Open YamatoSecurity opened 1 week ago
Update: The encrypted rules.zip has been created through this issue: https://github.com/Yamato-Security/hayabusa-encrypted-rules/issues/1
So we can download the file from this URL: https://github.com/Yamato-Security/hayabusa-encrypted-rules/raw/main/rules.zip
In order to prevent Windows Defender from alerting on false positives on yml rules and to minimize the amount of files we need to save to the system, I would like to have hayabusa load the rules from an encrypted zip file that will be hosted at https://github.com/Yamato-Security/hayabusa-encrypted-rules
Note: we should wait for https://github.com/Yamato-Security/hayabusa-encrypted-rules/issues/1 to be implemented before implementing this issue.
To implement:
Add `-e, --encrypted-rules  Download encrypted rules` to `General Options` in the `update-rules` command. This will delete all data in `rules/*` and download the `rules.zip` file from the `hayabusa-encrypted-rules` repository and save it to the `rules` folder. (Note: I want to just download this specific file instead of git cloning the repository so we do not download unneeded files like the Readme, license, etc... The rules config files will also be in this file so Hayabusa should load the rules config file from the zip file. Since loading encrypted rules is mainly for using hayabusa when running on many PCs in a network, we do not need to worry about outputting the updated rules so we can skip the output of what rules were updated. We can just output the message `The latest encrypted rules file was downloaded.`)
`rules.zip` file in the `rules` directory. If there is, try to decrypt it with the `yamato-security-hayabusa` password and load the rules config and yml rules files and use those for scanning.
@hitenkoku Please tell me if this implementation sounds good or if you want to change something.
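A sketch of the loading flow described in the issue, as an added example in Python (not hayabusa's own code, which is Rust): it prefers `rules/rules.zip`, decrypts it in memory with the password given in the issue so no yml file is written to disk, and falls back to loose rule files otherwise. The `build_sample_zip` helper and its entries are constructed for testing; since the password is published in the issue, the archive only keeps the yml rules away from signature scanners and is not a confidentiality control.

```python
import io
import zipfile
from pathlib import Path

# Password from the issue; it is public, so the zip is not a secret-keeping control.
RULES_ZIP_PASSWORD = b"yamato-security-hayabusa"
RULES_ZIP_NAME = "rules.zip"
RULE_SUFFIXES = (".yml", ".yaml")


def load_rules(rules_dir: Path) -> dict[str, str]:
    """Return {entry name: YAML text}, preferring rules/rules.zip read in
    memory and falling back to the loose files under rules/."""
    zip_path = rules_dir / RULES_ZIP_NAME
    if zip_path.is_file():
        return load_rules_from_zip(zip_path.read_bytes())
    return {
        p.relative_to(rules_dir).as_posix(): p.read_text(encoding="utf-8")
        for p in sorted(rules_dir.rglob("*"))
        if p.is_file() and p.suffix in RULE_SUFFIXES
    }


def load_rules_from_zip(data: bytes) -> dict[str, str]:
    """Decrypt and read every YAML entry of rules.zip without extracting it."""
    rules: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or not name.endswith(RULE_SUFFIXES):
                continue
            # Refuse entry names that would escape the rules directory
            # if anything ever did extract this archive to disk.
            if name.startswith("/") or ".." in Path(name).parts:
                raise ValueError(f"unsafe entry name in rules.zip: {name}")
            # pwd is only consulted for encrypted (ZipCrypto) entries.
            rules[name] = zf.read(info, pwd=RULES_ZIP_PASSWORD).decode("utf-8")
    return rules


def build_sample_zip(entries: dict[str, str]) -> bytes:
    """Constructed sample archive for testing. The stdlib cannot write
    ZipCrypto, so these entries are unencrypted; the loader path is the same."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()
```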