Add r2yara cli tool #2

Open
trufae opened this issue Oct 6, 2023 · 2 comments
Comments


trufae commented Oct 6, 2023

The idea is to have a cli tool to download and manage your yara rule database in your home; all those rules are loaded by the yara plugin. We may have a yara rules-source database somewhere, and let the user download and update new ones for the purpose they need. This tool can be written in Python or the language of choice, as it will probably be running json+rest requests on endpoints to search and download those, and in some cases this requires api keys, like for virustotal.

Some rule databases around:


radare commented May 7, 2024

This tool can be written in r2js, python or C; ideally it should just spawn r2 and do whatever is needed to generate the yara rules from the options given.

I would probably wait a little for more feedback and discussions to get this done.

@seifreed

To start working on this, we can build a similar script like:

import os
import requests
import json
import shutil

# Load configuration from config.json
with open('config.json') as config_file:
    config = json.load(config_file)

sources = config['sources']
radare_yara_dir = config['radare_yara_dir']

# Check if YARA rules directory exists, create if not
if not os.path.exists(radare_yara_dir):
    os.makedirs(radare_yara_dir)

# Function to download YARA rules with optional API key support
def download_yara_rules(url, destination_dir, api_key=None):
    headers = {}
    if api_key:
        headers['Authorization'] = f'Bearer {api_key}'  # Adjust as per the API's requirements

    try:
        response = requests.get(url, stream=True, headers=headers, timeout=30)
        if response.status_code == 200:
            # Name the file after the last path component of the URL
            filename = os.path.join(destination_dir, url.rstrip("/").split("/")[-1] + ".yara")
            with open(filename, 'wb') as f:
                shutil.copyfileobj(response.raw, f)
            print(f"Downloaded {filename}")
        else:
            print(f"Failed to download from {url}, status code: {response.status_code}")
    except Exception as e:
        print(f"Error downloading from {url}: {str(e)}")

# Download rules from each source; each entry is an object with a "url" and,
# when "requires_api_key" is set, an "api_key"
for source in sources:
    api_key = source.get('api_key') if source.get('requires_api_key') else None
    download_yara_rules(source['url'], radare_yara_dir, api_key)

print("Download complete.")

The config file can be something like:

{
  "sources": [
    {
      "name": "StefanKelm YARA Rules",
      "url": "https://github.com/StefanKelm/yara-rules",
      "requires_api_key": false
    },
    {
      "name": "VirusTotal Crowdsourced YARA Rules",
      "url": "https://www.virustotal.com/api/v3/rulesets",
      "requires_api_key": true,
      "api_key": "your_virustotal_api_key_here"
    },
    {
      "name": "InQuest YARA Rules",
      "url": "https://github.com/InQuest/awesome-yara",
      "requires_api_key": false
    },
    {
      "name": "Malpedia YARA Rules",
      "url": "https://malpedia.caad.fkie.fraunhofer.de",
      "requires_api_key": false
    }
  ],
  "radare_yara_dir": "/path/to/radare2/rules/"
}
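A hardened variant of the sync loop above, added here as an example; it is not code from r2yara or from any of the commenters. It assumes two hypothetical config fields, api_key_env (the name of an environment variable holding the key, so no secret has to live in config.json) and an optional sha256 for pinning a rule file, and the URLs in the constructed sample config are placeholders. The fetch function is injectable so the logic can be exercised without network access.

```python
import hashlib
import json
import os
import re
import tempfile
from urllib.parse import urlparse

import requests


def sample_config_text(dest_dir=None, rules_sha256=None):
    """Constructed sample config (hypothetical fields: api_key_env, sha256).
    The API key is named by an environment variable, never stored in the file."""
    dest_dir = dest_dir or tempfile.mkdtemp(prefix="r2yara-example-")
    return json.dumps({
        "sources": [
            {"name": "example-rules",
             "url": "https://example.invalid/rules/apt.yar",   # placeholder URL
             "requires_api_key": False,
             "sha256": rules_sha256},
            {"name": "vt-rulesets",
             "url": "https://example.invalid/api/v3/rulesets",  # placeholder URL
             "requires_api_key": True,
             "api_key_env": "VT_API_KEY"},
        ],
        "radare_yara_dir": dest_dir,
    })


def load_sources(config_text):
    """Parse the config and reject sources that are not https:// or that embed a key."""
    config = json.loads(config_text)
    sources = config["sources"]
    for s in sources:
        if not isinstance(s.get("url"), str) or urlparse(s["url"]).scheme != "https":
            raise ValueError(f"source {s.get('name')!r}: only https:// URLs are accepted")
        if s.get("requires_api_key") and "api_key" in s:
            raise ValueError(f"source {s['name']!r}: keep the key in the environment, not the config")
    return sources, config["radare_yara_dir"]


def build_headers(source, environ=os.environ):
    """Resolve the API key from the environment variable named in the source entry."""
    if not source.get("requires_api_key"):
        return {}
    env_name = source.get("api_key_env")
    key = environ.get(env_name) if env_name else None
    if not key:
        raise RuntimeError(f"source {source['name']!r}: set ${env_name} to the API key")
    return {"Authorization": f"Bearer {key}"}


def safe_rule_filename(source):
    """Derive a flat filename from the source name: no path separators, no leading dots."""
    base = re.sub(r"[^A-Za-z0-9._-]+", "_", source["name"]).strip("._")
    if not base:
        raise ValueError("source name yields an empty filename")
    return base + ".yar"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data, expected):
    """A missing pin passes; a present pin must match exactly."""
    return expected is None or sha256_hex(data) == expected.lower()


def requests_fetch(url, headers):
    """Real network fetch used when the script runs stand-alone."""
    resp = requests.get(url, headers=headers, timeout=30)
    resp.raise_for_status()
    return resp.content


def sync_rules(config_text, fetch=requests_fetch, environ=os.environ):
    """Download every source; return {filename: status}, never aborting on one failure."""
    sources, dest_dir = load_sources(config_text)
    os.makedirs(dest_dir, exist_ok=True)
    results = {}
    for source in sources:
        fname = safe_rule_filename(source)
        target = os.path.join(dest_dir, fname)
        try:
            data = fetch(source["url"], build_headers(source, environ))
        except Exception as exc:
            results[fname] = f"error: {exc}"
            continue
        if not verify_sha256(data, source.get("sha256")):
            results[fname] = "sha256 mismatch, not written"
            continue
        tmp = target + ".part"
        with open(tmp, "wb") as fh:
            fh.write(data)
        os.replace(tmp, target)  # atomic swap: the plugin never sees a half-written file
        results[fname] = "ok"
    return results


if __name__ == "__main__":
    for name, status in sync_rules(sample_config_text()).items():
        print(name, status)
```

Rule files dropped into the plugin directory are loaded and evaluated on every scan, so the example insists on https:// sources, names the file after the source entry rather than the URL tail, checks an optional sha256 pin before writing, and writes through a temporary file with os.replace so a failed download cannot leave a truncated rule behind.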
