Question - Yara Scanning Referencing Yara Rule File


Ryan Lovergine

Feb 4, 2021, 9:29:32 PM2/4/21
to velociraptor-discuss
I'm trying to run a Yara Scan to scan the filesystem for malicious files. I have a Yara Rule file that I'm trying to reference; however, I have not been able to figure out which Artifact supports referencing the Yara Rule File. The only artifact that I've seen that allows me to point to the .YAR file that I've uploaded to the public URL is the RemoteYara.Process scan.

Mike Cohen

Feb 4, 2021, 9:34:55 PM2/4/21
to Ryan Lovergine, velociraptor-discuss
Hi Ryan,
   If your ruleset is smallish you can just paste it into the GUI with the Windows.Search.FileFinder artifact (There are similar FileFinder artifacts for other OSs). 

If your rule is really large then you can upload it as a tool to the Windows.Search.Yara artifact - this will push the rule file to the endpoint in an efficient way (and also cache it on there so it can be scanned multiple times).

Also you can use https://github.com/Velocidex/yara-tools to clean up most yara rules to cut down their size (remove metadata and other cruft).

Thanks
Mike


Mike Cohen 
Digital Paleontologist, 
Velocidex Enterprises
M +61 470 238 491
mi...@velocidex.com 



Ryan Lovergine

Feb 4, 2021, 9:38:02 PM2/4/21
to velociraptor-discuss

I should also specify that the YAR rules I’m using call to import PE, HASH, MATCH and TIME. When using ‘Windows.Search.Yara’ with this ruleset, I get the following error: Failed to initialize YARA compiler: Invalid field name “signatures”


Thanks,

Ryan


Mike Cohen

Feb 4, 2021, 9:40:28 PM2/4/21
to Ryan Lovergine, velociraptor-discuss
Yeah, we don't build yara with signature support because that pulls in the entire openssl dependency. If you need to verify signatures you can use the authenticode() VQL function.

Not sure about hash support (use VQL hash() instead) - again it might need openssl too but pe support should work fine.

Thanks
Mike


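As an added pre-flight check (not code from this thread, from Velociraptor, or from yara-tools), the Python snippet below flags the constructs Mike says the bundled yara cannot compile and strips meta: blocks the way yara-tools trims a ruleset before it is pasted into the GUI or pushed as a tool. The sample ruleset is constructed, and flagging `import "hash"` is an assumption, since the thread is only unsure whether the hash module needs openssl.

```python
import re

# Constructed sample ruleset modelled on the thread: it imports "pe" and "hash"
# and references pe.signatures, which Velociraptor's openssl-less yara rejects
# with "Invalid field name 'signatures'".
SAMPLE_RULES = '''import "pe"
import "hash"

rule suspicious_signed_pe
{
    meta:
        author = "constructed example"
        description = "demo rule using fields Velociraptor cannot compile"
    strings:
        $a = "evil" ascii
    condition:
        uint16(0) == 0x5A4D and $a and
        for any sig in pe.signatures : (sig.subject contains "Contoso")
}
'''

# (label, pattern, VQL function the thread suggests instead). The pe.signatures
# entry matches the thread's compiler error; the hash entry is an assumption,
# because the thread only suspects the hash module also needs openssl.
CHECKS = [
    ("pe.signatures", re.compile(r"\bpe\.signatures\b"), "authenticode()"),
    ('import "hash"', re.compile(r'^[ \t]*import[ \t]+"hash"[ \t]*$', re.M), "hash()"),
]

# A meta: block runs from its header line up to the next strings: or condition: line.
META_BLOCK = re.compile(
    r"^[ \t]*meta:[ \t]*\n(?:(?![ \t]*(?:strings|condition)[ \t]*:).*\n)*", re.M
)


def find_unsupported(rule_text):
    """Return (feature, replacement VQL) pairs for constructs that Velociraptor's
    yara build cannot compile, so they can be swapped for VQL before upload."""
    return [(label, vql) for label, rx, vql in CHECKS if rx.search(rule_text)]


def strip_meta(rule_text):
    """Drop meta: sections (the cruft yara-tools removes) to shrink the ruleset."""
    return META_BLOCK.sub("", rule_text)


if __name__ == "__main__":
    for feature, vql in find_unsupported(SAMPLE_RULES):
        print(f"{feature}: not available in Velociraptor's yara, use VQL {vql}")
    print(strip_meta(SAMPLE_RULES))
```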
