chainguard-dev / malcontent

#supply #chain #attack #detection
Apache License 2.0

Port malcontent to YARA-X #227

Open tstromberg opened 6 months ago

tstromberg commented 6 months ago

YARA now has official Go bindings:

https://virustotal.github.io/yara-x/blog/yara-is-dead-long-live-yara-x/

There are only 2-3 calls into the existing library we use - https://github.com/hillu/go-yara - but I'm sure the data structure it returns has some differences that will need to be resolved.

Here's where I would start making the change:

https://github.com/chainguard-dev/bincapz/blob/996ba4c2c19d42694937f9b50af3bbc74b2ca3af/pkg/compile/compile.go#L59

This function, which converts YARA results into an internal FileReport struct will also need changes:

https://github.com/chainguard-dev/bincapz/blob/996ba4c2c19d42694937f9b50af3bbc74b2ca3af/pkg/report/report.go#L275

egibs commented 6 months ago

Looks like this will be a pre-req for working with Yara-X.

I ran into issues running cargo install cargo-c on macOS and had to run:

cargo clean && PATH="/usr/bin:$PATH" cargo install cargo-c

to avoid using strip from Brew's binutils:

❯ which strip
/opt/homebrew/opt/binutils/bin/strip

tstromberg commented 6 months ago

Ouch. With this change, it sounds like we'd be taking on two large dependencies that we didn't have before. I think that we should save this change for a little while - at least until YARA-X is available in homebrew and the mainstream Linux distros.

Closing this for now - but I expect we'll likely resurrect it by the end of the year.

egibs commented 4 months ago

Found an example of Yara-X usage in Go: https://github.com/zz1gg/threatchecker/blob/main/utils/yara_x.go and used it as a reference for a very WIP feature branch.

There's a way to ignore modules when compiling rules but it doesn't seem like we get much control over warnings or errors like we do with the current package.

Aside from that, it looks like most everything else should be accessible except for Tags, which don't seem to be a concept with Yara-X (at least as of version 0.5.0).
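
Added example (not code from the malcontent repository or the yara-x bindings): the result-conversion step the port needs, isolated so it can run without cgo or libyara_x. The `x*` types are local stand-ins shaped after what the yara-x Go bindings expose per matching rule (identifier, namespace, metadata, patterns with match offsets); `Behavior` and `MatchString` are a simplified, hypothetical stand-in for the per-rule record in malcontent's FileReport; and carrying tags in a space-separated `tags` metadata field, as a workaround for the missing Tags concept, is an assumption of this example, not a convention either project defines. The sample scan result is constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Local stand-ins for the per-rule data yara-x's Go bindings return
// (assumed shape; NOT the library's types). They let the conversion logic run
// offline without cgo or libyara_x.
type xMeta struct {
	Key   string
	Value string
}

type xMatch struct {
	Offset int
	Length int
}

type xPattern struct {
	Ident   string
	Matches []xMatch
}

type xRule struct {
	Ident     string
	Namespace string
	Meta      []xMeta
	Patterns  []xPattern
}

// Behavior is a hypothetical, simplified stand-in for the per-rule record that
// malcontent's FileReport carries; not the project's actual struct.
type Behavior struct {
	Rule      string
	Namespace string
	Tags      []string
	Meta      map[string]string
	Strings   []MatchString
}

// MatchString records one matched pattern occurrence.
type MatchString struct {
	Name   string
	Offset int
	Length int
}

// tagsFromMeta is the fallback for the missing Tags concept: tags are read from
// a space-separated "tags" metadata field. This convention is an assumption of
// the example, not something yara-x or malcontent defines.
func tagsFromMeta(meta map[string]string) []string {
	raw, ok := meta["tags"]
	if !ok {
		return nil
	}
	tags := strings.Fields(raw)
	sort.Strings(tags)
	return tags
}

// convert turns yara-x-shaped results into the internal Behavior list. It keeps
// the first value for a duplicated metadata key, drops patterns with no matches,
// and sorts both strings and rules so reports are stable across runs.
func convert(rules []xRule) []Behavior {
	out := make([]Behavior, 0, len(rules))
	for _, r := range rules {
		meta := make(map[string]string, len(r.Meta))
		for _, m := range r.Meta {
			if _, dup := meta[m.Key]; !dup {
				meta[m.Key] = m.Value
			}
		}
		var strs []MatchString
		for _, p := range r.Patterns {
			for _, m := range p.Matches {
				strs = append(strs, MatchString{Name: p.Ident, Offset: m.Offset, Length: m.Length})
			}
		}
		sort.Slice(strs, func(i, j int) bool {
			if strs[i].Offset != strs[j].Offset {
				return strs[i].Offset < strs[j].Offset
			}
			return strs[i].Name < strs[j].Name
		})
		out = append(out, Behavior{
			Rule:      r.Ident,
			Namespace: r.Namespace,
			Tags:      tagsFromMeta(meta),
			Meta:      meta,
			Strings:   strs,
		})
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Namespace != out[j].Namespace {
			return out[i].Namespace < out[j].Namespace
		}
		return out[i].Rule < out[j].Rule
	})
	return out
}

// sampleResults is constructed input standing in for one file's scan result.
func sampleResults() []xRule {
	return []xRule{
		{
			Ident: "reverse_shell", Namespace: "exec",
			Meta: []xMeta{{Key: "description", Value: "spawns a shell over a socket"}, {Key: "tags", Value: "critical shell"}},
			Patterns: []xPattern{
				{Ident: "$sh", Matches: []xMatch{{Offset: 128, Length: 7}}},
				{Ident: "$unused"}, // no matches: dropped from Strings
			},
		},
		{
			Ident: "curl_download", Namespace: "download",
			Meta:     []xMeta{{Key: "description", Value: "fetches remote content"}, {Key: "description", Value: "duplicate, ignored"}},
			Patterns: []xPattern{{Ident: "$curl", Matches: []xMatch{{Offset: 9, Length: 4}, {Offset: 2, Length: 4}}}},
		},
	}
}

func main() {
	for _, b := range convert(sampleResults()) {
		fmt.Printf("%s/%s tags=%v meta=%v strings=%v\n", b.Namespace, b.Rule, b.Tags, b.Meta, b.Strings)
	}
}
```

Keeping the backend-specific shape confined to one converter like this means the rest of the report code only ever sees `Behavior`, so swapping go-yara's value structs for yara-x's accessor objects touches one function rather than every consumer of the report.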

fproulx-boostsecurity commented 5 days ago

@tstromberg it's in homebrew now (https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/y/yara-x.rb)

tstromberg commented 5 days ago

That's great news! @egibs has also been working on upstream patches that should soon make it possible to port malcontent to YARA-X.

egibs commented 5 days ago

Yep -- there were two missing features that we rely on in go-yara:

Once those are officially released, we can start working on moving everything over*.

* Also, the yara-x C API is installed via cargo cinstall rather than what we're used to with Yara but it shouldn't be that much of a lift.