如何使用yaraQA提升Yara規則的質量和性能
作者:Alpha_h4ck
很多Yara規則可能在語法上是正確的,但功能很可能仍然存在問題。而yaraQA則會試圖找到這些問題并將其報告給YARA規則集的開發者或維護者。
關于yaraQA
yaraQA是一款功能強大的Yara規則分析工具,在該工具的幫助下,廣大研究人員可以輕松提升Yara規則的質量和性能。
很多Yara規則可能在語法上是正確的,但功能很可能仍然存在問題。而yaraQA則會試圖找到這些問題并將其報告給YARA規則集的開發者或維護者。
yaraQA的功能
yaraQA會嘗試檢測下列問題:
1、語法正確,但由于條件中的錯誤,從而導致不匹配的規則;
2、使用可能錯誤的字符串和修飾符組合的規則(例如$ = "\\Debug\\" fullword);
3、由短原子、重復字符或循環引起的性能問題(例如$ = "AA"; 可以使用--ignore-performance從分析中排除);
工具安裝
由于該工具基于Python 3開發,因此我們首先需要在本地設備上安裝并配置好Python 3環境。接下來,廣大研究人員可以使用下列命令將該項目源碼克隆至本地:
git clone https://github.com/Neo23x0/yaraQA.git然后切換到項目目錄中,使用pip工具和項目提供的requirements.txt文件安裝該工具所需的其他依賴組件:
cd yaraQA/
pip install -r requirements.txt工具使用幫助
usage: yaraQA.py [-h] [-f yara files [yara files ...]] [-d yara files [yara files ...]] [-o outfile] [-b baseline] [-l level]
[--ignore-performance] [--debug]
YARA RULE ANALYZER
optional arguments:
-h, --help 顯示工具幫助信息和退出
-f yara files [yara files ...]
輸入文件路徑(一個或多個Yara規則,由空格分隔)
-d yara files [yara files ...]
輸入目錄路徑(Yara規則目錄,由空格分隔)
-o outfile 分析結果輸出文件(JSON格式,默認為'yaraQA-issues.json')
-b baseline 使用一個問題基線來過濾分析結果中的問題
-l level 要顯示的最低級別(1=基本信息, 2=警告, 3=嚴重)
--ignore-performance 屏蔽與性能相關的規則問題
--debug 調試模式輸出工具使用樣例
python3 yaraQA.py -d ./test/屏蔽所有性能相關的問題,僅顯示邏輯問題:
python3 yaraQA.py -d ./test/ --ignore-performance屏蔽所有信息性字符問題:
python3 yaraQA.py -d ./test/ -level 2使用一個基線,僅顯示新的問題,基線文件需要是一個.json文件:
python3 yaraQA.py -d ./test/ -b yaraQA-reviewed-issues.json工具輸出
yaraQA會將檢測到的問題寫入一個名為yaraQA-issues.json的文件中。
下面給出的是yaraQA生成的JSON格式結果:
[
{
"rule": "Demo_Rule_1_Fullword_PDB",
"id": "SM1",
"issue": "The rule uses a PDB string with the modifier 'wide'. PDB strings are always included as ASCII strings. The 'wide' keyword is unneeded.",
"element": {
"name": "$s1",
"value": "\\\\i386\\\\mimidrv.pdb",
"type": "text",
"modifiers": [
"ascii",
"wide",
"fullword"
]
},
"level": "info",
"type": "logic",
"recommendation": "Remove the 'wide' modifier"
},
{
"rule": "Demo_Rule_1_Fullword_PDB",
"id": "SM2",
"issue": "The rule uses a PDB string with the modifier 'fullword' but it starts with two backslashes and thus the modifier could lead to a dysfunctional rule.",
"element": {
"name": "$s1",
"value": "\\\\i386\\\\mimidrv.pdb",
"type": "text",
"modifiers": [
"ascii",
"wide",
"fullword"
]
},
"level": "warning",
"type": "logic",
"recommendation": "Remove the 'fullword' modifier"
},
{
"rule": "Demo_Rule_2_Short_Atom",
"id": "PA2",
"issue": "The rule contains a string that turns out to be a very short atom, which could cause a reduced performance of the complete rule set or increased memory usage.",
"element": {
"name": "$s1",
"value": "{ 01 02 03 }",
"type": "byte"
},
"level": "warning",
"type": "performance",
"recommendation": "Try to avoid using such short atoms, by e.g. adding a few more bytes to the beginning or the end (e.g. add a binary 0 in front or a space after the string). Every additional byte helps."
},
{
"rule": "Demo_Rule_3_Fullword_FilePath_Section",
"id": "SM3",
"issue": "The rule uses a string with the modifier 'fullword' but it starts and ends with two backslashes and thus the modifier could lead to a dysfunctional rule.",
"element": {
"name": "$s1",
"value": "\\\\ZombieBoy\\\\",
"type": "text",
"modifiers": [
"ascii",
"fullword"
]
},
"level": "warning",
"type": "logic",
"recommendation": "Remove the 'fullword' modifier"
},
{
"rule": "Demo_Rule_4_Condition_Never_Matches",
"id": "CE1",
"issue": "The rule uses a condition that will never match",
"element": {
"condition_segment": "2 of",
"num_of_strings": 1
},
"level": "error",
"type": "logic",
"recommendation": "Fix the condition"
},
{
"rule": "Demo_Rule_5_Condition_Short_String_At_Pos",
"id": "PA1",
"issue": "This rule looks for a short string at a particular position. A short string represents a short atom and could be rewritten to an expression using uint(x) at position.",
"element": {
"condition_segment": "$mz at 0",
"string": "$mz",
"value": "MZ"
},
"level": "warning",
"type": "performance",
"recommendation": ""
},
{
"rule": "Demo_Rule_5_Condition_Short_String_At_Pos",
"id": "PA2",
"issue": "The rule contains a string that turns out to be a very short atom, which could cause a reduced performance of the complete rule set or increased memory usage.",
"element": {
"name": "$mz",
"value": "MZ",
"type": "text",
"modifiers": [
"ascii"
]
},
"level": "warning",
"type": "performance",
"recommendation": "Try to avoid using such short atoms, by e.g. adding a few more bytes to the beginning or the end (e.g. add a binary 0 in front or a space after the string). Every additional byte helps."
},
{
"rule": "Demo_Rule_6_Condition_Short_Byte_At_Pos",
"id": "PA1",
"issue": "This rule looks for a short string at a particular position. A short string represents a short atom and could be rewritten to an expression using uint(x) at position.",
"element": {
"condition_segment": "$mz at 0",
"string": "$mz",
"value": "{ 4d 5a }"
},
"level": "warning",
"type": "performance",
"recommendation": ""
},
{
"rule": "Demo_Rule_6_Condition_Short_Byte_At_Pos",
"id": "PA2",
"issue": "The rule contains a string that turns out to be a very short atom, which could cause a reduced performance of the complete rule set or increased memory usage.",
"element": {
"name": "$mz",
"value": "{ 4d 5a }",
"type": "byte"
},
"level": "warning",
"type": "performance",
"recommendation": "Try to avoid using such short atoms, by e.g. adding a few more bytes to the beginning or the end (e.g. add a binary 0 in front or a space after the string). Every additional byte helps."
},
{
"rule": "Demo_Rule_6_Condition_Short_Byte_At_Pos",
"id": "SM3",
"issue": "The rule uses a string with the modifier 'fullword' but it starts and ends with two backslashes and thus the modifier could lead to a dysfunctional rule.",
"element": {
"name": "$s1",
"value": "\\\\Section\\\\in\\\\Path\\\\",
"type": "text",
"modifiers": [
"ascii",
"fullword"
]
},
"level": "warning",
"type": "logic",
"recommendation": "Remove the 'fullword' modifier"
}
]包含問題的規則樣例
項目專門提供了包含問題的規則樣例,可以在./test目錄中找到。
工具運行截圖
許可證協議
本項目的開發與發布遵循GPL-3.0開源許可證協議。
責任編輯:武曉燕
來源:
FreeBuf.COM
