible with i386:x86-64 output
collect2: error: ld returned 1 exit status

Need to find the appropriate procedure to build 64bit successfully.

Documentation - Communications between Agent and Web UI

Can you please provide some details around how the kraken agent communicates with the backend?
Especially how the kraken agent registers with the Web UI.

Is there a specific port required for this communication? I can see that this occurs via SSL.

Is the communication encrypted? I can see that it is encrypted via SSL.

Is there some auth mutually agreed or used between the agents and the Web UI? I can see that it is a request made from the Agent to the Web UI.

Thanks again.

Server installation instructions lack details of how to create DB

It might be obvious to an experienced Django dev but I can't work out how to properly populate the database for the server component.

I created a kraken database in MySQL and the user + password to go with it (and updated the relevant parts of .env accordingly), so 'manage.py dbshell' works to connect correctly. I ran 'manage.py migrate' and 'manage.py createsuperuser' so I can log into the admin web UI, but the DB lacks the hosts, detections, downloads or heartbeat tables, so the hosts, detections and api end-points don't work.

Would it be possible to add to the Web Interface instructions a HOWTO on creating the DB tables correctly?

Compiling for PE and IMPHASH - Openssl

Linux Build (Debian 9, Debian 10 and Ubuntu 20.04)
When following the instructions to use ./configure --without-crypto
Result = Not being able to use rules with HASH and/or IMPHASH.

I have successfully compiled yara with crypto enabled, but when I try to compile kraken I get multiple errors, which I believe are associated with linking to openssl libraries:

/usr/bin/ld: /usr/local/lib/libyara.a(pe.o): in function `imphash': pe.c:(.text+0x11ee): undefined reference to `MD5_Init'

Is there a way to resolve this, so I can use PE and IMPHASH yara rules?

NOTE: I'm also using yara 4.0.1. When I use the same signatures on my MacOS (using the instructions you provided), it builds successfully and I can use rules with HASH and IMPHASH.

When I follow the instructions you provided but use rules with PE and IMPHASH, I get this when I try to compile using:
BACKEND=test.com RULES=signature-base/yara/ make linux

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x4b2b42]

goroutine 1 [running]:
github.com/hillu/go-yara/v4.(*Rules).Save.func2(0x0, 0xf368c0, 0xf368c0)
/root/go/pkg/mod/github.com/hillu/go-yara/[email protected]/rules.go:184 +0x22
github.com/hillu/go-yara/v4.(*Rules).Save(0x0, 0x4e234d, 0x5, 0x0, 0x0)
/root/go/pkg/mod/github.com/hillu/go-yara/[email protected]/rules.go:184 +0x8c
main.main()
/root/kraken/compiler/main.go:78 +0x16f
make: *** [Makefile:38: rules-compiler] Error 2

It might also be that the Linux build does not include hash as a module during "make", whilst in the other builds (MacOS and Windows), hash is built as a module.

Any help you can provide to help me get this working on Linux would be greatly appreciated.

Thanks in advance.

Example of the config.yml

Can you please provide an example of what can be added to the config.yml?

I can see that the base_domain is one setting, but from the code, I can see that there are other variables as well.
Can any other variables be set within this file?

HTTP Authentication

Is it possible to add authentication (username and password) to the api requests?

Use case - Agent registers with the Web UI server, but I have enabled .htpasswd to prevent everyone from viewing the data. As such the agent is not able to register. If I remove the .htpasswd then all the data is visible to everyone without authentication.

I believe that this enhancement could be accomplished by modifying the api.go file using resty.User and altering the SetBody.

This enhancement would be very welcome.

Thank you.
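As an added illustration of the scenario in the request above (not Kraken's own code: the real api.go uses resty, while this uses only the standard library, and the /api/register/ path and the credential names are assumptions), here is a backend handler that enforces HTTP Basic auth the way an .htpasswd rule does, alongside an agent-side registration call that supplies credentials so it is no longer rejected.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/subtle"
	"net/http"
)

// requireBasicAuth guards an API handler the way an .htpasswd rule guards the
// web UI: every request must carry valid HTTP Basic credentials. Both values
// are hashed and compared in constant time so neither the length nor the
// content of the expected secret leaks through timing differences.
func requireBasicAuth(user, pass string, next http.Handler) http.Handler {
	wantUser, wantPass := sha256.Sum256([]byte(user)), sha256.Sum256([]byte(pass))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, p, ok := r.BasicAuth()
		gotUser, gotPass := sha256.Sum256([]byte(u)), sha256.Sum256([]byte(p))
		if !ok || subtle.ConstantTimeCompare(gotUser[:], wantUser[:]) != 1 ||
			subtle.ConstantTimeCompare(gotPass[:], wantPass[:]) != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="kraken"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// registerHost is the agent side: POST the registration JSON to the backend
// and, when credentials are configured, attach them as HTTP Basic auth. The
// status code is returned so callers can tell 401 from a successful register.
func registerHost(backend, user, pass string, payload []byte) (int, error) {
	req, err := http.NewRequest(http.MethodPost, backend+"/api/register/", bytes.NewReader(payload))
	if err != nil {
		return 0, err
	}
	req.Header.Set("Content-Type", "application/json")
	if user != "" {
		req.SetBasicAuth(user, pass) // stdlib equivalent of resty's Client.SetBasicAuth
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}
```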

build yara error

[rules-compiler] Compiling Yara rules...
[rules-compiler] Launching binary resource builder...
[builder] Building Linux executable...

github.com/botherder/kraken

/usr/local/go/pkg/tool/linux_amd64/link: running gcc failed: exit status 1
/bin/ld: cannot find -ldl
/bin/ld: cannot find -lcrypto
/bin/ld: cannot find -ldl
/bin/ld: cannot find -lz
/bin/ld: cannot find -lpthread
/bin/ld: cannot find -lm
/bin/ld: cannot find -lc
collect2: error: ld returned 1 exit status

make: *** [/home/mytest/kraken-main/build/linux/kraken] Error 2

Missing error log on broken yara rule (runtime)

Hi,
I stumbled over a problem which took me quite some time to get a grip on.
I was testing a huge set of yara rules using kraken inside a Windows Test VM. The compiler worked fine, so the yara rule was syntactically correct. However, I think there is an issue with rules which don't work during runtime. As an example see the following two rules:

import "pe"

rule test1 {
   condition:
      // no MZ header check before the pe module fields are touched
      for any i in (0 .. pe.number_of_signatures) : (
         pe.signatures[i].subject contains "Solid Loop" or
         pe.signatures[i].subject contains "Ultimate Computer Support"
      )
}

rule test2 {
   condition:
      // filename is an external variable supplied by the scanner
      filename == "test.txt"
}

I believe the test1 condition might be incorrect during runtime because of the missing MZ header check uint16(0) == 0x5a4d. (test1 is a stripped-down version of https://github.com/Neo23x0/signature-base/blob/master/yara/apt_turla_gazer.yar). Using this version, test2 is never executed on kraken. (This also means that on a huge ruleset, all other rules are not executed.)

When I add the MZ header condition to test1, the test2 rule works as expected. This behavior leads to a whole lot of yara rules not being tested, without kraken logging any problem.

I'm not sure if this is a go-yara or a kraken issue, however using yara64.exe with the compiled ruleset I cannot see this behavior. Do you have a guide on how to debug such a scenario?
