spyre-project / spyre

simple YARA-based IOC scanner
GNU Lesser General Public License v3.0

Scan Modules #73

Open MesserBart opened 3 years ago

MesserBart commented 3 years ago

Hi, as I'm trying to use spyre, I successfully installed all packages. On Kali Linux, I'm trying to launch the spyre executable. As I don't know much about YARA scanning modules, I copy/pasted the filescan.yar and procscan.yar files from spyre/scanner.yara. Then, launching the program, here's the error that pops up:

2021/10/25 14:26:13 Error initializing YARA-file module: syntax error, unexpected identifier
2021/10/25 14:26:13 Error initializing YARA-proc module: syntax error, unexpected identifier

Would you mind providing me with help concerning this error? If it wouldn't bother you, maybe an example of these .yara files, and some kind of user guide on how and where to put these scanning modules. Thank you very much for your help and for providing such an interesting tool.

hillu commented 3 years ago

Sure. It looks like libyara is not able to parse your rule files. Can you provide the spyre.yaml and the YARA rule files you are using?

You may also be able to use the yara command line tool to get better diagnostics about the syntax errors in the rule files.
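The check suggested above, written out as an added example (this is not code from the spyre project): a minimal rule file in the syntax libyara expects, a second file with non-YARA content of the kind that produces "syntax error, unexpected identifier", and a compile-only check with the yarac tool from the yara package. The file names and the EICAR-based rule are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not part of spyre: write a minimal YARA ruleset and check
# its syntax with the yara command-line tools before pointing spyre at it.
# Rule file names (filescan.yar etc.) are placeholders for this example.

# Write one syntactically valid rule to the path given as $1.
write_example_rules() {
    cat > "$1" <<'EOF'
rule example_eicar_test_string
{
    meta:
        description = "Matches the EICAR anti-malware test string"
    strings:
        $eicar = "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!" ascii
    condition:
        $eicar
}
EOF
}

# Write a file that is NOT a YARA ruleset (Go source) to $1. Feeding this to
# libyara is the kind of mistake that yields "syntax error, unexpected identifier".
write_bogus_rules() {
    printf 'package main\n\nfunc main() {}\n' > "$1"
}

# Compile-only syntax check of the rule file $1 with yarac. On failure yarac
# prints the offending file and line number, which spyre's log line does not.
# Returns 0 on success, 1 on a compile error, 2 if yarac is not installed.
check_rules() {
    rules="$1"
    if ! command -v yarac >/dev/null 2>&1; then
        echo "yarac not found; install the yara package" >&2
        return 2
    fi
    compiled=$(mktemp)
    if yarac "$rules" "$compiled" 2>&1; then
        rm -f "$compiled"
        echo "ok: $rules compiles"
        return 0
    fi
    rm -f "$compiled"
    return 1
}

# Usage:
#   write_example_rules filescan.yar && check_rules filescan.yar
#   write_bogus_rules broken.yar && check_rules broken.yar   # shows the parse error
```

Once a rule file compiles cleanly with yarac, a remaining "syntax error" from spyre points at a different file (or a different path) than the one checked, so verify each file the configuration references the same way.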

MesserBart commented 3 years ago

Hi, actually, I'm using the example file spyre.yaml that was provided raw on the repo. I pasted it into the intended _build directory, and I have very few clues on where to find/provide YARA rules and files, and also where to actually put these files. It is actually my first time with YARA modules.

hillu commented 3 years ago

Alright. I think we'll need to provide a self-contained example.

MesserBart commented 3 years ago

Thank you so much. Would you mind updating this issue whenever an example is provided in the project source? A kind of "default version" would really help! Thanks again for your dedication.

hillu commented 3 years ago

I have just pushed a change that contains some example config + ruleset. Would this have helped you enough if it had been there when you found Spyre? If you feel that there's room for improvement in the example, feel free to open a PR.

(I'm aware that configuration for custom modules is still missing; I'll need to look around for some indicators that demonstrate general usefulness.)

hillu commented 2 years ago

@MesserBart ping?