YARA Console Branch - Docker

README.md

Build

• Save below Dockerfile gist as Dockerfile
• Build docker build Dockerfile -t yara_console

Run

docker run -v <local_rule_dir>:/home/yara/rules -v <local_malware_dir>:/home/yara/malware -t yara_console <rule_file_name.yar> ../malware/<malware_file_name>

Dockerfile

FROM debian:bookworm-slim

RUN apt update && apt -y upgrade && apt install -y git automake libtool make gcc pkg-config libssl-dev libjansson-dev libmagic-dev bash && apt clean

RUN addgroup --gid 1835 yara; adduser --system -uid 1835 --gid 1835 --shell /bin/bash yara
RUN mkdir /home/yara/app && mkdir /home/yara/rules && mkdir /home/yara/malware
RUN chown -R yara:yara /home/yara/app; chown -R yara:yara /home/yara/rules; chown -R yara:yara /home/yara/malware;

USER yara

WORKDIR /home/yara/app
RUN git clone https://github.com/wxsBSD/yara.git console

WORKDIR /home/yara/app/console
RUN git checkout console
RUN ./bootstrap.sh && ./configure --enable-cuckoo --enable-magic --enable-dotnet --enable-console
RUN make

USER root
RUN make install

RUN echo "/usr/local/lib" >> /etc/ld.so.conf; ldconfig

USER yara
WORKDIR /home/yara/rules
ENTRYPOINT [ "yara"]

rule.yar

import "pe"
import "console"

rule console_test {
    meta:
      author = "xorhex"
      description = "Example rule showing how to use the YARA console plugin"
    strings:
      $1 = { 48 83 3D 54 }
    condition:
      console.hex(int32(@1))
}