CERT-Polska / karton-yaramatcher

File and analysis artifacts yara matcher for Karton framework
https://github.com/CERT-Polska/karton
BSD 3-Clause "New" or "Revised" License

Is it possible to filter by payload? #15

Open rakovskij-stanislav opened 3 years ago

rakovskij-stanislav commented 3 years ago

I would like to create a service that will trigger only on certain files by yara rule (for example, on UPX-ed or FSG-ed ones). Is there any way to do it, or should I add a possibility to add certain rule names to headers, not payload?

nazywam commented 3 years ago

We'd probably want to solve this with https://github.com/CERT-Polska/karton-classifier/issues/27. This way you'll be able to put your yara rules in the classifier directory and it'll automatically spawn new tasks with matched yara rules

rakovskij-stanislav commented 3 years ago

I don't think so. The task of yara-classifier is to detect file format, not obfuscation / programming language / file artifacts.

Just for example: I saw a pretty good rule on meterpreters / generic linux shells in malpedia / other rule repos, and want to proceed to the C2 hostname:port extractor module, so this way I want to trigger on certain rule names. For now I add new values to the task header: { "yara:"+rulename: True } to use this kind of functionality.
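The header trick described in that last comment, written out as a runnable example. This is added illustration, not code from karton-yaramatcher or from the issue participants, and it does not import Karton: match_filters() is a simplified re-implementation of how Karton routes tasks by headers (assumed here: a task reaches a consumer if any one of its filter dicts matches, and a filter matches only when every key in it is present in the task headers with an equal value). The "yara:" prefix comes from the comment above; lowercasing rule names and the "type": "sample" header are assumptions of this example, not project conventions.

```python
# Added example (not code from karton-yaramatcher or the issue author): models
# the "yara:<rulename>: True" task-header convention from the thread so that a
# downstream Karton service can subscribe only to samples hit by chosen rules.
# Karton is not imported; match_filters() is a simplified model of Karton's
# header-filter semantics (assumption: every key of a filter dict must be
# present with an equal value in the headers; a list of filters is OR-ed).
from typing import Any, Dict, List

HEADER_PREFIX = "yara:"  # convention taken from the issue comment


def build_headers(base: Dict[str, Any], matched_rules: List[str]) -> Dict[str, Any]:
    """Return task headers with one 'yara:<rule>': True flag per matched rule.

    Rule names are lowercased (assumption of this example) so a consumer does
    not need to know how the rule author capitalised the identifier.
    """
    headers = dict(base)
    for rule in matched_rules:
        headers[HEADER_PREFIX + rule.lower()] = True
    return headers


def match_filters(headers: Dict[str, Any], filters: List[Dict[str, Any]]) -> bool:
    """Routing check: deliver if any filter matches; a filter matches only if
    all of its key/value pairs are equal to the task's headers."""
    return any(
        all(headers.get(key) == value for key, value in flt.items())
        for flt in filters
    )


# Constructed sample filters: what a packer-aware extractor would subscribe to.
# Each dict is one alternative, so this reads "UPX-ed OR FSG-ed samples".
PACKER_EXTRACTOR_FILTERS = [
    {"type": "sample", HEADER_PREFIX + "upx": True},
    {"type": "sample", HEADER_PREFIX + "fsg": True},
]


def route(matched_rules: List[str], filters=PACKER_EXTRACTOR_FILTERS) -> bool:
    """Build headers for a sample with the given yara hits and report whether
    it would be delivered to a consumer declaring `filters`."""
    headers = build_headers({"type": "sample"}, matched_rules)
    return match_filters(headers, filters)


if __name__ == "__main__":
    print(route(["UPX"]))      # True: packed sample reaches the extractor
    print(route(["is_pe"]))    # False: unrelated rule, task is not delivered
    print(route([]))           # False: no yara hits at all
```

Because Karton filters are plain equality on header keys, a consumer has to list every rule it cares about as its own filter dict; there is no wildcard over "yara:*", which is the limitation that makes the classifier-side approach linked earlier in the thread attractive.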