Thread Info
  • State Verified Answer
  • Replies 1 reply
  • Subscribers 6 subscribers
  • Views 14270 views
  • Users 0 members are here
Options
Suggested

YARA Scanner

Karl_Ackerman

This takes the liklely name of the YARA rule you want to run and search to see if it can find that rule or set of rules and runs a YARA scan on the specified path.

Works on LINUX MAC and WINDOWS

/********************************************************************************************\
| We will refrence the public GIT Repo for Yara rules at https://github.com/Yara-Rules/rules |
| The GIT repo is activily being updated and we want access to current published rules so    |
| we will first get the index of rules and see which of those match our desired rule name    |
| With the list of yara files that match what we are looking for we will then pull the       |
| signature rule for each of them and execute a YARA search for each rule in the target file |
| path selected by the admin. The current repo has only 480 rules in it.                     |
\********************************************************************************************/
-- YARA SCANNER FROM ON-LINE YARA RULES GIT REPO
-- VARIABLE $$Search File Path$$  FILE PATH
-- VARIABLE $$Yara rule file name$$     STRING
WITH RECURSIVE 
-- Build a counter from 1 to 500
Counter(x) AS (VALUES (1) UNION ALL SELECT x+1 FROM Counter WHERE x < 500),

-- GET THE index of rules from the GIT REPO
Index_File(index_of_rules) AS ( 
   SELECT REPLACE(REPLACE(result,'include ".',''),'"','') 
   FROM curl 
   WHERE url = 'https://raw.githubusercontent.com/Yara-Rules/rules/master/index.yar'
   ),

-- Build a list of the yara rules files from the public git repo based on the current index of rules
Rule_Files(Yara_Rule_URL) AS ( 
   SELECT SPLIT(index_of_rules,CHAR(10),x) Yara_Rule_URL 
   FROM Index_file, Counter 
   WHERE Yara_Rule_URL LIKE '%$$Yara rule file name$$%'
   ),

-- Get the relevant YARA Signature Rules 
Signature_Rules(Yara_Rule_URL, Yara_Sig_Rule ) AS (
   SELECT Yara_Rule_URL, CAST('/*'||Yara_Rule_URL||'*/'||result AS TEXT) -- Insert the URL for the RULE into the Rule (HACK) We need it for the displayed results
   FROM Rule_Files 
   JOIN curl ON url = 'https://raw.githubusercontent.com/Yara-Rules/rules/master/'||Yara_Rule_URL
   )

SELECT 
   replace(replace(path, rtrim(path, replace(path, '/', '')), ''), rtrim(replace(path, rtrim(path, replace(path, '/', '')), ''), replace(replace(path, rtrim(path, replace(path, '/', '')), ''), '\', '')), '') File_Name, 
   matches, 
   count,
   path,
   replace(SPLIT(sigrule,'*\',1), rtrim(SPLIT(sigrule,'*\',1), replace(SPLIT(sigrule,'*\',1), '/', '')), '') YARA_File, 
   'https://raw.githubusercontent.com/Yara-Rules/rules/master/'||SPLIT(sigrule,'*\\',1) YARA_Rule_URL 
FROM yara WHERE Path LIKE '$$Search File Path$$' AND sigrule IN (SELECT Yara_Sig_Rule FROM Signature_Rules)
ORDER BY count DESC, matches ASC, YARA_File ASC, File_Name ASC

Parents Reply Children
No Data
Unfiltered HTML