malpedia / feedback

Public Issue tracker to gather feedback for and allow discussions around Malpedia

scan/yara endpoint only returns 403 #60

Open groldo opened 5 months ago

groldo commented 5 months ago

Describe the bug Malpedia API endpoint scan/yara seems to be broken as it only returns a 403 HTTP error. Maybe the endpoint is TBD?

To Reproduce Run malpediaclient against the scan/yara endpoint, with apitoken or credentials. Neither works. Or get my script from here: https://gist.github.com/groldo/8b33123c44249f241304cb0387b21996 Create malpedia.yaml with

api_token: "<apitoken>"

And run the script.

Expected behavior Get a list of sha256 values for matching samples caught by the rule.


Additional context

Yara rule to be scanned:

rule DetectContactToSpecificIP {
    meta:
        description = "Detect files attempting to contact IP 134.23.9.7"
        author = "Your Name"
        date = "2024-02-01"
    strings:
        $ip_string = "134.23.9.7" ascii
    condition:
        $ip_string
}

Output from malpediaclient:

$ malpediaclient --credentials <username>:<password> scan-yara yara.rule 
[!] No configuration file found, requiring credentials/token from cmdline parameters if needed.
[+] Results: 

Traceback (most recent call last):
  File "./malpediaclient/.venv/bin/malpediaclient", line 33, in <module>
    sys.exit(load_entry_point('malpediaclient==0.2.0', 'console_scripts', 'malpediaclient')())
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "./malpediaclient/.venv/lib/python3.11/site-packages/malpediaclient-0.2.0-py3.11.egg/malpediaclient/cli.py", line 261, in main
  File "./malpediaclient/.venv/lib/python3.11/site-packages/malpediaclient-0.2.0-py3.11.egg/malpediaclient/cli.py", line 250, in <lambda>
  File "./malpediaclient/.venv/lib/python3.11/site-packages/malpediaclient-0.2.0-py3.11.egg/malpediaclient/Client.py", line 210, in scan_yara
  File "./malpediaclient/.venv/lib/python3.11/site-packages/malpediaclient-0.2.0-py3.11.egg/malpediaclient/Client.py", line 219, in __make_api_call
Exception: Not authorized. You need to be authenticated for this API call.

Neither works for apitoken auth.

Output from script:

$ python yara_malpedia_test.py 
rule DetectContactToSpecificIP {
    meta:
        description = "Detect files attempting to contact IP 134.23.9.7"
        author = "Your Name"
        date = "2024-02-01"
    strings:
        $ip_string = "134.23.9.7" ascii
    condition:
        $ip_string
}

200 # api key check
403 Client Error: Forbidden for url: https://malpedia.caad.fkie.fraunhofer.de/api/scan/yara
403 Client Error: Forbidden for url: https://malpedia.caad.fkie.fraunhofer.de/api/scan/yara
exit

Some notes:

danielplohmann commented 3 weeks ago

Hey, thanks a lot for the report. We had to take out that API end point for now as it was occasionally seeing way more traffic than we were able to handle, which affected overall site performance. We plan to revive it in the future once we have dedicated for that. I'll keep the issue open for the time being as a reminder and hook for notification. :)
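Reading the two results in the report together (200 from the API key check, 403 from scan/yara) is what separates a withdrawn endpoint from a bad token, which is the confusion this thread resolves. The client below is an added example, not code from the issue, from the gist or from malpediaclient; it assumes a GET key-check endpoint at /api/check/apikey, an `Authorization: apitoken <token>` header, and the raw YARA rule as the POST body, none of which the page confirms.

```python
import re
import urllib.error
import urllib.request

# The scan/yara URL is the one from the issue; the key-check path and the
# "Authorization: apitoken <token>" header are assumptions about the API.
BASE_URL = "https://malpedia.caad.fkie.fraunhofer.de/api"
SCAN_YARA_URL = f"{BASE_URL}/scan/yara"
CHECK_APIKEY_URL = f"{BASE_URL}/check/apikey"  # assumed path
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")

def auth_headers(api_token):
    return {"Authorization": f"apitoken {api_token}"}

def build_scan_request(rule_text, api_token):
    """POST the YARA rule source as the request body (assumed body format)."""
    headers = {**auth_headers(api_token), "Content-Type": "text/plain"}
    return urllib.request.Request(SCAN_YARA_URL, data=rule_text.encode(),
                                  headers=headers, method="POST")

def classify_scan_outcome(keycheck_status, scan_status, scan_body):
    """Read both responses together so a 403 from scan/yara is not reported
    as a bad token when the key-check endpoint already accepted the token."""
    if keycheck_status != 200:
        return {"state": "bad_credentials", "hashes": []}
    if scan_status == 200:
        # Pull sha256 values from wherever they sit in the body, so this does
        # not depend on an assumed JSON layout.
        return {"state": "ok", "hashes": sorted(set(SHA256_RE.findall(scan_body)))}
    if scan_status in (401, 403):
        # Token is valid, so the refusal concerns the endpoint (withdrawn, per
        # the maintainer's reply) or account privileges, not the credentials.
        return {"state": "endpoint_forbidden", "hashes": []}
    return {"state": f"http_{scan_status}", "hashes": []}

def fetch(request):
    # Return (status, body); HTTP error statuses are data here, not exceptions.
    try:
        with urllib.request.urlopen(request, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def scan_rule(rule_text, api_token):
    check_req = urllib.request.Request(CHECK_APIKEY_URL, headers=auth_headers(api_token))
    check_status, _ = fetch(check_req)
    if check_status != 200:
        return classify_scan_outcome(check_status, 0, "")
    scan_status, body = fetch(build_scan_request(rule_text, api_token))
    return classify_scan_outcome(check_status, scan_status, body)
```

Running `scan_rule(open("yara.rule").read(), token)` against the live service would, for the situation in this issue, return `endpoint_forbidden` rather than the misleading "Not authorized" message the CLI prints.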