Yara 실습

Yara 실습

https://dukup11ch1.tistory.com/45?category=780156
http://hellowuniverse.com/2017/03/07/about-yara-%EC%96%B4%EB%A0%B5%EC%A7%80-%EC%95%8A%EC%95%84%EC%9A%94/
history



yara64.exe "rule basic1.yar" C:\Users\user\Downloads -r -s
doskey /h
yara64.exe "rule basic2.yar" C:\Users\user\Downloads -r -s
yara64.exe "rule basic1.yar" C:\Users\user\Downloads -r -s
yara64.exe "rule basic1.yar" C:\Users\user\Downloads -r -s | more
python
yara64.exe "rule example.yar" C:\Users\ -r
yara64.exe "rule example.yar" C:\Users\ -r -s
doskey /h
yara64.exe -h
dir
yara64.exe dummy.yar.txt
yara64.exe dummy.yar
dir
rm dummy.yar.txt
yara64.exe dummy.yar
yara64.exe -v
yara64.exe -h
yara64.exe -C dummy.yar
yara64.exe -m dummy.yar
yara64.exe dummy.yar
yara64.exe -d dummy.yar
yara64.exe -f
yara64.exe dummy.yar -r
yara64.exe dummy.yar C: -r
yara64.exe dummy.yar C:
yara64.exe dummy.yar C: -r
yara64.exe "rule basic.yar" C:\Users\user\Downloads -r
yara64.exe "rule basic1.yar" C:\Users\user\Downloads -r
yara64.exe "rule basic1.yar" C:\Users\user\Downloads -r | sort
yara64.exe "rule basic1.yar" C:\Users\user\Downloads -r | wc -l
yara64.exe "rule basic1.yar" C:\Users\user\Downloads -r
yara64.exe "rule basic1.yar" C:\Users\user\Downloads -r | -a
yara64.exe "rule basic1.yar" C:\Users\user\Downloads -r
yara64.exe "rule basic1.yar" C:\Users\user\Downloads -r | findstr basic
yara64.exe "rule basic1.yar" C:\Users\user\Downloads -r | find /c "basic"
yara64.exe "rule basic.yar" C:\Users\user\Downloads -r | find /c "basic"
yara64.exe "rule basic.yar" C:\Users\user\Documents -r
yara64.exe "rule basic.yar" C:\Users\user -r | find /c "basic"
yara64.exe "rule basic.yar" C:\Users\user\Desktop -r | find /c "basic"
yara64.exe "rule basic.yar" C:\Users\user\Desktop -r
yara64.exe "rule basic.yar" C:\Users\user\Desktop -r | find /c "basic"
yara64.exe "rule basic1.yar" C:\Users\user\Desktop -r | find /c "basic"
yara64.exe "rule basic2.yar" C:\Users\user\Desktop -r | find /c "basic"
yara64.exe "rule basic2.yar" C:\Users\user\Desktop -r -s | find /c "basic"
yara64.exe "rule basic2.yar" C:\Users\user\Desktop -r -s
yara64.exe "rule basic.yar" C:\Users\user\Desktop -r -s
yara64.exe "rule basic.yar" C:\Users\user\Downloads -r -s
yara64.exe "rule basic.yar" C:\Users\user\Downloads -r
yara64.exe "rule basic.yar" C:\Users\user\Downloads -r -s


* yara rule 설정 후 스캔 - 파일 찾는데도 유용하다.
* -r 옵션 : 하위 디렉토리까지 스캔
* -s : 해당 파일에 매칭되는 스트링 

yara for 문 활용
* 오탐을 줄이기 위함
* xor key가 탐지되고 두번쨰 근거리에 100바이트에 있어야 한다는 룰을 짯다면, 첫번째 히트, 두번째 히트, 100바이트안에 함수코드가 있는지.
* 없으면 미스, 있으면 히트 , true를 반환

yara flesize

yara tag 

-t "태그명"

rule 안에 해당 태그명이 있는 rule만 돈다.

야라는 true or false만 탐지하기 때문에 확실한 장점이 있다. 유사도 측면에서는 떨어짐

* 서로 다른파일을 including 시켜서 여러 룰을 혼합하여 사용 가능, 각 threat group 별로 rule 파일별로 다 있다. 
* PE 속성에 대한 파일을 판단하는. PE Module, dll 파일 등, 운영체제, subsystem(xbox인지 gui인지 cui인지), yara가 다 탐지 가능
* upx 패커 등 패킹도 가능 : sections
* pe module 같은 경우 import 해주어야 한다. ex) import "pe"
* math 모듈도 있다. ex) import "math" , 암호화, 패킹, 복잡성이 올라감, 수학적인 부분에서. 엔트로피 ,cuckoo 탐지에 있음, 더미다로 패킹을 할 때 암호화 기능이 있다, 가상화머신에서 돌아가는지 등에 따라 엔트로피가 달라짐

* yara python
yara를 파이썬과 연동하여 자동화 작업이 가능



* 실습 - pcap.zip 파일 내에 pcap 파일에서 google.com 문자열을 포함하고 있는 패킷 파일을 찾아라.

rule googlefind
{
    strings:
        $a = "google.com"

    condition:
        $a
}

> yara64.exe "rule googlefind.yar" C:\users\user\Desktop\pcap


다음주 수업 - snort 깔아오기



rule example
{
    strings:
        $text_string = "domain" ascii wide fullword nocase

    condition:
        $text_string
}

계속정리필요..