secrary / SSMA

SSMA - Simple Static Malware Analyzer [This project is not maintained anymore by me]


Doesn't using my own yara rule file to detect linux elf malware file?

linlih opened this issue · comments

As the title says.

In this file, src/check.py, there is the following code:

# Added by Yang
def is_your_target(filename, yara_file):
    if not os.path.exists("rules_compiled/your_target"):
        os.mkdir("rules_compiled/your_target")
    if os.path.isdir(yara_file):
        for n in os.listdir(yara_file):
            if not os.path.isdir("./" + n):
                try:
                    rule = yara.compile(yara_file + "/" + n)
                    rule.save("rules_compiled/your_target/" + n)
                    rule = yara.load("rules_compiled/malware/" + n)
                    m = rule.match(filename)
                    if m:
                        return m
                except:
                    pass
            else:
                pass
    elif os.path.isfile(yara_file):
        try:
            rule = yara.compile(yara_file)
            rule.save("rules_compiled/your_target/" + yara_file)
            rule = yara.load("rules_compiled/malware/" + yara_file)
            m = rule.match(filename)
            if m:
                return m
        except:
            pass
    else:
        return "[x] Wrong type of input!"

Why is the rule saved to the your_target directory and loaded from the malware directory? It doesn't make any sense.
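An added example, not part of the original issue or of SSMA's code: one way to write the custom-rule check so that the compiled rule is saved to and loaded from the same path, and a failing rule is reported instead of being swallowed by a bare `except`. The names `rule_files`, `compiled_path` and `match_custom_rules` are hypothetical; it assumes yara-python is installed, and it collects every match rather than returning at the first one.

```python
import os


def rule_files(rules_path):
    """Return the YARA source files named by rules_path (a file or a directory)."""
    if os.path.isfile(rules_path):
        return [rules_path]
    if os.path.isdir(rules_path):
        # Join against rules_path; the quoted code tested "./" + n, i.e. the cwd.
        paths = (os.path.join(rules_path, n) for n in sorted(os.listdir(rules_path)))
        return [p for p in paths if os.path.isfile(p)]
    raise ValueError("not a rule file or directory: %r" % rules_path)


def compiled_path(cache_dir, rule_file):
    """Single place that decides where a compiled rule is saved AND loaded."""
    # basename() keeps a rule passed as /some/dir/x.yar inside cache_dir.
    return os.path.join(cache_dir, os.path.basename(rule_file))


def match_custom_rules(target, rules_path, cache_dir="rules_compiled/your_target"):
    """Compile each rule, cache it, reload it from the same path, match target.

    Returns (matches, errors) so a broken rule is visible to the caller.
    """
    import yara  # yara-python; imported here so the helpers above work without it

    os.makedirs(cache_dir, exist_ok=True)
    matches, errors = [], []
    for rule_file in rule_files(rules_path):
        out = compiled_path(cache_dir, rule_file)
        try:
            yara.compile(filepath=rule_file).save(out)
            matches.extend(yara.load(out).match(target))
        except yara.Error as exc:
            # Syntax errors, unreadable files and load failures end up here.
            errors.append((rule_file, str(exc)))
    return matches, errors
```
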

Hello, can you provide more information, an example of what is failing and the output error? I do not fully understand from your description what is failing.