new: [YARA] Integration of YARA. Closes #1.

cedricbonhomme · Oct 6, 2023 · e12f54e · e12f54e
1 parent d8f6107
commit e12f54e
Show file tree

Hide file tree

Showing 7 changed files with 70 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -25,7 +25,8 @@ It is recommended to use Python >= 3.11.
   a daemon);
 * verify files with [Hashlookup](https://github.com/hashlookup),
   [Pandora](https://github.com/pandora-analysis),
-  and [MISP](https://github.com/MISP).
+  [MISP](https://github.com/MISP) and
+  [YARA](https://github.com/virustotal/yara).
 
 
 ### Installation
@@ -105,15 +106,13 @@ $ tail log
 
 ### Other features
 
-Check for known malicious files with
-[Hashlookup](https://github.com/hashlookup),
-[Pandora](https://github.com/pandora-analysis) or
-[MISP](https://github.com/MISP).
+Check for known malicious files with Hashlookup, Pandora, MISP or YARA.
 
 ```bash
 $ pyhids hashlookup
 $ pyhids pandora
 $ pyhids misp
+$ pyhids yara
 ```
 
 

diff --git a/bin/main.py b/bin/main.py
@@ -8,6 +8,7 @@
 from pyhids.misp import main as misp
 from pyhids.pandora import main as pandora
 from pyhids.pyHIDS import main as run
+from pyhids.yara_ext import main as yara
 
 
 def main():
@@ -69,6 +70,9 @@ def main():
         "misp", help="Uses MISP in order to verify the hashes of the files."
     )
 
+    # Subparser: Yara
+    subparsers.add_parser("yara", help="Uses Yara in order to verify the files.")
+
     arguments = parser.parse_args()
 
     if arguments.command == "gen-keys":
@@ -83,6 +87,8 @@ def main():
         pandora()
     elif arguments.command == "misp":
         misp()
+    elif arguments.command == "yara":
+        yara()
     else:
         return "Unknown sub-command."
 

diff --git a/conf.cfg-sample b/conf.cfg-sample
@@ -7,6 +7,8 @@ password = <password>
 [misp]
 root_url = https://misppriv.circl.lu/
 key = <key>
+[yara]
+rules = yara_rules/rules.yara
 [irc]
 enabled = 0
 channel = irc://irc.libera.chat/#testpyHIDS

diff --git a/conf.py b/conf.py
@@ -60,6 +60,8 @@
 MISP_URL = config.get("misp", "root_url")
 MISP_KEY = config.get("misp", "key")
 
+YARA_RULES = config.get("yara", "rules")
+
 # address of the log file :
 LOGS = os.path.join(PATH, "log")
 # address of the database of hash values :

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyhids/yara_ext.py b/pyhids/yara_ext.py
@@ -0,0 +1,33 @@
+#! /usr/bin/env python
+
+import pprint
+
+import yara
+
+import conf
+from pyhids import utils
+
+
+def main():
+    pp = pprint.PrettyPrinter(indent=4)
+    try:
+        rules = yara.compile(conf.YARA_RULES)
+    except Exception as e:
+        print("Problem when compiling the YARA rules.")
+        print(e)
+        exit(1)
+    result = {}
+    base = utils.load_base()
+    for (path, _sha1) in list(base["files"].items()):
+        try:
+            matches = rules.match(path, timeout=60)
+        except Exception:
+            continue
+        if matches:
+            result[path] = matches
+    if result:
+        pp.pprint(result)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "pyHIDS"
-version = "0.7.1"
+version = "0.8.0"
 description = "A host-based intrusion detection system."
 authors = ["Cédric Bonhomme <[email protected]>"]
 license = "GPL-3.0-or-later"
@@ -39,6 +39,7 @@ rsa = "^4.9"
 pyhashlookup = "^1.2.1"
 pypandora = "^1.5.0"
 pymisp = "^2.4.176"
+yara-python = "^4.3.1"
 
 [tool.poetry.group.dev.dependencies]
 flake8 = "^6.0.0"