
inquest / awesome-yara


A curated list of awesome YARA rules, tools, and people.

License: Other

yara-rules yara-signatures yara malware-rules malware-analysis malware-research malware-detection yara-scanner yara-manager threat-hunting

awesome-yara's People

Contributors

3c7, admiralbenbou, bartblaze, battleoverflow, bwhitn, c0m4r, damoklov, deadbits, deandrehall, garanews, hillu, hyuunnn, infosec-intern, inverzeio, josiahraysmith, kaze0mx, m0n4, mtnmunuklu, neo23x0, pedramamini, pfuender, pierre-gronau-ndaal, polluxavenger, rpgeeganage, rshipp, sangam14, sh3llyr, spekulatius, uppusaikiran, venky999


awesome-yara's Issues

Resources on a wide range of topics

Consider adding FARA: Faux Yara

Repo I made a little while ago -

FARA, or Faux YARA, is a simple repository that contains a set of purposefully erroneous Yara rules. It is meant as a training vehicle for new security analysts, those that are new to Yara and even Yara veterans that want to keep their rule writing (and debugging) sharp.

https://github.com/bartblaze/FARA

Best section would be Tools - if it looks good to be added, I'll create a PR 😄

ELAT

The EventShot script simply takes a snapshot of the event log(s) you select, then takes a second snapshot after you're done with your analysis, diffs the two files and parses the output. EventScan can either scan the live system event logs against the EventLogIndicators directory of yara sigs, or you can place event log files in the SCAN dir and search them with your yara sigs.
https://github.com/reed1713/ELAT

Is there a Yara daemon -- and if not, should there be?

OPEN QUESTION:

Off and on I've been looking for a Yara daemon.

I'm processing mail, looking for spam and malware. I write milters to do the processing. The Mail Transfer Agent (MTA) -- Sendmail in my case -- hands the mail (as it arrives, and before delivery to any mailbox) to my milters for on-the-fly processing as appropriate. The milters tell Sendmail if a message is to be accepted, rejected, or whatever. Don't worry about that last one for now...

The milters use Yara to scan the mail for assorted indicators of badness. Like the Sendmail processes which use them, the milters are themselves daemons. Sendmail handles many mail messages simultaneously by forking a copy of itself for each concurrently processed mail message; likewise many milter daemons are forked so that there is one available for each concurrent mail message.

If a milter process decides that it needs to scan a mail message using Yara, then it

(1) writes a file to /tmp/ which contains the message to be scanned, then
(2) forks a new process from /usr/bin/yara to scan this file, then
(3) waits until the new process terminates, so that it can
(4) collect the output of the yara process back into the milter for decision-making etc., and finally
(5) deletes the file from /tmp/.

This all works fine but can be a little expensive.

I would like to be able to run a Yara daemon which could serve in place of the tool at /usr/sbin/yara and which my milters could use instead. That way, they wouldn't have to write (nor delete) any files nor create a new process for each scan. I suggest /usr/sbin/yarad might be a good name for the tool.

I envisage connecting to the daemon via a socket. As I'm processing mail, of course the daemon would need to be multi-threaded, or at least to be able to process multiple connections simultaneously and independently. Ideally, for each scan, the names of the files which contain the rules to be used, any external Yara variable definitions, and the data to be scanned would all be delivered to the scanner via the socket connection. If it's difficult or expensive to do all that (and I can imagine it might well be an issue) then the daemon could be told when it starts up which rules files to use and perhaps even the values of any external variables. One could run several such daemons, each with a different ruleset and a different set of external variables, which would be less convenient but probably manageable.

Do you know if such a thing exists? After several search attempts I've found nothing which fits the bill.

If not, do you think it would make sense to implement something along these lines?
