Skip to content

Instantly share code, notes, and snippets.

View wxsBSD's full-sized avatar

Wesley Shields wxsBSD

183 followers · 1 following
View GitHub Profile
@wxsBSD
wxsBSD / gist:a3ba7f4733125813e58a
Last active July 15, 2019 21:30
YARA and osquery

Note

This is outdated. The canonical source of documentation on this is over here.

Introduction

I recently put YARA inside osquery and thought I would provide some details on how to use it. There are two YARA related tables in osquery, which serve very different purposes. The first table, called yara_events, uses osquery's pub-sub framework to monitor for filesystem changes and will execute YARA when a file change event fires. The second table, called yara, is an on-demand YARA scanning table.

Configuration

@wxsBSD
wxsBSD / keybase.md
Created May 8, 2019 00:30

Keybase proof

I hereby claim:

  • I am wxsbsd on github.
  • I am wxs (https://keybase.io/wxs) on keybase.
  • I have a public key whose fingerprint is 96D1 2E6B F61C 2F3D 83EF 8F0B BE54 310C 17F0 AA37

To claim this, I am signing this object:

@wxsBSD
wxsBSD / gist:6d5e777afc31b3cf46d0
Last active July 14, 2018 16:56
Inferring contents of SSL sessions

Disclaimer

Everything I'm talking about below is not new, but I thought it was an interesting idea and realized I already had the majority of pieces in place to play with it. I want to share what I learned. If you are at all interested in exploring this topic further a good paper on it is here. Also, a few years ago IOActive published a blog post on the technique which is also a good read. Finally, the last two paragraphs in section 6 of RFC5246 clearly document the problem the best I've been able to find:

Any protocol designed for use over TLS must be carefully designed to
deal with all possible attacks against it.  As a practical matter,
this means that the protocol designer must be aware of what security
properties TLS does and does not provide and cannot safely rely on
the latter.
@wxsBSD
wxsBSD / gist:8c92d10dfad9d4b38b04
Last active August 29, 2015 14:18

I was recently asked how to check the entropy of a given section in YARA, and because the person who asked is clearly looking to learn how to fish instead of just being given fish I went into some detail on the explanation. With his permission I am sharing my response here.

It's a combination of a number of things:

math.in_range(test, lower, upper):

Given a test value, check to see if it is in range of the lower and upper bounds. This is an inclusive test.

math.entropy(offset, length):

@wxsBSD
wxsBSD / gist:476c652a772465075d46
Last active August 29, 2015 14:18

Here's what I was thinking of doing...

{
  // Description of the YARA rules to use. Each key is a group name used in additional_monitoring
  // or in scheduled_queries if you want.
  "yara": {
    "sig_group_1": [ "foo.sig", "bar.sig" ],
    "sig_group_2": [ "baz.sig" ]
  },
@wxsBSD
wxsBSD / gist:4d5d7677578f80cdf82a
Created January 15, 2015 02:06

Someone recently asked me if it is possible to test if a string is in a section or not in YARA. This is my attempt at an answer, and please note that some of the capabilities are still pending a merge to master.

// Make sure the string is in the .rsrc section.
rule test_in {
  strings:
    $a = { DE AD BE EF 00 00 DE AD BE EF }
  condition:
    $a in ((pe.sections[pe.section_index(".rsrc")].raw_data_offset)..(pe.sections[pe.section_index(".rsrc")].raw_data_offset + pe.sections[pe.section_index(".rsrc")].raw_data_size))
}
@wxsBSD
wxsBSD / gist:6ba82bcb8f658ed71b84
Last active August 29, 2015 14:09

With the release of YARA 3.2.0 I wanted to show people how to utilize some of the new features. In particular I'll show an example for rich_signatures, import hashing and Authenticode signatures.

You'll need both of these for obvious reasons. :)

import "pe"
import "hash"