- Save the Dockerfile gist below as `Dockerfile`
- Build
docker build -t yara_console .
docker run -v <local_rule_dir>:/home/yara/rules -v <local_malware_dir>:/home/yara/malware -t yara_console <rule_file_name.yar> ../malware/<malware_file_name>
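# syntax=docker/dockerfile:1
# Image for running YARA built from the wxsBSD fork's "console" branch, which adds the
# console module. Rules are mounted at /home/yara/rules and samples at /home/yara/malware
# (mount the sample directory read-only with ":ro"; yara only needs to read it).
FROM debian:bookworm-slim

# Build toolchain and module dependencies (openssl/jansson/magic). apt-get rather than apt
# for scripting; the blanket upgrade is dropped in favour of bumping the base tag; apt
# lists are removed in the same layer so they do not persist in the image.
# --no-install-recommends keeps the image small, so ca-certificates (HTTPS clone) and
# libc6-dev (C headers for gcc) are listed explicitly instead of arriving as Recommends.
RUN apt-get update && apt-get install -y --no-install-recommends \
        automake \
        bash \
        ca-certificates \
        gcc \
        git \
        libc6-dev \
        libjansson-dev \
        libmagic-dev \
        libssl-dev \
        libtool \
        make \
        pkg-config \
    && rm -rf /var/lib/apt/lists/*

# Fixed UID/GID 1835 as in the original, so host directories can be chowned to match the
# bind mounts. Steps are &&-chained so a failed addgroup/adduser fails the build instead
# of being silently skipped (the original used ";"); --home is given explicitly rather
# than relying on whatever default adduser --system picks. install -d creates the three
# directories already owned by yara, replacing the separate mkdir and chown -R layers.
RUN addgroup --gid 1835 yara \
    && adduser --system --uid 1835 --gid 1835 --home /home/yara --shell /bin/bash yara \
    && install -d -o yara -g yara /home/yara/app /home/yara/rules /home/yara/malware

# Clone and compile as the unprivileged user; only `make install` below needs root.
USER yara
WORKDIR /home/yara/app
RUN git clone https://github.com/wxsBSD/yara.git console
WORKDIR /home/yara/app/console

# Git ref to build. Defaults to the fork's "console" branch, whose head moves between
# builds; for a reproducible image pass a full commit SHA: --build-arg YARA_REF=<commit-sha>
ARG YARA_REF=console
RUN git checkout "${YARA_REF}" \
    && ./bootstrap.sh \
    && ./configure --enable-cuckoo --enable-magic --enable-dotnet --enable-console \
    && make

# Install into /usr/local and refresh the loader cache so the yara binary finds libyara.
# On Debian /etc/ld.so.conf.d/libc.conf already lists /usr/local/lib, so no ld.so.conf
# edit is required before ldconfig.
USER root
RUN make install && ldconfig
USER yara

# Default working directory is the rules mount, so `yara <rule.yar> ../malware/<sample>`
# works as documented above.
WORKDIR /home/yara/rules
ENTRYPOINT ["yara"]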
// Minimal example of the "console" module: when $1 is found, console.hex() logs the
// 32-bit integer read at the first match offset (@1[1], the same as the shorthand @1)
// and the condition holds. If $1 is absent, @1 is undefined and the rule does not match.
// "pe" is imported but not referenced by this rule; it is kept as in the original.
import "console"
import "pe"

rule console_test {
    meta:
        author = "xorhex"
        description = "Example rule showing how to use the YARA console plugin"
    strings:
        // hex strings are case-insensitive, so the bytes are written in lowercase
        $1 = { 48 83 3d 54 }
    condition:
        console.hex(int32(@1[1]))
}