CERT-Polska / mwdb-core

Malware repository component for samples & static configuration with REST API interface.
https://mwdb.readthedocs.io/

YARA Hunting with S3 distributed backend #559

Open sustefil opened 2 years ago

sustefil commented 2 years ago

Feature Category

Describe the problem

Hi there, I am quite new to the MWDB project. I was wondering if there is a possibility of doing a YARA (retro)hunt with the distributed S3 storage. I came across a tweet where you have that feature for mwdb.cert.pl:

https://twitter.com/CERT_Polska_en/status/1270763534067150848

A few questions:

1) Do you consider releasing this feature to the public?
2) Does this work with the S3 distributed storage backend?
3) If not, do you have any other suggestion/idea how to perform YARA hunts when using the S3 distributed storage?

Thank you in advance!

ITAYC0HEN commented 2 years ago

[not a CERTPL member] Hey! :) MQuery can work on top of S3 so you can easily set up MQuery and retro hunt on your MWDB S3-hosted files. We do this @ Check Point and it works great

c3rb3ru5d3d53c commented 2 years ago

I've figured out how to do this, you can DM me on twitter :)

psrok1 commented 2 years ago

Hi! Currently mquery is integrated with mwdb.cert.pl via plugin that needs to be set up on both sides. We definitely plan to publish it and it's already shared with some people, but I want to improve it a bit before we make it public.

I'll notify you in this thread when we make any progress on that.

sustefil commented 2 years ago

@psrok1 Thank you! I will patiently wait for this nice feature to come :)

lazydaemon commented 2 years ago

> [not a CERTPL member] Hey! :) MQuery can work on top of S3 so you can easily set up MQuery and retro hunt on your MWDB S3-hosted files. We do this @ Check Point and it works great

How is the performance and how many samples do you check?

jeremyng123 commented 3 months ago

> Hi! Currently mquery is integrated with mwdb.cert.pl via plugin that needs to be set up on both sides. We definitely plan to publish it and it's already shared with some people, but I want to improve it a bit before we make it public.
>
> I'll notify you in this thread when we make any progress on that.

Hello!! Are there any updates on the plugins? I tried searching but couldn't find it. :)