[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Libguestfs] [PATCH 0/6] Feature: Yara file scanning



Yara is a rule based scanning engine aimed to help malware analysts in finding and classifying interesting samples.

https://github.com/VirusTotal/yara

This series adds Yara support to Libguestfs allowing to upload sets of rules and scanning files against them.

Currently provided APIs:

 - yara_load: loads a set of rules
 - yara_destroy: free resources allocated by loaded rules
 - yara_scan: scans a file with the loaded rules

Future APIs:

 - yara_scan_recursive: scan the entire FS starting from the given point (could it be a flag in yara_scan?)
 - yara_scan_inode: use TSK to scan files by inodes allowing to scan deleted or hidden files

Code ready for review, available here:

https://github.com/noxdafox/libguestfs/tree/yara


Matteo Cafasso (6):
  appliance: add libyara dependency
  New API: yara_load
  New API: yara_destroy
  New API: internal_yara_scan
  New API: yara_scan
  yara_scan: added API tests

 appliance/packagelist.in                 |   1 +
 configure.ac                             |   1 +
 daemon/Makefile.am                       |   4 +-
 daemon/yara.c                            | 318 +++++++++++++++++++++++++++++++
 generator/actions.ml                     |  59 ++++++
 generator/structs.ml                     |   9 +
 gobject/Makefile.inc                     |   2 +
 java/Makefile.inc                        |   1 +
 java/com/redhat/et/libguestfs/.gitignore |   1 +
 m4/guestfs_daemon.m4                     |   8 +
 src/MAX_PROC_NR                          |   2 +-
 src/Makefile.am                          |   1 +
 src/yara.c                               | 140 ++++++++++++++
 tests/yara/Makefile.am                   |  26 +++
 tests/yara/test-yara-scan.sh             |  72 +++++++
 15 files changed, 643 insertions(+), 2 deletions(-)
 create mode 100644 daemon/yara.c
 create mode 100644 src/yara.c
 create mode 100644 tests/yara/Makefile.am
 create mode 100755 tests/yara/test-yara-scan.sh

--
2.10.1


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]