The idea is to find log files and journald files on Linux, EVTX logs on Windows in their well-known locations and scan them for simple IOCs or YARA rules.

After installing gnu-make and openssl via homebrew the make build currently fails.

…such as OS version, language, active networ adapters…

I don't think that the --report flag works correctly

I think that, in order to create a TSJSON output file called 'log.json' it is supposed to be used like:

--report='log.json;format=tsjson'

but this isn't the case - this creates 2 log files called 'log.json' and 'format=tsjson'.

I believe the problem is that the simpleStringSlice in config.go is splitting the flag into 2 parts before it gets to target.go which tries to do the same thing - it is therefore impossible currently to set the output to be in the TSJSON format. My tiny patch is to change line 30 of target.go to use "@" as the delimiter for format, rather than ";".

Just as a side note, using ";" as a command-line delimiter adds an additional layer of complexity since it's usually a shell command delimiter so bash reads "spyre -r log.json;format=json" as "spyre -r log.json" and "format=json" - "@" is much easier to use. And "," would be an easier delimiter for multiple report files too.

Hi hillu,

it might be useful to get the information in the log which yara rule matched. Also it might be helpful to get the calling commandline at beginning of the log so you can reconstruct what you have done before (not sure about that)?

The shown hostname is not necasserarily the same host, which is analyzed. If I scan a mounted folder/partition an optional switch for giving the hostname might be useful.

Thx

Hi,

the current json output that is generated for timesketch cannot be imported.
The problem is that the Spyre output file starts with

[
{<JSON-DATA>}
,
...
]

Timesketch cannot handle this. You need to remove "[","]" and "," from the file. Also timesketch expects that the file has the file extension: .jsonl.

It would be great if this could be adjusted in Spyre.

Thx
Sven

Hi!

Are there any plans to implement plain sigma support for log scanning?

Would be a great feature to have the ability to scan log files with plain sigma rules alongside to the existing yara scanning! Depending on attacker / malware behavior Sigma is better suitable than yara in some cases.

As far as I know there is no (free) tool out there that has this capability.

Thx and greetings

The platform-specific equivalents of netstat can be used to find currently- or recently-active TCP or UDP sockets.

It would be very useful for some cases if the command-line config could be included in config.Fs as a simple file so that everything could be wrapped up into a single binary that doesn't require setting any custom flags to run.

Ideally, the config would be overwritten by any command-line config flags.

This would allow for someone doing IR to compile a single file that would have any custom settings and yara rules built into it so that all that needs to be done is for the file to be run on any suspected vulnerable host. Where the hosts are managed by other organisations, it may be difficult for the IR team to ensure that flags are correctly set.

I did not get to do that before losing access to the repository.
(Preferably merge #10 first, though.)

Cheers,
-Hilko

Currently, (spyre/modules.{System,File}Scanner).Init functions can return a single error value, indicating success or failure. There needs to be at least a third state:

• Success = Module initiialized – it should be used normally.
• Error = Module found configuration but could not parse it (user error) – spyre initialization should be aborted.
• Ignore = No configuration available or some API cannot be accessed – scans are run without this module

By moving spyre to the latest go-yara version we should update the supported yara version to 4.x

I believe that the CI setup was broken due to invalidated credentials that I had granted towards CircleCI when my account was removed from the @DCSO organization (cf.). Please fix so tagged builds are released with a binary build. :-)

If you copy&paste procscan.yar and filescan.yar into a VMWare VM, then all procscan rules will match on vmtoolsd.exe process.

The globel config.MaxFileSize (--max-file-size) parameter should not only be checked in the YARA file scanner module.

For widespread checks across a large (and poorly managed) IT estate, it would be useful if spyre could support https:// URLs in addition to file:// ones.

If all spyre did was send a POST to the URL given containing the body of the report then the IR team could manage collecting all the reports and processing them centrally without having to work on collecting the logs from each instance of spyre that ran (and without having to get IT management to correctly set up a file share that all hosts can access to deposit logs centrally).

TIL that there has been an effort to provide a Make-based, stable cross-compiling environment going on since at least 2007: MXE. Perhaps we can use this for building the third-party dependencies.

Hi, everyone

 I have successfully compiled Spyre. However, When I run it on windows10, some errors occured:
 1) stat ioc.json, the system cannot find the file specified.
 2)yara init stat filescan.yar the system cannot find the file specified
 3) yara init state procscan.yar the system cannot find the file specified

 I think this may be caused by failing compiled yara.go.

 Could someone give me some advice about this?
 Thanks

What's the right syntax for the file? I can't seem to get it to find keys.

{ "key": "\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\MpPlatformKillbitsFromEngine", "name": "FeaturesMpPlatformKillbitsFromEngine", "description": "testing the key function" }

Hi, I don't know how to build for 32-bit program of linux on 64-bit linux using musl-gcc, just like the spyre of i386-linux-musl, which I don't know how to generate on 64-bit linux. I have searched a lot,but don't find the solution.Could you help me out? Thanks in advance.

When the YARA compiler complains that rules will be slowing down scanning, it is right, of course. We should simply reject such rules (and possibly make the behavior configurable at a later point, should the need arise.)

Good rules to test this with are the auto-generated rulesets from Intezer.

Instead of using plain archive/zip, we might use github.com/alexmullins/zip or github.com/yeka/zip. Next question: How to provide the password in a non-obvious way?

There are a tons of FP matches on the WinDefender svchost process. Testet on Win 7 32bit.

note: FindWindowA

Hi, as I'm trying to use spyre, I successfully installed all packages. On a Kali Linux, I'm trying to launch the spyre running file. As I don't know much about yara scanning modules, I copy/pasted the filescan.yar and procscan.yar files from spyre/scanner.yara. Then, launching the running program, here's the error that pops up :
2021/10/25 14:26:13 Error initializing YARA-file module: syntax error, unexpected identifier
2021/10/25 14:26:13 Error initializing YARA-proc module: syntax error, unexpected identifier

Would you mind providing me with help concerning this error ? If it wouldnt bother you, maybe having an example file of these .yara files, and kind of a userguide to know how and where to put these said-scanning modules.
Thank you very much for your help and for providing such an interesting tool,

For better or worse, go dep fallen out of fashion, so we might as well get with the program.

(Of course this will not rid us of building the 3rd-party libraries.)

At present the report file (either type) does not include a record of any files which were not scanned because the file could not be opened.

It would be useful to include these (at least because it might indicate that the scan was run with the incorrect privileges).

My hacky fix is to add a line to spyre.go after the current line 79 saying:
report.AddStringf(f, "Could not open file %s", path)
this isn't perfect as it's a different format from the other file warnings (like "Skipping large file") but I can't use AddFileInfo as this breaks (not 100% sure where, I suspect it's because the file 'f' isn't open-able so it can't be Stat'd by formatFileEntry, but I'm not sure).

There are a few problems regarding runtime configuration, e.g.:

1. configuration via the command line (and/or a params.txt file is clumsy as it is and will become worse as we add modules.
2. Thus far, spyre looks opportunistically for YARA files, either in the directory that holds the executable, or in an embedded executable. This is more complicated then necessary and error-prone for fragments of not-so-well-written YARA rule sets. The ad-hoc solution that was added for the registry and eventobj modules has similar problems.

I am currently leaning toward using a YAML-based configuration and mapping command line parameters directly to YAML document paths.

Every module could then have its default "seed" file(s) and a section in the configuration file where those files can be overridden.

The import statement when parsing YARA rules should be mapped to the filesystem abstraction that is used to read from the appended ZIP file if available. Currently, YARA will happily access the filesystem directly which is not what we want...

Note: (*yara.Compiler).SetIncludeCallback()

Maybe just inform about the list of skipped files at the end of the scan. It would significantly improve the readability of spyre.log.

spyre does not build on Fedora because make fails with

3rdparty.mk:14: *** (Currently) unsupported native triplet x86_64-redhat-linux.  Stop.

See comment in #1