Demo script for generating an email report based on a Yara scan, complete with two sample files intended to trigger some basic rules.
<?php
// Gist sample #1: a deliberately tiny file whose only purpose is to trigger a
// basic rule (the gist description says the samples exist "to trigger some
// basic rules"). It is a test fixture, not something to deploy.
// NOTE(review): the closing tag is written as `php?>` rather than `?>`, which
// leaves a bare `php` token in front of the close tag — confirm that is
// intentional for the sample (it does not matter for rule matching, but it is
// not valid PHP as written).
phpinfo();
php?>
eval(gunzip(base64_decode("Hello")); | |
"gzinflate(base64_decode(" | |
";eval( | |
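#!/bin/sh
# Scan a directory tree with YARA and e-mail the report via ssmtp.
# (c) 2023 bvi at moria.org
# v0.1
#
# Intended to run unattended (e.g. from root's cron) with no arguments.
# Requires: /usr/bin/yara, a configured /usr/sbin/ssmtp, and write access to
# the log file location and /tmp.
#
# Exit status: 0 when the report was mailed, 1 on any setup or mail error.
set -u

yara_bin=/usr/bin/yara
# This is the path that is actually executed below, so it is also the path
# that gets checked (the check must not test a different location than the
# one invoked).
ssmtp_bin=/usr/sbin/ssmtp

logfile=/var/log/yarascan.log
# Who to send email to
target=your@email.domain
# directory where yara rules are
rulesdir=/root/yararules
targetdir=/var/www
# How many days worth of logs to keep
maxlogdays=15   # not implemented yet (see the commented-out find below)
## no further configuration below here

# Print each argument on its own line to stderr and exit with status 1.
die() {
  printf '%s\n' "$@" >&2
  exit 1
}

# Check required tools are present before touching any logs.
[ -x "$yara_bin" ] || die "ERROR" \
  "yara binary not found: $yara_bin" \
  "Please check Yara is installed and paths are correct"
[ -x "$ssmtp_bin" ] || die "ERROR" \
  "ssmtp not found: $ssmtp_bin" \
  "Unable to send email, please check ssmtp is correctly installed and configured"

# %m is the month (%M would be minutes and mis-name the rotated logs).
date=$(date '+%Y%m%d')
host=$(hostname)
rfcdate=$(date -R)

# Build the mail body in a private temp file. A fixed /tmp/name.$$ is
# predictable and could be pre-created or symlinked by another local user
# while this script runs as root; mktemp creates a fresh, unguessable file.
mailfile=$(mktemp /tmp/yarascanemail.XXXXXX) || die "ERROR" "mktemp failed"

# Keep the previous run's log under a fixed name before overwriting it.
if [ -f "$logfile" ]; then
  mv -- "$logfile" "$logfile.yesterday"
fi
# delete any logs older than $maxlogdays (not yet enabled)
#find "$logfile".* -ctime +"$maxlogdays" -delete

# Refuse to run with no rule files: an unmatched glob would hand the literal
# pattern "*.yar" to yara instead of a rules file.
set -- "$rulesdir"/*.yar
[ -f "$1" ] || die "ERROR" "no .yar rule files found in $rulesdir"

# Run YARA recursively over the target tree. Matches go to the log (stdout);
# yara's own warnings stay on stderr so cron forwards them.
"$yara_bin" -r "$@" "$targetdir" > "$logfile"
result=$?

# yara exits 0 whether or not anything matched, so the exit code only says
# whether the scan itself ran; matches are detected from the log contents.
case $result in
  0) status="[Success]" ;;        # scan ran
  *) status="[Unknown Case]" ;;   # yara itself failed (e.g. rule compile error)
esac
matches=$(grep -c . "$logfile")   # count non-empty log lines; 0 when none
if [ "$matches" -gt 0 ]; then
  status="[MALWARE FOUND ($matches)]"
fi

## construct the email: headers, one blank line, then the body.
# The blank line is what ends the header block (RFC 5322); without it the
# body text would be read as more header lines.
{
  printf 'Date: %s\n' "$rfcdate"
  printf 'From: YARA Scanner <postmaster@localhost>\n'
  printf 'To: %s\n' "$target"
  printf 'Subject: [%s] Yara Scan %s\n' "$host" "$status"
  printf '\n'
  if [ "$matches" -gt 0 ]; then
    # Highlight matches; the full match list is the log itself.
    printf '=-=-=-=-=- MALWARE FOUND -=-=-=-=-=\n'
    cat -- "$logfile"
    printf '=-=-=-=-=- MALWARE FOUND -=-=-=-=-=\n'
  else
    printf 'No rule matches under %s\n' "$targetdir"
  fi
  printf '\nFurther details:\n============================\n'
  printf 'Host:        %s\n' "$host"
  printf 'Scanned:     %s\n' "$targetdir"
  printf 'Rules:       %s (%s file(s))\n' "$rulesdir" "$#"
  printf 'yara exit:   %s\n' "$result"
  printf 'Matches:     %s\n' "$matches"
  printf 'Log archive: %s.%s\n' "$logfile" "$date"
} > "$mailfile"

## send email; the temp file is kept for inspection if delivery fails
if "$ssmtp_bin" "$target" < "$mailfile"; then
  rm -f -- "$mailfile"
  mv -- "$logfile" "$logfile.$date"
  exit 0
fi
printf '%s\n' \
  "An error may have occurred sending email." \
  "Manual inspection of log files should take place" \
  "see: $mailfile and $logfile" >&2
exit 1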