I wrote profiling applications over SSL recently and this is my attempt at doing so in Bro. I haven't written a Bro script before this one so I'm betting I've got a bunch of things wrong here. The code comes in two parts. The first is the main script which has the core logic. The second part is the "local" script which defines the application profiles you are interested in.
@load base/protocols/conn
@load base/protocols/ssl
@load base/frameworks/notice
Here's an example of how part of yrrc works. Starting with these rules:
wxs@wxs-mbp yrrc % cat rules/test.yara
rule a {
meta:
sample = "24c422e681f1c1bd08286c7aaf5d23a5f088dcdb0b219806b3a9e579244f00c5"
condition:
true
}
I'd like to explain some of the new things I've added to YARA which will be in the next release. This is in addition to the stuff I've written about here, which are already in 3.2.0. If you have not read that I suggest you start there as it will tie in nicely with some of the things I'm going to mention here. Lastly, some of these things are not yet merged into master but I expect them to be very soon.
There is a new module in YARA called math. The intention of this module is to expose some functions which you can use in your rules to calculate specific properties.
In particular it provides these functions for calculating different values:
import platform
import yara
print(f"Platform version: {platform.version()}")
print(f"Python version: {platform.python_version()}")
print(f"YARA version: {yara.YARA_VERSION}")
rules = yara.compile(source='rule a { strings: $a = "foo" fullword condition: $a }')
for c in range(256):
#include <ctype.h>
#include <stdio.h>
int main(void) {
for (int i = 0; i <= 255; i++)
printf("0x%02x %u\n", i, !isalnum(i));
return 0;
}
import platform
import yara
print(f"Platform version: {platform.version()}")
print(f"Python version: {platform.python_version()}")
print(f"YARA version: {yara.YARA_VERSION}")
r = """
Back in January I wrote bf2y which is a brainfuck to YARA compiler. bf2y takes in an arbitrary brainfuck program and outputs the instructions to execute the brainfuck code on the YARA virtual machine (well, a slightly modified VM). If you want the full details of how it works go read the code, but I want to talk about writing a Fibonacii number generator for it.
One way to find PE files that start at offset 0 and have a single byte xor key:
rule single_byte_xor_pe_and_mz {
meta:
author = "Wesley Shields <wxs@atarininja.org>"
description = "Look for single byte xor of a PE starting at offset 0"
strings:
$b = "PE\x00\x00" xor(0x01-0xff)
condition:
This started with a tweet from Steve Miller (https://twitter.com/stvemillertime/status/1508441489923313664) in which he asked what is better for performance: 1 rule with 10k strings or 10k rules with 1 string each? Based upon my understanding of YARA I guessed it wouldn't matter for search time and the difference in bytecode evaluation would be in the noise. Effectively, I guessed you would not be able to tell the difference between the two.
Costin was the first to provide actual results and he claimed a 35 second vs 31 second difference between the two (https://twitter.com/craiu/status/1508445059129163783). That didn't make much sense to me so I asked for his rules so I could test them. He provided me with two rules files (10k.yara and 10kv2.yara) and a text file with a bunch of strings in it.
This is my attempt to replicate his findings and also document why he was getting the warning he was getting. Because I wanted the run to take a bit of time I ended up not using his text file with all the strings (it
wxs@wxs-mbp yara % cat rules/sets.yara
rule a0 { condition: false }
rule a1 { condition: true }
rule b { condition: 1 of (a*) }
rule c { condition: 2 of (a*) }
rule d { condition: 50% of (a*) }
rule e { condition: 1 of (a1) }
rule f { condition: all of (a1, e) }
wxs@wxs-mbp yara %