
Scan data streams with Yara using various algorithms.

Project description

YARA is an awesome tool. It’s aimed at helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained in samples of those families.

However, sometimes the data you are analyzing needs some manipulation in order to achieve the best results. Yaraprocessor allows you to scan data streams in a few unique ways. It supports scanning data streams in discrete chunks, or buffers. These chunks can overlap or be completely disjoint depending on the ‘processing_mode’ selected.

Yaraprocessor was originally written for Chopshop. Combined with Chopshop, it allows for dynamic scanning of payloads plucked from a network packet capture. Historically, signature-based tools operate over the entire PCAP file. With Chopshop and Yaraprocessor, YARA can be run against individual packet payloads as well as a concatenation of some or all of the payloads. Ideally, this makes writing signatures easier. Check out the Chopshop module yarashop to see it in action!

Dependencies

Installation

Simply clone the repository via git:

$ git clone https://github.com/MITRECND/yaraprocessor.git

Or download the latest release from our GitHub page.

Once you have the code, run the following command inside the Yaraprocessor directory:

$ python setup.py install

Using it!

While yaraprocessor was built for use with Chopshop, it aims for simple and straightforward usage and integration with other tools. Simply import yaraprocessor, instantiate a “Processor” object, and start analyzing data.

from yaraprocessor import Processor

# Yara rules are passed as a list of filenames (one string per rules file)
p = Processor(['/full/path/to/rules', 'relative/path/to/other/rules'])

# By default, the processor will operate in 'raw' mode, meaning it
# will scan whatever data you give it. Note that in 'raw' mode, you
# are required to call 'analyze', which will return yara matches if
# found.
# 'data' is the bytes you want scanned, e.g. a packet payload
p.data = data
results = p.analyze()

# 'analyze' returns yara matches and also stores them in 'p.results'
# for convenient access.
if p.results:
    for match in p.results:
        print(match)

# When operating in other processing modes, data will be continuously
# buffered and automatically processed when the buffer fills. In these
# modes, you don't have to ever call 'p.analyze'; instead simply check
# for results.

if p.results:
    for match in p.results:
        print(match)
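As an added illustration of the buffered processing modes described above (this is not code from yaraprocessor itself), the following stand-alone Python shows why overlapping chunks matter: a pattern that straddles a chunk boundary is missed entirely when the chunks are disjoint, but is caught when each buffer carries the tail of the previous one. A plain substring search stands in for YARA so it runs without yara-python; the stream, the pattern and the function names are constructed for this example.

```python
# Added example (not part of yaraprocessor): disjoint vs. overlapping buffers
# when scanning a stream in fixed-size chunks. A substring search stands in for
# a YARA rule so the script runs without yara-python.
from typing import Dict, Iterator, List, Tuple


def chunk_stream(data: bytes, chunk_size: int, overlap: int) -> Iterator[Tuple[int, bytes]]:
    """Yield (absolute_offset, buffer) pairs. overlap=0 gives disjoint chunks;
    overlap>0 carries the last 'overlap' bytes of one buffer into the next."""
    if not 0 <= overlap < chunk_size:
        raise ValueError("overlap must be in [0, chunk_size)")
    step = chunk_size - overlap
    for start in range(0, len(data), step):
        yield start, data[start:start + chunk_size]
        if start + chunk_size >= len(data):   # this buffer reached the end
            break


def scan_stream(data: bytes, pattern: bytes, chunk_size: int, overlap: int) -> List[int]:
    """Scan each buffer independently (as a per-chunk YARA call would) and
    return absolute match offsets, de-duplicated across overlapping buffers."""
    hits = set()
    for base, buf in chunk_stream(data, chunk_size, overlap):
        pos = buf.find(pattern)
        while pos != -1:
            hits.add(base + pos)
            pos = buf.find(pattern, pos + 1)
    return sorted(hits)


# Constructed sample: a 32-byte stream whose 6-byte marker occupies bytes
# 13..18, i.e. it straddles the 16-byte chunk boundary.
PATTERN = b"EVILMK"
STREAM = b"A" * 13 + PATTERN + b"B" * 13


def compare_modes(chunk_size: int = 16) -> Dict[str, List[int]]:
    """Offsets found per mode. An overlap of len(pattern)-1 is the smallest
    that guarantees any occurrence of the pattern lies whole in some buffer."""
    return {
        "disjoint": scan_stream(STREAM, PATTERN, chunk_size, overlap=0),
        "overlap": scan_stream(STREAM, PATTERN, chunk_size, overlap=len(PATTERN) - 1),
        "whole": scan_stream(STREAM, PATTERN, len(STREAM), overlap=0),
    }


if __name__ == "__main__":
    for mode, offsets in compare_modes().items():
        print(f"{mode:8s} -> {offsets}")
```

The disjoint scan returns no match even though the marker is present, which is the class of miss the overlapping and concatenating modes exist to avoid.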

Contributing

We love to hear from people using our tools and code. Feel free to discuss issues on our issue tracker and make pull requests!

Download files

Source Distribution: yaraprocessor-1.1.0.tar.gz (7.0 kB), uploaded as Source

Hashes for yaraprocessor-1.1.0.tar.gz
Algorithm   Hash digest
SHA256      23ea97e6dd8090092fc6c329d0d354fe47413b2c9c871918ea77da87ed05bba9
MD5         36b8ee793412064376c3874bd0d0be30
BLAKE2b-256 a0308905acd268cdc4d288fd4f660766199f239faf13aa83dc874fe6941d10e6

Built Distribution: yaraprocessor-1.1.0-py2-none-any.whl (10.8 kB), uploaded for Python 2

Hashes for yaraprocessor-1.1.0-py2-none-any.whl
Algorithm   Hash digest
SHA256      b0f559b25058ab4c034e197adcae6632e3c8bf94dd23113d6743e90621147656
MD5         ca3116fad11b6fe48ff8eaf1bc056ab9
BLAKE2b-256 17d4516ab8b713bdc44153f7cde4f37a3d0f676ae17eaba3eebc83ed76db5809
