Open trufae opened 1 year ago
This tool can be written in r2js, Python or C; ideally it should just spawn r2 and do whatever is needed to generate the YARA rules from the options given.
I would probably wait a little for more feedback and discussions to get this done.
To start working on this, we can build a similar script like:
```python
import os
import requests
import json
import shutil

# Load configuration from config.json
with open('config.json') as config_file:
    config = json.load(config_file)

sources = config['sources']
radare_yara_dir = config['radare_yara_dir']

# Check if YARA rules directory exists, create if not
if not os.path.exists(radare_yara_dir):
    os.makedirs(radare_yara_dir)

# Function to download YARA rules with optional API key support
def download_yara_rules(url, destination_dir, api_key=None):
    headers = {}
    if api_key:
        headers['Authorization'] = f'Bearer {api_key}'  # Adjust as per the API's requirements
    try:
        response = requests.get(url, stream=True, headers=headers, timeout=30)
        if response.status_code == 200:
            filename = os.path.join(destination_dir, url.split("/")[-1] + ".yara")
            with open(filename, 'wb') as f:
                shutil.copyfileobj(response.raw, f)
            print(f"Downloaded {filename}")
        else:
            print(f"Failed to download from {url}, status code: {response.status_code}")
    except Exception as e:
        print(f"Error downloading from {url}: {str(e)}")

# Download rules from each source. Each entry in config.json is an object,
# so pass its URL and, when the source requires one, its API key.
for source in sources:
    api_key = source.get('api_key') if source.get('requires_api_key') else None
    download_yara_rules(source['url'], radare_yara_dir, api_key)
print("Download complete.")
```
The config file can be something like:
```json
{
  "sources": [
    {
      "name": "StefanKelm YARA Rules",
      "url": "https://github.com/StefanKelm/yara-rules",
      "requires_api_key": false
    },
    {
      "name": "VirusTotal Crowdsourced YARA Rules",
      "url": "https://www.virustotal.com/api/v3/rulesets",
      "requires_api_key": true,
      "api_key": "your_virustotal_api_key_here"
    },
    {
      "name": "InQuest YARA Rules",
      "url": "https://github.com/InQuest/awesome-yara",
      "requires_api_key": false
    },
    {
      "name": "Malpedia YARA Rules",
      "url": "https://malpedia.caad.fkie.fraunhofer.de",
      "requires_api_key": false
    }
  ],
  "radare_yara_dir": "/path/to/radare2/rules/"
}
```
The idea is to have a CLI tool to download and manage your YARA rule database in your home; all those rules are loaded by the yara plugin. We may have a YARA rule-source database somewhere, and let the user download and update new ones for the purpose they need. This tool can be written in Python or the language of choice, as it will probably be running JSON+REST requests on endpoints to search and download those, and in some cases this requires API keys, like for VirusTotal.
Some rule databases around:
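An added example (not code from the issue or from the radare2 project) of the "manage and update" side sketched above: sources that need a key the user has not supplied are skipped rather than requested, file names are derived from the source name so a crafted entry cannot escape the rules directory, and an index.json of SHA-256 digests lets reruns rewrite only rules that actually changed. The config and the `fetch` callback are constructed stand-ins so it runs offline; the hosts are placeholders.

```python
import hashlib
import json
import re
from pathlib import Path

# Constructed config in the shape sketched in the issue (placeholder hosts).
CONFIG = {"sources": [
    {"name": "StefanKelm YARA Rules", "url": "https://example.invalid/sk.yar", "requires_api_key": False},
    {"name": "VirusTotal Crowdsourced YARA Rules", "url": "https://example.invalid/vt", "requires_api_key": True},
]}

def safe_rule_filename(name):
    """Filesystem-safe name from the source name, so a hostile entry cannot
    write outside the rules directory (e.g. '../evil' becomes 'evil.yara')."""
    slug = re.sub(r"[^A-Za-z0-9._-]+", "_", name).strip("._")
    return (slug or "rules") + ".yara"

def plan_downloads(config, api_keys):
    """Pair each source with request headers; sources needing a key we lack are skipped."""
    plan, skipped = [], []
    for src in config["sources"]:
        headers = {}
        if src.get("requires_api_key"):
            key = api_keys.get(src["name"])
            if not key:
                skipped.append(src["name"])
                continue
            headers["Authorization"] = f"Bearer {key}"
        plan.append((src["name"], src["url"], headers, safe_rule_filename(src["name"])))
    return plan, skipped

def sync_rules(config, api_keys, fetch, rules_dir):
    """fetch(url, headers) -> bytes is injected (hypothetical) so this runs offline.
    Returns {source name: 'new' | 'updated' | 'unchanged' | 'skipped'}."""
    rules_dir = Path(rules_dir)
    rules_dir.mkdir(parents=True, exist_ok=True)
    index_path = rules_dir / "index.json"
    index = json.loads(index_path.read_text()) if index_path.exists() else {}
    plan, skipped = plan_downloads(config, api_keys)
    status = {name: "skipped" for name in skipped}
    for name, url, headers, filename in plan:
        data = fetch(url, headers)
        digest = hashlib.sha256(data).hexdigest()
        old = index.get(name, {}).get("sha256")
        if old == digest:
            status[name] = "unchanged"
            continue
        (rules_dir / filename).write_bytes(data)
        index[name] = {"url": url, "file": filename, "sha256": digest}
        status[name] = "updated" if old else "new"
    index_path.write_text(json.dumps(index, indent=2))
    return status
```

A real fetcher would wrap `requests.get(url, headers=headers, timeout=30)` and return `response.content`; the rest of the flow stays the same.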