inquest / awesome-yara
A curated list of awesome YARA rules, tools, and people.
License: Other
Elastic Security published their YARA rules, which might be included in your list of public YARA repositories.
https://github.com/elastic/protections-artifacts/tree/main/yara
If you could add my repo of YARA rules to this, that'd be great.
I recently started it, but rules will be added frequently.
Good day,
I recently started a Github repo containing some of my personally developed rules:
https://github.com/bartblaze/Yara-rules
These are all TLP:White. Rules are updated from time to time. If you would consider adding them, that'd be great!
Thanks!
A repo I made a little while ago:
FARA, or Faux YARA, is a simple repository that contains a set of purposefully erroneous Yara rules. It is meant as a training vehicle for new security analysts, those that are new to Yara and even Yara veterans that want to keep their rule writing (and debugging) sharp.
https://github.com/bartblaze/FARA
Best section would be Tools. If it looks good to be added, I'll create a PR.
The EventShot script simply takes a snapshot of the event log(s) you select, then takes a second snapshot after you're done with your analysis, diffs the two files and parses the output. EventScan can either scan the live system event logs against the EventLogIndicators directory of YARA sigs, or you can place event log files in the SCAN dir and search them with your YARA sigs.
https://github.com/reed1713/ELAT
OPEN QUESTION:
Off and on I've been looking for a Yara daemon.
I'm processing mail, looking for spam and malware. I write milters to do the processing. The Mail Transfer Agent (MTA) -- Sendmail in my case -- hands the mail (as it arrives, and before delivery to any mailbox) to my milters for on-the-fly processing as appropriate. The milters tell Sendmail if a message is to be accepted, rejected, or whatever. Don't worry about that last one for now...
The milters use Yara to scan the mail for assorted indicators of badness. Like the Sendmail processes which use them, the milters are themselves daemons. Sendmail handles many mail messages simultaneously by forking a copy of itself for each concurrently processed mail message; likewise many milter daemons are forked so that there is one available for each concurrent mail message.
If a milter process decides that it needs to scan a mail message using Yara, then it
(1) writes a file to /tmp/ which contains the message to be scanned, then
(2) forks a new process from /usr/bin/yara to scan this file, then
(3) waits until the new process terminates, so that it can
(4) collect the output of the yara process back into the milter for decision-making etc., and finally
(5) deletes the file from /tmp/.
This all works fine but can be a little expensive.
I would like to be able to run a Yara daemon which could serve in place of the tool at /usr/sbin/yara and which my milters could use instead. That way, they wouldn't have to write (nor delete) any files nor create a new process for each scan. I suggest /usr/sbin/yarad might be a good name for the tool.
I envisage connecting to the daemon via a socket. As I'm processing mail, of course the daemon would need to be multi-threaded, or at least to be able to process multiple connections simultaneously and independently. Ideally, for each scan, the names of the files which contain the rules to be used, any external Yara variable definitions, and the data to be scanned would all be delivered to the scanner via the socket connection. If it's difficult or expensive to do all that (and I can imagine it might well be an issue) then the daemon could be told when it starts up which rules files to use and perhaps even the values of any external variables. One could run several such daemons, each with a different ruleset and a different set of external variables, which would be less convenient but probably manageable.
Do you know if such a thing exists? After several search attempts I've found nothing which fits the bill.
If not, do you think it would make sense to implement something along these lines?
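The daemon sketched in the question above, as an added example that is not part of the original thread and not code from awesome-yara or any project it lists. It makes the following assumptions of its own: requests and replies are JSON documents behind a 4-byte length prefix; the daemon listens on a loopback TCP port (a Unix socket with filesystem permissions is the better fit for a milter on the same host, but TCP keeps the demo portable); each request carries the rule file names, the external variables and the base64-encoded data, exactly as the question asks; and the scanner backend is pluggable. The `yara_backend` function uses yara-python's `yara.compile(filepaths=..., externals=...)` and `Rules.match(data=...)`; the offline demo swaps in a constructed substring matcher so the block runs without yara-python installed. Compiled rulesets are cached per (rule files, externals) pair, because compiling on every request would replace one fork per message with one compile per message, which is the cost the question wants to avoid.

```python
import base64
import json
import os
import socket
import socketserver
import struct
import tempfile
import threading
# Wire format (this example's own choice): 4-byte big-endian length prefix, then one UTF-8 JSON document.
def send_frame(sock, obj):
    body = json.dumps(obj).encode("utf-8")
    sock.sendall(struct.pack(">I", len(body)) + body)
def recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-frame")
        buf.extend(chunk)
    return bytes(buf)
def recv_frame(sock, limit=64 * 1024 * 1024):
    (n,) = struct.unpack(">I", recv_exact(sock, 4))
    if n > limit:  # refuse oversized requests rather than buffering them
        raise ValueError("frame too large: %d bytes" % n)
    return json.loads(recv_exact(sock, n).decode("utf-8"))

# Scanner backends: backend(rule_files, externals) -> matcher(data) -> list of matching rule names.
def yara_backend(rule_files, externals):  # real backend on yara-python; not used by the offline demo
    import yara
    rules = yara.compile(filepaths={os.path.basename(p): p for p in rule_files}, externals=externals)
    return lambda data: [m.rule for m in rules.match(data=data)]

def substring_backend(rule_files, externals):
    # Stand-in for the demo: rule files hold 'name=needle' lines; external 'scan' == 'off' disables all rules.
    needles = []
    for path in rule_files:
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                if "=" in line:
                    name, needle = line.rstrip("\n").split("=", 1)
                    needles.append((name, needle.encode("utf-8")))
    if externals.get("scan") == "off":
        return lambda data: []
    return lambda data: [name for name, needle in needles if needle in data]

class ScanHandler(socketserver.BaseRequestHandler):
    def handle(self):
        try:
            req = recv_frame(self.request)
            matcher = self.server.compiled(req["rules"], req.get("externals", {}))
            send_frame(self.request, {"matches": matcher(base64.b64decode(req["data"]))})
        except Exception as exc:  # one bad request must not take the daemon down
            send_frame(self.request, {"error": str(exc)})
class YaraDaemon(socketserver.ThreadingTCPServer):
    daemon_threads = True
    def __init__(self, addr, backend):
        super().__init__(addr, ScanHandler)
        self.backend = backend
        self._cache = {}  # compiling is the expensive step: do it once per (ruleset, externals)
        self._lock = threading.Lock()
    def compiled(self, rule_files, externals):
        key = (tuple(rule_files), tuple(sorted(externals.items())))
        with self._lock:
            if key not in self._cache:
                self._cache[key] = self.backend(rule_files, externals)
            return self._cache[key]

def scan(addr, rule_files, externals, data):
    # Client side: what a milter would call instead of writing /tmp and forking /usr/bin/yara.
    with socket.create_connection(addr) as s:
        send_frame(s, {"rules": rule_files, "externals": externals,
                       "data": base64.b64encode(data).decode("ascii")})
        resp = recv_frame(s)
    if "error" in resp:
        raise RuntimeError(resp["error"])
    return resp["matches"]

def demo():
    # Offline run: constructed rule file, constructed mail body, loopback TCP port chosen by the OS.
    rule_path = os.path.join(tempfile.mkdtemp(), "spam.rules")
    with open(rule_path, "w", encoding="utf-8") as fh:
        fh.write("lottery_spam=You have won\nmacro_lure=Enable Content\n")
    server = YaraDaemon(("127.0.0.1", 0), substring_backend)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    addr, mail = server.server_address, b"Subject: prize\r\n\r\nYou have won a prize.\r\n"
    try:
        hit = scan(addr, [rule_path], {"scan": "on"}, mail)
        off = scan(addr, [rule_path], {"scan": "off"}, mail)
        clean = scan(addr, [rule_path], {"scan": "on"}, b"hello")
        try:
            scan(addr, ["/nonexistent/x.rules"], {}, b"x")
            err = None
        except RuntimeError as exc:
            err = str(exc)
        return hit, off, clean, err
    finally:
        server.shutdown()
        server.server_close()
```

Calling `demo()` returns `(["lottery_spam"], [], [], "<error text naming /nonexistent/x.rules>")`: the same mail hits with externals on and is silent with them off, clean data matches nothing, and a request naming a missing rule file gets an error reply while the daemon keeps serving. Two points to settle before running anything like this in front of real mail: anyone who can reach the socket can make the daemon compile any file on disk as rules, so bind a Unix socket with restrictive permissions (or check requested paths against an allowlisted rules directory) rather than a TCP port; and the cache grows without bound as rulesets and external-variable combinations accumulate, so either cap it or, with yara-python, compile once per ruleset and pass `externals` to `match()` instead of keying the cache on them.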
What happened? It still exists. I saw it got deleted from a repo.
No YARA rules in there (only Sigma, which is different); remove it? https://github.com/Loginsoft-Research/detection-rules
mikesxrs' YARA Rules Collection might be the biggest, but the last change was on 16 Nov 2018, and 2 years is a lot in this business. So maybe pass on the trophy?
Please add yaids, a YARA-based IDS, to the list.
More information: yaids.io / Github Repo
PR incoming.
Please add Yara Scan, a platform to submit files and scan them with many YARA rules.
URL: http://zeroq.ydns.eu/