pielco11
commented
6 years ago os.listdir(path) accepts path as path and not a file. So, if I'm understanding in the right way, you should specify the path that contains rules. If you want to use a specific rule you may do a couple of things:
- make a new dir that contains only that file
- edit the code to let it recognize that the arg is a file and not a path and use only that rule
I pushed this change to my repo, hope will help in the right way.
Evan-Sa
omething seems to be off with the yara rule detection this appears to be an issue with the rules being compiled. Take a look at the output below the yara successfuly hit when just run from yara but ssma did not detect it despite it being present in the rules folder see output below
remnux@siftworkstation:~/Desktop/SSMA$ yara '/home/remnux/RE-tools/SSMA/rules/Malicious_Documents/Maldoc_VBA_macro_code.yar' '/home/remnux/malware-samples/Macro-Ransomeware/maldoc.doc' Contains_VBA_macro_code /home/remnux/malware-samples/Macro-Ransomeware/maldoc.doc
remnux@siftworkstation:~/Desktop/SSMA$ ./ssma.py -d /home/remnux/malware-samples/Macro-Ransomeware/maldoc.doc
███████╗███████╗███╗ ███╗ █████╗ ██╔════╝██╔════╝████╗ ████║██╔══██╗ Simple ███████╗███████╗██╔████╔██║███████║ Static ╚════██║╚════██║██║╚██╔╝██║██╔══██║ Malware ███████║███████║██║ ╚═╝ ██║██║ ██║ Analyzer ╚══════╝╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝
File Details: File: /home/remnux/malware-samples/Macro-Ransomeware/maldoc.doc Size: 553984 bytes Type: application/msword MD5: 1400dc28f32d901a3b26a61c3956dfac SHA1: 021276d1f2fb48b762738a132e9f83cdc52f48a2
================================================================================ Scan file using Yara-rules. With Yara rules you can create a "description" of malware families to detect new samples. For more information: https://virustotal.github.io/yara/
================================================================================ remnux@siftworkstation:~/Desktop/SSMA$
The yara flag also no longer appears to be working either but since yara scanning happens whenever you run ssma it might not be necessary anymore and these might be two unrelated issues
remnux@siftworkstation:~/Desktop/SSMA$ ./ssma.py -d --yara '/home/remnux/RE-tools/SSMA/rules/Malicious_Documents/Maldoc_VBA_macro_code.yar' '/home/remnux/malware-samples/Macro-Ransomeware/maldoc.doc'
███████╗███████╗███╗ ███╗ █████╗ ██╔════╝██╔════╝████╗ ████║██╔══██╗ Simple ███████╗███████╗██╔████╔██║███████║ Static ╚════██║╚════██║██║╚██╔╝██║██╔══██║ Malware ███████║███████║██║ ╚═╝ ██║██║ ██║ Analyzer ╚══════╝╚══════╝╚═╝ ╚═╝╚═╝ ╚═╝
File Details: File: /home/remnux/malware-samples/Macro-Ransomeware/maldoc.doc Size: 553984 bytes Type: application/msword MD5: 1400dc28f32d901a3b26a61c3956dfac SHA1: 021276d1f2fb48b762738a132e9f83cdc52f48a2
================================================================================ Scan file using Yara-rules. With Yara rules you can create a "description" of malware families to detect new samples. For more information: https://virustotal.github.io/yara/
Traceback (most recent call last): File "./ssma.py", line 669, in
your_target = is_your_target(args.filename, yara)
File "/home/remnux/Desktop/SSMA/src/check.py", line 75, in is_your_target
for n in os.listdir(yara_file):
NotADirectoryError: [Errno 20] Not a directory: '/home/remnux/RE-tools/SSMA/rules/Malicious_Documents/Maldoc_VBA_macro_code.yar'