neo23x0 / yaranalyzer Goto Github PK

View Code? Open in Web Editor NEW

353.0 26.0 74.0 281 KB

Yara Rule Analyzer and Statistics

License: MIT License

Python 100.00%

yaranalyzer's Introduction

yarAnalyzer

Yara Rule Analyzer and Statistics

Description

yarAnalyzer creates statistics on a yara rule set and files in a sample directory. Place some signatures with .yar extension in the "signatures" folder and then run yarAnalyzer on a certain sample directory like:

yarAnalyzer.py -p /sample/path -s /signatures

It will generate two tables as command line output and two CSV files. (yaranalyzer_file_stats.csv, yaranalyzer_rule_stats.csv)

A new feature is the inventory creation.

yarAnalyzer.py --inventory -s /signatures

This will create a CSV file named yara-rule-inventory.csv (default, set with '-o') with information about the initialized rules. (Rule File;Rule Name;Description;Reference)

Screenshots

Rule Statistics

File Statistics

CSV Output in Excel

Usage

usage: yarAnalyzer.py [-h] [-p path] [-s sigpath] [-e ext] [-i identifier]
                      [-m max-size] [-l max-string] [-f first-bytes]
                      [-o output] [--excel] [--noempty] [--inventory]
                      [--printAll] [--debug]

yarAnalyzer - Yara Rules Statistics and Analysis

optional arguments:
  -h, --help      show this help message and exit
  -p path         Path to scan
  -s sigpath      Path to signature file(s)
  -e ext          signature extension
  -i identifier   Set an identifier - will be used in filename
                  identifier_rule_stats.csv and identifier_file_stats.csv
  -m max-size     Max file size in MB (default=10)
  -l max-string   Max filename/rulename string length in command line output
  -f first-bytes  Number of first bytes to show in output
  -o output       Inventory output
  --excel         Add extras to suppress automatic conversion in Microsoft
                  Excel
  --noempty       Don't show empty values
  --inventory     Create a YARA rule inventory only
  --printAll      Print all files that are scanned
  --debug         Debug output

DO NOT

install the outdated "yara" Python module via pip. Use "yara-python" instead or install it from the github repo: https://github.com/plusvic/yara-python

yaranalyzer's People

Contributors

Stargazers

Watchers

Forkers

mjruffin idiom pluckljn paran0ids0ul idkwim meteoradminz pombredanne security-geeks kakakacool caar2000 crazykid199 connlan pseudozidu redteamcaliber hxp2k6 upadmin urwithajit9 olivierh59500 null0x4d5a team-firebugs songofhack gjmf nunombarros shuixi2013 securityresearchstaff securitywarrior primmus tvendramel teme64 heikipikker tobey123 ahmedjouini ykankaya youngjun-chang vevenlcf beyondcy johnthecoder cryzlasm primekun bluemutedwisdom marciopocebon av-gantimurov ashr modulexcite blue-infosec ammasajan zzyyxxal i85yl64 gh0st0ne ekmixon radizzle ankurvaishley esorlov lunsovathana crackercat elijahahianyo shpakau root4rce devendrasuthar ruppde ndrtd mdomorffaruk yannisdevon dekiiikun

yaranalyzer's Issues

Error in Yara File.

I added a .yar to the signatures directory and performed a scan on a directory with confirmed/known matches. After execution I received the following:

[root@secured yarAnalyzer]# ./yarAnalyzer.py -p /home/secured/downloads/confirmedfiles/
[ERROR]: Error in Yara file: AllMWLocker.yar
[INFO]: Scanning /home/secured/downloads/confirmedfiles/ ...

I also performed the same scan with the --debug flag, however no other information was given as to what the issue/error with the yara file was. Verbose output as to the error would be great.

help.... rule iterable problem

please help.
I can't know what the problem is.

Error in Yara file

I directly downloaded THOR-Webshells from here (https://github.com/Yara-Rules/rules/blob/master/malware/THOR_Webshells.yar) to test and it gives me this error, but with no information as to what the error is.

sudo python yarAnalyzer.py -s current_signatures/ -p /mnt/lynx1_tmp/

[ERROR]: Error in Yara file: THOR_Webshells.yar
[INFO]: Scanning /mnt/dir/ ...

How might I find out what specifically is the error?

Getting Syntax error when running the file

I am getting this File "yarAnalyzer.py", line 89
print "FILE: %s" % ( filePath )
^
SyntaxError: invalid syntax

Is there a solution? Thank you

release tags

Hello could you please use release tags? I want to package your software for the Archlinux user repository: http://aur.archlinux.org

cheers

Chris

UnicodeDecodeError

Hello I have the following error while executing yarAnalyzer:

=======================================================================

  yarAnalyzer

  (c) Florian Roth
  June 2015
  Version 0.3.3

=======================================================================

[INFO]: Initialized Yara rules from thor-hacktools.yar
[INFO]: Scanning /home/user/malwaremustdie/ ...  
Traceback (most recent call last):
  File "yarAnalyzer.py", line 530, in <module>
    pretty_print(args.noempty, args.l)
  File "yarAnalyzer.py", line 370, in pretty_print
    print x #get_string(sortby="File")
  File "/usr/lib/python2.7/site-packages/prettytable.py", line 240, in __str__
    return self.__unicode__().encode(self.encoding)
  File "/usr/lib/python2.7/site-packages/prettytable.py", line 243, in __unicode__
    return self.get_string()
  File "/usr/lib/python2.7/site-packages/prettytable.py", line 987, in get_string
    formatted_rows = self._format_rows(rows, options)
  File "/usr/lib/python2.7/site-packages/prettytable.py", line 942, in _format_rows
    return [self._format_row(row, options) for row in rows]
  File "/usr/lib/python2.7/site-packages/prettytable.py", line 939, in _format_row
    return [self._format_value(field, value) for (field, value) in zip(self._field_names, row)]
  File "/usr/lib/python2.7/site-packages/prettytable.py", line 890, in _format_value
    return self._unicode(value)
  File "/usr/lib/python2.7/site-packages/prettytable.py", line 181, in _unicode
    value = unicode(value, self.encoding, "strict")
  File "/usr/lib/python2.7/encodings/utf_8.py", line 16, in decode
    return codecs.utf_8_decode(input, errors, True)
UnicodeDecodeError: 'utf8' codec can't decode bytes in position 28-29: unexpected end of data
python2 yarAnalyzer.py -p /home/user/malwaremustdie/  65.80s user 4.80s system 48% cpu 2:25.00 total

I am currently running a second process with --printAll so i can share the file with you.

EDIT: Ok It seems like I can't determine the file because it's only crashing at the end when yaranalyzer should normally print the result