This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Yara Search from an online YARA Rule

This will take two inputs the URL for the location of the YARA rule and the path you want to run the YARA search.

Works on LINUX, MAC and WINDOWS

/********************************************************************************************\
| The admin will supply the URL for an online YARA file and path to search                   |
\********************************************************************************************/
-- YARA SCANNER FROM ON-LINE YARA RULES GIT REPO
-- VARIABLE $$Search File Path$$  FILE PATH
-- VARIABLE $$YARA File URL$$     URL
WITH  
-- Get the relevant YARA Signature Rules 
Signature_Rules(Yara_Rule_URL, Yara_Sig_Rule ) AS (
   SELECT '$$YARA File URL$$' Yara_Rule_URL, 
   CAST('/*'||'$$YARA File URL$$'||'*/'||result AS TEXT) Yara_Sig_Rule-- Insert the URL for the RULE into the Rule (HACK) We need it for the displayed results
   FROM curl 
   WHERE url = '$$YARA File URL$$'
   )

SELECT 
   replace(replace(path, rtrim(path, replace(path, '/', '')), ''), rtrim(replace(path, rtrim(path, replace(path, '/', '')), ''), replace(replace(path, rtrim(path, replace(path, '/', '')), ''), '\', '')), '') File_Name,
   matches, 
   count,
   path,
   replace(SPLIT(sigrule,'*\',1), rtrim(SPLIT(sigrule,'*\',1), replace(SPLIT(sigrule,'*\',1), '/', '')), '') YARA_File, 
   '$$YARA File URL$$' YARA_Rule_URL 
FROM yara WHERE Path LIKE '$$Search File Path$$' AND sigrule IN (SELECT Yara_Sig_Rule FROM Signature_Rules)
ORDER BY count DESC, matches ASC, YARA_File ASC, File_Name ASC

This thread was automatically locked due to age.

0 Sophos User930 over 3 years ago
Well that's cool. Nice one Karl!

If anyone would benefit from a more simplistic example of using the yara and curl tables, how about:

SELECT path, matches, count, strings
FROM yara where path like "C:\windows\%"
AND sigrule = (select result from curl where url = 'raw.githubusercontent.com/.../mz.yara')
AND count > 0

Where:
https://raw.githubusercontent.com/user1/yara/main/mz.yara
contains this basic rule as an example:

rule mz { meta: description="Is the file a MZ" strings: $mz = { 4d 5a } $dos_message = "!This program cannot be run in DOS mode." condition: all of them }

Will give you something like the following results. Not that helpful in its own right but might be a useful example.
Cancel
Vote Up 0 Vote Down

Cancel
0 Karl_Ackerman over 3 years ago in reply to Sophos User930

Thanks love it. Mark Zbikowski
Cancel
Vote Up 0 Vote Down

Cancel
0 Sophos User930 over 3 years ago in reply to Karl_Ackerman

rumbled at last.
Cancel
Vote Up 0 Vote Down

Cancel