Closed. TheAwakener closed this issue 2 months ago.
Dear @TheAwakener, the alert-via property doesn't support the systray value. Here is the YAML schema declaration: https://github.com/rabbitstack/fibratus/blob/092923b7a06eeff8555f405b5a2299dcd482af90/pkg/config/schema_windows.go#L477
I will investigate the fastscan property.
Dear @TheAwakener, there is an issue in your YAML structure.
The fastscan property is a child of the yara object, not of the rule object.
Below is the correct tree:

```yaml
# =============================== YARA =================================================
# Tweaks that influence the behaviour of the YARA scanner.
yara:
  # Indicates if the YARA scanner is enabled. When enabled, each newly created process is scanned for pattern matches.
  enabled: true
  # Contains rule paths and rule definition information
  rule:
    # Represents the paths within the file system along with the YARA namespace identifier
    paths:
      - path: "C:\\rules\\"
        namespace: "default"
    # Represents the string with the rule definition along with the YARA namespace identifier
    strings:
      - string:
        namespace:
  # Indicates which sender is used to transport the alert generated by scanner
  #alert-via: systray
  # Specifies templates for the alert title and text in Go templating language (https://golang.org/pkg/text/template)
  #alert-template:
  #  title:
  #  text:
  # Determines when multiple matches of the same string can be avoided when not necessary
  fastscan: true
  # Specifies the timeout for the scanner. If the timeout is reached, the scan operation is cancelled
  #scan-timeout: 20s
  # Indicates whether file scanning is disabled. This affects the scan triggered by the image loading events.
  #skip-files: true
  # Contains the list of file names that shouldn't be scanned
  #excluded-files:
  #  - kernel32.dll
  # Contains the list of the process' image names that shouldn't be scanned
  #excluded-procs:
  #  - System
```
@rabbitstack I think the issue is here: https://github.com/rabbitstack/fibratus/blob/092923b7a06eeff8555f405b5a2299dcd482af90/configs/fibratus.yml#L590
Thanks for jumping in @ablescia. Your reasoning is correct. The error is raised because of an unfortunate indentation mess-up in the YAML config file. alert-via and all subsequent attributes shouldn't be nested inside the rule attribute, but be at the same level. I'll fix this along with the alert-via enum in release 2.3.0.
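The indentation mistake described above can be spotted before Fibratus rejects the config. The following is an added example (not part of the thread or of the Fibratus code base): a small stdlib-only checker that derives each key's dotted path from indentation and flags the yara-level properties named in the thread when they land under yara.rule. The two YAML fragments are constructed for the demonstration, and the resolver is deliberately minimal (block mappings only), not a full YAML parser.

```python
import re
from typing import List, Tuple

# Properties that the thread says belong directly under `yara`, not `yara.rule`
# (the schema error: "yara.rule: Additional property fastscan is not allowed").
YARA_LEVEL_KEYS = {"alert-via", "alert-template", "fastscan", "scan-timeout",
                   "skip-files", "excluded-files", "excluded-procs"}

def key_paths(yaml_text: str) -> List[Tuple[str, str]]:
    """Return (dotted_parent_path, key) for each mapping key, using only
    indentation to decide nesting. Comments and list-item lines are skipped."""
    stack: List[Tuple[int, str]] = []      # (indent, key) of enclosing mappings
    found: List[Tuple[str, str]] = []
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        body = line.lstrip(" ")
        if body.startswith("- "):              # sequence items keep parent path
            continue
        m = re.match(r"([A-Za-z0-9_-]+)\s*:", body)
        if not m:
            continue
        while stack and stack[-1][0] >= indent:  # leave deeper/equal mappings
            stack.pop()
        found.append((".".join(k for _, k in stack), m.group(1)))
        stack.append((indent, m.group(1)))
    return found

def misplaced(yaml_text: str) -> List[str]:
    """Full paths of yara-level keys that ended up somewhere other than `yara`."""
    return [f"{parent}.{key}" for parent, key in key_paths(yaml_text)
            if key in YARA_LEVEL_KEYS and parent != "yara"]

# Constructed sample: the indentation mess-up (keys nested under rule) ...
BROKEN = r"""
yara:
  enabled: true
  rule:
    paths:
      - path: "C:\\rules\\"
        namespace: "default"
    fastscan: true
    scan-timeout: 20s
"""
# ... and the same config with the keys moved up to the yara level.
FIXED = BROKEN.replace("    fastscan", "  fastscan").replace("    scan-timeout", "  scan-timeout")
```

Running `misplaced(BROKEN)` reports `yara.rule.fastscan` and `yara.rule.scan-timeout`, while `misplaced(FIXED)` is empty.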
@TheAwakener FYI: We're planning to massively improve YARA scanning as described in #209
@ablescia @rabbitstack thanks guys for your help
I'm testing this wonderful tool for YARA memory scanning, but I have had several issues trying to make it work properly. For example, trying to enable fastscan or alert via systray results in the following error:
Error: invalid config: yara.rule: Must validate at least one schema (anyOf), yara.rule: Additional property alert-via is not allowed, yara.rule: Additional property fastscan is not allowed
Yara input is the public rules published by Elastic. You can find them here
Yara settings in the config file for Fibratus: