Malice Yara Plugin
This repository contains a Dockerfile of the Yara malice plugin malice/yara.
REPOSITORY TAG SIZE malice/yara latest 51.9MB malice/yara 0.1.0 51.9MB malice/yara neo23x0 51.3MB NOTE: tag
neo23x0contains all of the signature-base rules
- Install Docker.
- Download trusted build from public DockerHub:
docker pull malice/yara
docker run --rm -v /path/to/rules:/rules:ro malice/yara:neo23x0 FILE $ docker run -v /path/to/malware:/malware:ro -v /path/to/rules:/rules:ro malice/yara:neo23x0 FILE Usage: yara [OPTIONS] COMMAND [arg...] Malice YARA Plugin Version: v0.1.0, BuildTime: 20180902 Author: blacktop - <https://github.com/blacktop> Options: --verbose, -V verbose output --elasticsearch value elasticsearch url for Malice to store results [$MALICE_ELASTICSEARCH_URL] --callback, -c POST results to Malice webhook [$MALICE_ENDPOINT] --proxy, -x proxy settings for Malice webhook endpoint [$MALICE_PROXY] --table, -t output as Markdown table --timeout value malice plugin timeout (in seconds) (default: 60) [$MALICE_TIMEOUT] --rules value YARA rules directory (default: "/rules") --help, -h show help --version, -v print the version Commands: web Create a Yara web service help Shows a list of commands or help for one command Run 'yara COMMAND --help' for more information on a command.This will output to stdout and POST to malice results API webhook endpoint.
{ "yara": { "matches": [ { "Rule": "APT30_Generic_7", "Namespace": "malice", "Tags": null, "Meta": { "author": "Florian Roth", "date": "2015/04/13", "description": "FireEye APT30 Report Sample", "hash0": "2415f661046fdbe3eea8cd276b6f13354019b1a6", "hash1": "e814914079af78d9f1b71000fee3c29d31d9b586", "hash2": "0263de239ccef669c47399856d481e3361408e90", "license": "https://creativecommons.org/licenses/by-nc/4.0/", "reference": "https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf", "super_rule": 1 }, "Strings": [ { "Name": "$s1", "Offset": 29824, "Data": "WGphcG9yXyphdGE=" }, { "Name": "$s2", "Offset": 29848, "Data": "WGphcG9yX28qYXRh" }, { "Name": "$s4", "Offset": 29864, "Data": "T3VvcGFp" } ] } ] } }$ cat JSON_OUTPUT | jq '.[][][] .Rule' "_Microsoft_Visual_Cpp_v50v60_MFC_" "_Borland_Delphi_v60__v70_" "_dUP_v2x_Patcher__wwwdiablo2oo2cjbnet_" "_Free_Pascal_v106_" "_Armadillo_v171_"| Rule | Description | Offset | Data | Tags |
|---|---|---|---|---|
APT30_Generic_7 | FireEye APT30 Report Sample | 0x7480 | "Xjapor_*ata" | [] |
NOTE: Data truncated to 25 characters
- add rules (tagged?) from https://github.com/Yara-Rules/rules
- add rules (tagged?) from https://github.com/Neo23x0/signature-base
Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue and I'll get right on it.
See CHANGELOG.md
See all contributors on GitHub.
Please update the CHANGELOG.md and submit a Pull Request on GitHub.
MIT Copyright (c) 2016 blacktop