krmaxwell / maltrieve

A tool to retrieve malware directly from the source for security researchers.
GNU General Public License v3.0
563 stars 183 forks

Use case: monitor for specific hashes #73

Open krmaxwell opened 9 years ago

krmaxwell commented 9 years ago

A user recently mentioned an interesting use case to me, where they use Maltrieve to monitor for appearance of specific new hashes. They throw everything else away.

We could support this, though I'd probably use a dedicated file (one line per hash) for that.

sroberts commented 9 years ago

@technoskald That's exactly what I hacked together, but I think I can do something better. The other idea, though this gets complex, would be to add the ability to monitor for a specific yara rule hitting.

GelosSnake commented 9 years ago

I started to work on a categorizer by yara rules before sending to viper (add auto tags). Maybe add an option/module for yara scan and then put some kind of "monitor" behavior?

`-y` will scan from an index of yara rules; `-mH` (monitor for a list of hashes); `-mY` (monitor from a list of yara rules)

just an idea.

krmaxwell commented 9 years ago

@sroberts I just didn't want to out you as the user in question, but now I will!

I am interested in developing this idea further, although YARA support could be a significant chunk to bite off.

sroberts commented 9 years ago

Ehh I might be willing to help with that.... now that I'm outed.

krmaxwell commented 9 years ago

I look forward to pull requests. :trollface:

krmaxwell commented 9 years ago

We could implement a hash filter (whitelist), but I don't think Maltrieve should support YARA directly. You can already accomplish that by integrating Maltrieve with some other analysis tool, like Viper or CRITs.
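The hash filter discussed in this thread, written out as an added example (this is not Maltrieve's own code and it is not from any participant here). It assumes the dedicated hash-list format proposed above, one hex digest per line, and accepts MD5, SHA-1 or SHA-256 digests so a list pulled from a report can be used as-is. Retrieved samples are represented as a plain `dict` of source URL to bytes; the URLs, the list contents and the sample bytes are all constructed for the example.

```python
import hashlib

# Constructed watch-list contents, one hash per line as proposed in the issue.
# Blank lines and '#' comments are ignored. The two digests below are
# sha256("hello world") and md5("hello"), chosen so the example is checkable.
HASH_LIST_TEXT = """
# hashes we are watching for (constructed for this example)
b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9
5d41402abc4b2a76b9719d911017c592   # md5
"""

HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def load_hash_list(text):
    """Parse a hash list: one hex digest per line, comments and blanks skipped.

    Returns a set of lowercase digests so membership checks are O(1). A line
    that is not a hex MD5/SHA-1/SHA-256 digest raises ValueError rather than
    being silently ignored, so a malformed list cannot quietly match nothing.
    """
    watched = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if len(line) not in HEX_LENGTHS or any(c not in "0123456789abcdef" for c in line):
            raise ValueError("not a hex MD5/SHA-1/SHA-256 digest: %r" % line)
        watched.add(line)
    return watched


def digests(data):
    """All three digests of a sample, keyed by algorithm name."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_watchlist(data, watched):
    """Return the name of the algorithm whose digest is on the list, or None."""
    for algo, digest in digests(data).items():
        if digest in watched:
            return algo
    return None


def filter_samples(samples, watched):
    """Keep only samples whose hash is on the watch list.

    samples: dict of source URL -> raw bytes (as retrieved).
    Returns a list of (url, matched_algorithm, sha256) for the hits; everything
    else is dropped, which is the 'throw everything else away' use case.
    """
    kept = []
    for url, data in samples.items():
        algo = matches_watchlist(data, watched)
        if algo is not None:
            kept.append((url, algo, hashlib.sha256(data).hexdigest()))
    return kept


if __name__ == "__main__":
    # Constructed retrieval results; 'example.invalid' is a reserved, non-routable name.
    retrieved = {
        "http://example.invalid/a.exe": b"hello world",   # sha256 on the list
        "http://example.invalid/b.exe": b"hello",         # md5 on the list
        "http://example.invalid/c.exe": b"not watched",   # discarded
    }
    for url, algo, sha256 in filter_samples(retrieved, load_hash_list(HASH_LIST_TEXT)):
        print("%s matched by %s (sha256 %s)" % (url, algo, sha256))
```

Normalising the list to lowercase on load and rejecting non-hex lines are the two details that matter in practice: watch lists are usually copied from reports with mixed case and trailing whitespace, and a single bad line should fail loudly instead of leaving a filter that never fires.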