luca-m/generateYara.sh

## generateYara.sh
#!/bin/bash
##
## Script to automatically generate Yara rule using Binlex (https://github.com/c3rb3ru5d3d53c/binlex).
## It will output a .yar file suitable to be loaded on yaraify.
##
## Usage:
##
##  ./generateYara.sh "RUNELANE" "FILEPATH" "TYPE" "NTRAITS"
## Parameters:
##      RULENAME     the name of the rule
##      FILEPATH     the file path
##      TYPE         type of file, one of elf:x86 elf:x86_64 pe:x86 pe:x86_64 raw:x86 raw:x86_64 raw:cil pe:cil auto .
##      NTRATIS      number of binlex's traits to consider for yara rule generation
##
#!/bin/bash
tmpf=$(mktemp)
author="$(whoami)"
tlp="CLEAR"
uuid="$(uuidgen -r)"
toptraits="$4"
ftype="$3"
fpath="$2"
name="$1"
hashh="$(md5sum "${fpath}"|awk '{print $1}')"
if [ -z "${toptraits}" ]; then
  toptraits="10"
fi
if [ -z "${ftype}" ]; then
  ftype="auto"
  #elf:x86 elf:x86_64 pe:x86 pe:x86_64 raw:x86 raw:x86_64 raw:cil pe:cil auto
fi
echo "[+] generating yara \"${name}_${uuid}.yar\" for file \"${fpath}\" (t:${ftype},n:${toptraits},h:${hashh})" >&2
binlex -m "${ftype}" -i "${fpath}" | jq -r "select(.size > 16 and .size < 32) | .trait" | head -n "${toptraits}" | blyara --name "${name}" -m "date" "$(date -I)" -m "yarahub_uuid" "${uuid}" -m "yarahub_license" "CC0 1.0" -m "yarahub_rule_matching_tlp" "${tlp}" -m "yarahub_rule_sharing_tlp" "${tlp}" -m "yarahub_reference_md5" "${hashh}" -m "author" "${author}" -m "tlp" "${tlp}" -m "hash_md5" "${hashh}" -c "$( echo "${toptraits} / 2" | bc )" | tee "${name}_${uuid}.yar"
	#!/bin/bash
	##
	## Script to automatically generate Yara rule using Binlex (https://github.com/c3rb3ru5d3d53c/binlex).
	## It will output a .yar file suitable to be loaded on yaraify.
	##
	## Usage:
	##
	## ./generateYara.sh "RUNELANE" "FILEPATH" "TYPE" "NTRAITS"
	## Parameters:
	## RULENAME the name of the rule
	## FILEPATH the file path
	## TYPE type of file, one of elf:x86 elf:x86_64 pe:x86 pe:x86_64 raw:x86 raw:x86_64 raw:cil pe:cil auto .
	## NTRATIS number of binlex's traits to consider for yara rule generation
	##
	#!/bin/bash
	tmpf=$(mktemp)
	author="$(whoami)"
	tlp="CLEAR"
	uuid="$(uuidgen -r)"
	toptraits="$4"
	ftype="$3"
	fpath="$2"
	name="$1"
	hashh="$(md5sum "${fpath}"\|awk '{print $1}')"
	if [ -z "${toptraits}" ]; then
	toptraits="10"
	fi
	if [ -z "${ftype}" ]; then
	ftype="auto"
	#elf:x86 elf:x86_64 pe:x86 pe:x86_64 raw:x86 raw:x86_64 raw:cil pe:cil auto
	fi
	echo "[+] generating yara \"${name}_${uuid}.yar\" for file \"${fpath}\" (t:${ftype},n:${toptraits},h:${hashh})" >&2
	binlex -m "${ftype}" -i "${fpath}" \| jq -r "select(.size > 16 and .size < 32) \| .trait" \| head -n "${toptraits}" \| blyara --name "${name}" -m "date" "$(date -I)" -m "yarahub_uuid" "${uuid}" -m "yarahub_license" "CC0 1.0" -m "yarahub_rule_matching_tlp" "${tlp}" -m "yarahub_rule_sharing_tlp" "${tlp}" -m "yarahub_reference_md5" "${hashh}" -m "author" "${author}" -m "tlp" "${tlp}" -m "hash_md5" "${hashh}" -c "$( echo "${toptraits} / 2" \| bc )" \| tee "${name}_${uuid}.yar"