Friday, October 26, 2018

Install and use YARA at Linux 

/*Install Yara*/
#apt-get update
#apt-get install yara
#which yara
/usr/bin/yara



/*Download Yara Rules*/
#cd /usr/local/sbin
#mkdir ./yararules
#cd yararules
#git clone https://github.com/Yara-Rules/rules.git
#ll /usr/local/sbin/yararules/rules



/*Execute Yara*/
#yara --help
YARA 3.8.1, the pattern matching swiss army knife.
Usage: yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID

Mandatory arguments to long options are mandatory for short options too.

       --atom-quality-table=FILE        path to a file with the atom quality table
  -c,  --count                          print only number of matches
  -d,  --define=VAR=VALUE               define external variable
       --fail-on-warnings               fail on warnings
  -f,  --fast-scan                      fast matching mode
  -h,  --help                           show this help and exit
  -i,  --identifier=IDENTIFIER          print only rules named IDENTIFIER
  -l,  --max-rules=NUMBER               abort scanning after matching a NUMBER of rules
       --max-strings-per-rule=NUMBER    set maximum number of strings per rule (default=10000)
  -x,  --module-data=MODULE=FILE        pass FILE's content as extra data to MODULE
  -n,  --negate                         print only not satisfied rules (negate)
  -w,  --no-warnings                    disable warnings
  -m,  --print-meta                     print metadata
  -D,  --print-module-data              print module data
  -e,  --print-namespace                print rules' namespace
  -S,  --print-stats                    print rules' statistics
  -s,  --print-strings                  print matching strings
  -L,  --print-string-length            print length of matched strings
  -g,  --print-tags                     print tags
  -r,  --recursive                      recursively search directories
  -k,  --stack-size=SLOTS               set maximum stack size (default=16384)
  -t,  --tag=TAG                        print only rules tagged as TAG
  -p,  --threads=NUMBER                 use the specified NUMBER of threads to scan a directory
  -a,  --timeout=SECONDS                abort scanning after the given number of SECONDS
  -v,  --version                        show version information

Send bug reports and suggestions to: vmalvarez@virustotal.com.
#yara -r -w -f -p 10 /usr/local/sbin/yararules/rules/index.yar /root 2>/dev/null
network_smtp_raw /root/test.pcap
Big_Numbers1 /root/test.pcap
sniff_lan /root/.config/wireshark/recent_common
with_sqlite /root/.local/share/evolution/addressbook/system/contacts.db
with_sqlite /root/.config/honeyd/names
Big_Numbers1 /root/md5_arpd.txt
vmdetect /root/.cache/gstreamer-1.0/registry.x86_64.bin
SurtrStrings /root/.cache/gstreamer-1.0/registry.x86_64.bin
Surtr /root/.cache/gstreamer-1.0/registry.x86_64.bin
with_sqlite /root/.cache/tracker/meta.db-wal
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)