PUNCH-Cyber / YaraGuardian

Django web interface for managing Yara rules
Apache License 2.0

Live View Enhancement #37

Closed dmelcher5151 closed 7 years ago

dmelcher5151 commented 7 years ago

Hello folks, thanks for the project. I noticed an enhancement request for Yara Testing (i.e. scanning) and would like to add some requests/suggestions on top of that around how the file scan tab might look and function, which I think could be particularly useful.

First there could be a simple file system browser, with nested folder expansion, to navigate files to scan. Another file system browser that shows the structured Yara rule collection. Another area would have a text editor for live Yara rule modification, which could save or discard changes, etc. A last area could show the hit locations, string matches, debug info, etc, after a scan.

The Yara rules could be selected/deselected or marked for negative (to filter results) on scans against the scan file browser chosen directories or files. The results could be reflected in the file system browser frame via highlighting and filtering, along with the detailed scan result area.

For example, if there are 1000 files in the scan file browser and simple “PDF” and “OFFICE” yara sigs are selected in the rule browser, then only those files with matches would appear in the file browser. I.e., all JPEGs or JARs or whatever else would be grey or gone. If then an “RTF” signature is marked negative, then the OFFICE files that are actually RTF would go away as well. If the RTF rule is then modified in the editor frame to account for some files that were missed, perhaps some syntax validation and color coding would be helpful.

The file system browser areas could allow for file system manipulations. For example, now that we have PDF and OFFICE files without RTFs identified via scan, the user could copy the identified files to a new directory, maybe even zip them up, open in notepad, or whatever. Likewise with the particular Yara rules.

Thanks for your consideration.
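The positive/negative rule filter described in this request, as an added example that is not part of the issue or of YaraGuardian's code. The rules, the sample files and the regex matcher are constructed stand-ins; a real deployment would plug in a matcher built on yara-python's `rules.match(data=...)`.

```python
import re
from typing import Dict, Iterable

# Constructed stand-ins for the "PDF", "OFFICE" and "RTF" rules from the request.
# Each maps a rule name to a byte regex; OFFICE is deliberately loose (it also
# fires on RTF) to reproduce the scenario described in the issue.
RULES: Dict[str, re.Pattern] = {
    "PDF": re.compile(rb"^%PDF-"),
    "OFFICE": re.compile(rb"^(\xd0\xcf\x11\xe0|\{\\rtf)"),
    "RTF": re.compile(rb"^\{\\rtf"),
}

# Constructed sample "directory": filename -> leading file bytes.
FILES: Dict[str, bytes] = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "memo.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "notes.doc": b"{\\rtf1\\ansi\\deff0",  # named .doc, actually RTF
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",
    "app.jar": b"PK\x03\x04\x14\x00",
}


def regex_matcher(data: bytes, rule_names: Iterable[str]) -> Dict[str, int]:
    """Return {rule: offset of first hit} for the named rules that match data.
    A yara-python matcher would build the same dict from
    yara.compile(...).match(data=data), where each match exposes .rule."""
    hits: Dict[str, int] = {}
    for name in rule_names:
        m = RULES[name].search(data)
        if m:
            hits[name] = m.start()
    return hits


def scan(files: Dict[str, bytes], positive, negative, matcher=regex_matcher):
    """Apply the request's filter: keep a file only if at least one positive
    rule hits and no negative rule hits. Returns {filename: {rule: offset}}."""
    kept: Dict[str, Dict[str, int]] = {}
    for filename, data in files.items():
        pos_hits = matcher(data, positive)
        if not pos_hits:
            continue  # greyed out / dropped from the file browser
        if matcher(data, negative):
            continue  # removed by a negative ("filter") rule such as RTF
        kept[filename] = pos_hits
    return kept


if __name__ == "__main__":
    for name, hits in scan(FILES, ["PDF", "OFFICE"], ["RTF"]).items():
        print(name, hits)
```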

dmelcher5151 commented 7 years ago

I should add that these notions are from a previous project that never got worked on and might conflict a bit with the way you've already done rule searching and rule editing. Perhaps those rich features already built can and should tie into this view. Thanks again.

Taskr commented 7 years ago

Hi @dmelcher5151. Thank you for the suggestions. Unfortunately, as you pointed out in your second comment, much of the functionality you suggested would conflict with how Yara Guardian currently operates.

Additionally, due to the project being a web-based manager, the file system manipulations you discussed would likely not scale or function properly in Yara Guardian's current configuration.

For the time being, we will archive this issue. If Yara Guardian restructures in a way that can support this type of feature enhancement, it will be reopened.