
yaraprocessor 1.1.0

Scan data streams with Yara using various algorithms.

YARA is an awesome tool. It’s aimed at helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained on samples of those families.

However, sometimes the data you are analyzing needs some manipulation in order to achieve the best results. Yaraprocessor allows you to scan data streams in a few unique ways. It supports scanning data streams in discrete chunks, or buffers. These chunks can overlap or be completely disjoint depending on the ‘processing_mode’ selected.

Yaraprocessor was originally written for Chopshop. Combined with Chopshop, it allows for dynamic scanning of payloads plucked from a network packet capture. Historically, signature-based tools operate over the entire PCAP file. With Chopshop and Yaraprocessor, YARA can be run against individual packet payloads as well as a concatenation of some or all of the payloads. Ideally, this makes writing signatures easier. Check out the Chopshop module yarashop to see it in action!

Installation

Simply clone the repository via git:

$ git clone https://github.com/MITRECND/yaraprocessor.git

Or download the latest release from our github page.

Once you have the code, run the following command inside the Yaraprocessor directory:

$ python setup.py install

Using it!

While yaraprocessor was built for use with Chopshop, it aims for simple and straightforward usage and integration with other tools. Simply import yaraprocessor, instantiate a “Processor” object, and start analyzing data.

from yaraprocessor import Processor

# Yara rules are passed as a list of filenames (each path is its own string)
p = Processor(['/full/path/to/rules', 'relative/path/to/other/rules'])

# By default, the processor will operate in 'raw' mode, meaning it
# will scan whatever data you give it. Note that in 'raw' mode, you
# are required to call 'analyze', which will return yara matches if
# found.
with open('/path/to/sample', 'rb') as f:   # placeholder: the bytes to scan
    data = f.read()
p.data = data
results = p.analyze()

# 'analyze' returns yara matches and also stores them in 'p.results'
# for convenient access.
if p.results:
    for match in p.results:
        print(match)

# When operating in other processing modes, data will be continuously
# buffered and automatically processed when the buffer fills. In these
# modes, you don't have to ever call 'p.analyze'; instead simply check
# for results.

if p.results:
    for match in p.results:
        print(match)
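The disjoint-versus-overlapping buffering behind the processing modes described above, as an added Python 3 illustration that is not yaraprocessor's own code: the Processor API is not reproduced, and a constructed byte-pattern matcher (RULES, pattern_matcher) stands in for a YARA scan so the script runs without yara-python. It shows why a signature that straddles a buffer boundary is missed by disjoint buffers but caught once the overlap is at least one byte shorter than the pattern, and why hits must be keyed by absolute offset so overlapping windows do not double-report.

```python
# Added illustration, not yaraprocessor code: a plain byte-pattern matcher
# stands in for YARA; chunks()/scan_stream() mimic disjoint vs. overlapping modes.

# Constructed stand-in "rules": rule name -> byte pattern to look for.
RULES = {"suspicious_marker": b"EVIL-PAYLOAD"}


def pattern_matcher(buf):
    """Stand-in for a YARA scan: return (rule, offset_in_buffer) hits."""
    hits = []
    for name, pat in RULES.items():
        idx = buf.find(pat)
        while idx >= 0:
            hits.append((name, idx))
            idx = buf.find(pat, idx + 1)
    return hits


def chunks(data, size, overlap):
    """Yield (absolute_offset, buffer) windows of at most `size` bytes.
    overlap == 0 gives disjoint buffers. With overlap > 0 each window
    starts `overlap` bytes before the previous one ended, so a pattern
    of at most overlap + 1 bytes can never be split across two windows.
    """
    if not 0 <= overlap < size:
        raise ValueError("overlap must satisfy 0 <= overlap < size")
    for off in range(0, len(data), size - overlap):
        yield off, data[off:off + size]
        if off + size >= len(data):   # last window already reached the end
            break


def scan_stream(data, size, overlap, matcher=pattern_matcher):
    """Scan each buffer, keying hits by absolute stream offset so one match
    seen from two overlapping windows is reported only once."""
    found = set()
    for off, buf in chunks(data, size, overlap):
        for name, idx in matcher(buf):
            found.add((name, off + idx))
    return found


# Constructed stream: the 12-byte marker sits at offsets 10..21, so it
# straddles the boundary between 16-byte buffers [0:16] and [16:32].
STREAM = b"A" * 10 + b"EVIL-PAYLOAD" + b"B" * 30

if __name__ == "__main__":
    print("disjoint   :", scan_stream(STREAM, 16, 0))    # set()
    print("overlapping:", scan_stream(STREAM, 16, 11))   # {('suspicious_marker', 10)}
```

Swapping `pattern_matcher` for a function that wraps a compiled YARA ruleset keeps the same chunking logic; the overlap must be sized to the longest string the rules need to see in one piece.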

Contributing

We love to hear from people using our tools and code. Feel free to discuss issues on our issue tracker and make pull requests!

File                                   Type           Py Version   Uploaded on   Size
yaraprocessor-1.1.0-py2-none-any.whl   Python Wheel   py2          2016-01-14    10KB
yaraprocessor-1.1.0.tar.gz             Source                      2016-01-14    6KB
  • Author: Stephen DiCato
  • Home Page: https://github.com/MITRECND/yaraprocessor
  • License:
    Copyright (c) 2013 The MITRE Corporation. All rights reserved.
    
    Redistribution and use in source and binary forms, with or without
    modification, are permitted provided that the following conditions
    are met:
    1. Redistributions of source code must retain the above copyright
       notice, this list of conditions and the following disclaimer.
    2. Redistributions in binary form must reproduce the above copyright
       notice, this list of conditions and the following disclaimer in the
       documentation and/or other materials provided with the distribution.
    
    THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
    ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
    FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
    OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
    OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    SUCH DAMAGE.
  • Package Index Owner: gback
  • DOAP record: yaraprocessor-1.1.0.xml