YARA Scanner

This takes the likely name of the YARA rule you want to run, searches the rule index to see whether it can find that rule or set of rules, and then runs a YARA scan with each matching rule on the specified path.

Works on Linux, macOS and Windows.

/********************************************************************************************\
| We'll reference the public GIT Repo for Yara rules at https://github.com/Yara-Rules/rules  |
| The GIT repo is actively being updated and we want access to current published rules so    |
| we will first get the index of rules and see which of those match our desired rule name    |
| With the list of yara files that match what we are looking for we will then pull the       |
| signature rule for each of them and execute a YARA search for each rule in the target file |
| path selected by the admin. The current repo has only 480 rules in it.                     |
\********************************************************************************************/
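-- YARA SCANNER FROM ON-LINE YARA RULES GIT REPO
-- VARIABLE $$Search File Path$$  FILE PATH
-- VARIABLE $$Yara rule file name$$     STRING
--
-- Purpose: download the rule index of the public Yara-Rules GitHub repo, keep the
-- rule files whose repo path contains $$Yara rule file name$$, download each of
-- them and scan $$Search File Path$$ with every one of them through osquery's
-- yara table (the curl table does the HTTP fetches).
--
-- Output columns (unchanged): File_Name, matches, count, path, YARA_File, YARA_Rule_URL.
--
-- Review notes:
--   * Both $$...$$ variables are substituted into the statement text by the query
--     runner and appear inside quoted string literals, i.e. they are not bound as
--     parameters. A quote character in the value breaks the statement and '%'/'_'
--     act as LIKE wildcards, so the values must come from trusted operators only.
--   * The rules are fetched from the 'master' branch at run time: whatever the repo
--     holds at that moment is compiled and run by osquery. For a reproducible,
--     reviewed rule set replace 'master' in both URLs below with a pinned commit
--     (e.g. .../rules/<COMMIT_SHA>/index.yar, <COMMIT_SHA> being a placeholder).
--   * A broad $$Search File Path$$ pattern (e.g. '/%') walks the whole tree once per
--     selected rule; scope it to the directory of interest.
WITH RECURSIVE
-- Candidate line numbers 1..2000 for the rule index. Index lines beyond this bound
-- are silently skipped; the previous bound of 500 left almost no headroom above the
-- ~480 rules noted in the header, so it was raised (extra rows only yield NULLs).
Counter(x) AS (
   VALUES (1)
   UNION ALL
   SELECT x + 1 FROM Counter WHERE x < 2000
),

-- The rule index as one text blob. index.yar is a list of `include "./<path>.yar"`
-- lines; the include syntax is stripped so every line is a repo-relative rule path.
Index_File(index_of_rules) AS (
   SELECT REPLACE(REPLACE(result, 'include ".', ''), '"', '') AS index_of_rules
   FROM curl
   WHERE url = 'https://raw.githubusercontent.com/Yara-Rules/rules/master/index.yar'
),

-- One row per index line (newline-split via the counter), keeping only the rule
-- paths that contain the requested file name. CROSS JOIN fixes Index_File as the
-- outer loop so index.yar is downloaded once rather than once per counter row.
Rule_Files(Yara_Rule_URL) AS (
   SELECT SPLIT(index_of_rules, CHAR(10), x) AS Yara_Rule_URL
   FROM Index_File
   CROSS JOIN Counter
   WHERE Yara_Rule_URL LIKE '%$$Yara rule file name$$%'
),

-- Download each selected rule file. The repo-relative path is prepended as a YARA
-- comment (/*path*/) so it can be recovered from the yara table's sigrule column
-- later; the yara table only echoes sigrule and carries no other rule identity.
Signature_Rules(Yara_Rule_URL, Yara_Sig_Rule) AS (
   SELECT
      Yara_Rule_URL,
      CAST('/*' || Yara_Rule_URL || '*/' || result AS TEXT) AS Yara_Sig_Rule
   FROM Rule_Files
   INNER JOIN curl
      ON url = 'https://raw.githubusercontent.com/Yara-Rules/rules/master/' || Yara_Rule_URL
),

-- Scan the target path with every selected rule. rule_path recovers the
-- repo-relative path from the /*path*/ prefix: splitting on '*' yields
-- ['/', '<path>', '/<rule body>'], and token 1 is the path.
Scan_Results(path, matches, count, rule_path) AS (
   SELECT
      path,
      matches,
      count,
      SPLIT(sigrule, '*', 1) AS rule_path
   FROM yara
   WHERE path LIKE '$$Search File Path$$'
     AND sigrule IN (SELECT Yara_Sig_Rule FROM Signature_Rules)
),

-- First basename pass: drop everything up to and including the last '/'.
-- rtrim(p, replace(p, '/', '')) strips every non-'/' character from the right,
-- leaving the directory prefix that ends at the last '/'.
Unix_Names(path, matches, count, rule_path, unix_file_name, rule_file_name) AS (
   SELECT
      path,
      matches,
      count,
      rule_path,
      replace(path, rtrim(path, replace(path, '/', '')), ''),
      replace(rule_path, rtrim(rule_path, replace(rule_path, '/', '')), '')
   FROM Scan_Results
)

-- Second basename pass for Windows-style paths: same trick with '\' as separator.
SELECT
   replace(unix_file_name, rtrim(unix_file_name, replace(unix_file_name, '\', '')), '') AS File_Name,
   matches,
   count,
   path,
   rule_file_name AS YARA_File,
   'https://raw.githubusercontent.com/Yara-Rules/rules/master/' || rule_path AS YARA_Rule_URL
FROM Unix_Names
ORDER BY count DESC, matches ASC, YARA_File ASC, File_Name ASC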
