Closed egibs closed 2 months ago
@egibs would you mind rebasing and ping me so we can get this merged.
@vaikas done!
Amazing! Thank you so much @.****!!!!! ❤️
On Tue, Apr 30, 2024 at 12:28 PM mthcht @.***> wrote:
@.**** commented on this pull request.
In Makefile https://github.com/chainguard-dev/bincapz/pull/160#discussion_r1585425668 :
@@ -56,3 +56,7 @@ update-yaraforge: mkdir -p out curl -sL -o out/yaraforge.zip https://github.com/YARAHQ/yara-forge/releases/latest/download/yara-forge-rules-full.zip unzip -o -j out/yaraforge.zip packages/full/yara-rules-full.yar -d rules/third_party/ + +.PHONY: update-threathunting-keywords +update-threathunting-keywords:
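Review bot: the quoted hunk stops at the new `update-threathunting-keywords:` target line, so its recipe is not visible here; if it follows the `update-yaraforge` target directly above it (`curl -sL` against a `releases/latest/download/...` URL, then `unzip -o -j ... -d rules/third_party/`), the fetched rule set is neither pinned nor integrity-checked, so the third-party rules that end up in `rules/third_party/` can change silently between runs. Consider pinning the download to a tagged upstream release and verifying a checksum of the archive before extracting it.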
Hello @egibs https://github.com/egibs @vaikas https://github.com/vaikas FYI i put the first release here https://github.com/mthcht/ThreatHunting-Keywords/releases, it will be updated every month or every two months with more details in the next releases
np :) the correct page for the yara project https://github.com/mthcht/ThreatHunting-Keywords-yara-rules/releases
Closes: https://github.com/chainguard-dev/bincapz/issues/61

This PR adds the YARA rules from https://github.com/mthcht/ThreatHunting-Keywords-yara-rules and adds an additional `RuleProject` field to better attribute third-party rules.

The major caveat with these rules is that they trigger macOS' malware protections, which `sudo xattr -d ...` and `sudo spctl --master-disable` cannot bypass. I did test `csrutil disable`, but that is neither a solution nor advisable.

Once the image is updated with these changes, it should be trivial for macOS users to run the containerized version of `bincapz` if `--third-party` rules are needed. Related to this, I set `--third-party` to `false` by default so that macOS users aren't hit with the `will damage your computer` prompt.

Example output:

JSON with additional details: