malice yara docker plugin malware malware-analysis malware-detection malware-research golang malice-plugin malware-analyzer

malice-yara

Malice Yara Plugin

This repository contains a Dockerfile of the Yara malice plugin malice/yara.

Dependencies

malice/alpine

Image Tags

REPOSITORY          TAG                 SIZE
malice/yara         latest              51.9MB
malice/yara         0.1.0               51.9MB
malice/yara         neo23x0             51.3MB

NOTE: tag neo23x0 contains all of the signature-base rules

Installation

Install Docker.
Download trusted build from public DockerHub: docker pull malice/yara

Usage

docker run --rm -v /path/to/rules:/rules:ro malice/yara:neo23x0 FILE

Or link your own malware folder

$ docker run -v /path/to/malware:/malware:ro -v /path/to/rules:/rules:ro malice/yara:neo23x0 FILE

Usage: yara [OPTIONS] COMMAND [arg...]

Malice YARA Plugin

Version: v0.1.0, BuildTime: 20180902

Author:
  blacktop - <https://github.com/blacktop>

Options:
  --verbose, -V          verbose output
  --elasticsearch value  elasticsearch url for Malice to store results [$MALICE_ELASTICSEARCH_URL]
  --callback, -c         POST results to Malice webhook [$MALICE_ENDPOINT]
  --proxy, -x            proxy settings for Malice webhook endpoint [$MALICE_PROXY]
  --table, -t            output as Markdown table
  --timeout value        malice plugin timeout (in seconds) (default: 60) [$MALICE_TIMEOUT]
  --rules value          YARA rules directory (default: "/rules")
  --help, -h             show help
  --version, -v          print the version

Commands:
  web   Create a Yara web service
  help  Shows a list of commands or help for one command

Run 'yara COMMAND --help' for more information on a command.

This will output to stdout and POST to malice results API webhook endpoint.

Sample Output

JSON

{
  "yara": {
    "matches": [
      {
        "Rule": "APT30_Generic_7",
        "Namespace": "malice",
        "Tags": null,
        "Meta": {
          "author": "Florian Roth",
          "date": "2015/04/13",
          "description": "FireEye APT30 Report Sample",
          "hash0": "2415f661046fdbe3eea8cd276b6f13354019b1a6",
          "hash1": "e814914079af78d9f1b71000fee3c29d31d9b586",
          "hash2": "0263de239ccef669c47399856d481e3361408e90",
          "license": "https://creativecommons.org/licenses/by-nc/4.0/",
          "reference": "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf",
          "super_rule": 1
        },
        "Strings": [
          {
            "Name": "$s1",
            "Offset": 29824,
            "Data": "WGphcG9yXyphdGE="
          },
          {
            "Name": "$s2",
            "Offset": 29848,
            "Data": "WGphcG9yX28qYXRh"
          },
          {
            "Name": "$s4",
            "Offset": 29864,
            "Data": "T3VvcGFp"
          }
        ]
      }
    ]
  }
}

FILTERED Output JSON:

$ cat JSON_OUTPUT | jq '.[][][] .Rule'

"_Microsoft_Visual_Cpp_v50v60_MFC_"
"_Borland_Delphi_v60__v70_"
"_dUP_v2x_Patcher__wwwdiablo2oo2cjbnet_"
"_Free_Pascal_v106_"
"_Armadillo_v171_"

Markdown

Yara

Rule	Description	Offset	Data	Tags
`APT30_Generic_7`	FireEye APT30 Report Sample	`0x7480`	`"Xjapor_*ata"`	[]

NOTE: Data truncated to 25 characters

Documentation

TODO

add rules (tagged?) from https://github.com/Yara-Rules/rules
add rules (tagged?) from https://github.com/Neo23x0/signature-base

Issues

Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue and I'll get right on it.

CHANGELOG

See CHANGELOG.md

Contributing

See all contributors on GitHub.

Please update the CHANGELOG.md and submit a Pull Request on GitHub.

License

About

Malice Yara Plugin

https://hub.docker.com/r/malice/yara/

malice yara docker plugin malware malware-analysis malware-detection malware-research golang malice-plugin malware-analyzer

Other

Languages

Language:YARA 99.3%Language:Go 0.4%Language:Makefile 0.2%Language:Dockerfile 0.1%Language:Shell 0.0%