tenzir / public-roadmap

The public roadmap of Tenzir
https://docs.tenzir.com/roadmap

YARA Operator #111

Closed mavam closed 8 months ago

mavam commented 8 months ago

It would be great to have the ability to run YARA on byte streams with a `yara` operator. The C library libyara makes this a straightforward integration.

### Definition of Done
- [x] Define the operator UX
- [x] Implement the operator
- [x] Write documentation and blog post

mavam commented 8 months ago

At hack.lu, we discussed the following use case:

  1. Extract files with Zeek or Suricata
  2. Watch the directory where the carved artifacts get written
  3. Launch a pipeline for every new file, along the lines of `load file <path> | yara <rule-file or directory>`.
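Steps 2 and 3 of that use case as a small watcher script. This is an added example, not code from the Tenzir project or from the comment above. It assumes a `tenzir` binary on PATH that takes the pipeline text as its first argument, `inotifywait` from inotify-tools for the watch loop, and a hypothetical rule file path in `RULES`; the carve directory (Zeek's extracted-files directory or Suricata's file-store) is passed on the command line.

```sh
#!/bin/sh
# Added example (not Tenzir project code): run `load file <path> | yara <rules>`
# for every file a NIDS carves into a directory.
# Assumptions: `tenzir` is on PATH and accepts the pipeline as its first
# argument; `inotifywait` is installed; RULES points at a (hypothetical) rule file.

RULES="${RULES:-/etc/tenzir/rules/malware.yar}"

# Build the pipeline text for one carved file. The path is interpolated as-is,
# so this assumes the carver names files without whitespace or pipe characters
# (carvers that name files by a generated ID satisfy this); a sender-chosen
# name such as a Content-Disposition filename must not reach this point unchecked.
build_pipeline() {
    printf 'load file %s | yara %s' "$1" "$RULES"
}

# Run the pipeline for one file. Skips anything that is not a regular file
# (directories, sockets) and empty files, which no rule can match anyway.
scan_file() {
    f=$1
    [ -f "$f" ] && [ -s "$f" ] || return 0
    tenzir "$(build_pipeline "$f")"
}

# Watch a directory. close_write fires only once the writer has closed the
# file, so a carve still in progress is not scanned half-written; moved_to
# covers tools that write to a temporary name and then rename.
watch_dir() {
    dir=$1
    inotifywait -m -q -e close_write -e moved_to --format '%w%f' "$dir" |
    while IFS= read -r path; do
        scan_file "$path"
    done
}

# Usage: carve-scan.sh <carve-dir> [--once]
#   --once scans the files already present (e.g. after a restart) and exits.
main() {
    dir=${1:?usage: $0 <carve-dir> [--once]}
    if [ "$2" = "--once" ]; then
        for f in "$dir"/*; do scan_file "$f"; done
    else
        watch_dir "$dir"
    fi
}

# Only act when invoked with arguments, so sourcing the file defines the functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it once with `--once` after a Zeek or Suricata restart to catch up on files carved while the watcher was down, then leave the watch mode running under the same supervisor as the sensor. Rules that match produce events from the pipeline; an unmatched file produces nothing, so the exit status of `tenzir` rather than its output is what a supervisor should monitor.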