

broyara

integrating bro into yara

I assume yara has been installed into /usr/local/lib/.

Starting from the stock bro source tree (git clone), add the following to src/file_analysis/CMakeLists.txt so that the yara analyzer directory is built:

# File analyzer subdirectories built into bro. `yara` is the analyzer
# directory provided by this repository; the other entries are bro's
# existing file analyzers.
add_subdirectory(data_event)
add_subdirectory(extract)
add_subdirectory(hash)
add_subdirectory(yara)
add_subdirectory(unified2)
add_subdirectory(x509)

I've also amended the src/CMakeLists.txt file so that the bro executable links against libyara:

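# libyara is not one of bro's own dependencies, so locate it explicitly.
# Linking the bare name `yara` leaves resolution to the linker's search
# path and only fails late, at link time; find_library gives a
# deterministic absolute path and a clear configure-time error instead.
# YARA_LIBRARY can be set on the cmake command line to override the lookup
# (the default search already covers /usr/local/lib on Unix).
find_library(YARA_LIBRARY NAMES yara)
if ( NOT YARA_LIBRARY )
    message(FATAL_ERROR "libyara not found; install yara (e.g. into /usr/local/lib) or set YARA_LIBRARY")
endif ()

# Build the bro executable and link it. The two branches differ only in
# whether the per-subdirectory object libraries go into add_executable or
# into target_link_libraries; libyara is appended in both cases.
# target_link_libraries keeps bro's keyword-less signature so it stays
# consistent with the other calls on this target in the bro tree.
if ( bro_HAVE_OBJECT_LIBRARIES )
    add_executable(bro ${bro_SRCS} ${bro_HEADERS} ${bro_SUBDIRS})
    target_link_libraries(bro ${brodeps} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS} ${YARA_LIBRARY})
else ()
    add_executable(bro ${bro_SRCS} ${bro_HEADERS})
    target_link_libraries(bro ${bro_SUBDIRS} ${brodeps} ${CMAKE_THREAD_LIBS_INIT} ${CMAKE_DL_LIBS} ${YARA_LIBRARY})
endif ()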

You can run the yara rule analyser from a bro script like the following (the rules file is assumed to be already compiled):

# Extend the per-analyzer argument record with the path of the compiled
# yara rules file that the yara analyzer should load.
redef record Files::AnalyzerArgs += 
	{
	yara_rules_file: string &optional;
	};

# Attach the yara analyzer to every file bro sees, pointing it at a
# compiled rules file; "/path/to/test.rule_c" is a placeholder to replace
# with the real path of your compiled rules.
event file_new(f: fa_file)
    {
        Files::add_analyzer(f, Files::ANALYZER_YARA,[$yara_rules_file="/path/to/test.rule_c"]);
    }



# Raised by the yara analyzer when a rule matches a file; prints the file
# id and the name of the matching rule. print separates its arguments with
# ", ", which is why the output below shows the extra commas.
event file_yaraalert(f: fa_file, rule_name: string)
	{
		print "file_yara_alert ", f$id," ",  rule_name;
	}

which gives the following output:

$ bro -r ~/data/pcap/intel.pcap broscipts/yara_tst.bro 
file_yara_alert , FqIk1M1mN4bdnsNK46,  , silent_banker
file_yara_alert , FxxvP43nXcYzL16gS6,  , silent_banker
file_yara_alert , FhKaLp4VGYlFgz0cj,  , silent_banker
file_yara_alert , FYWSmEkdLooAtsOd9,  , silent_banker
file_yara_alert , FC58QqHDkh3Z5ZCw,  , silent_banker
file_yara_alert , FFoGa51pLHJCHF68B,  , silent_banker
file_yara_alert , FfArYal4ANngQl0de,  , silent_banker
file_yara_alert , FGyLsu3kMoquT6RZda,  , silent_banker
1417869923.470556 warning in /usr/local/bro/share/bro/base/misc/find-checksum-offloading.bro, line 54: Your trace file likely has invalid TCP checksums, most likely from NIC checksum offloading.
file_yara_alert , F2PvdW1d2ZwYk6B0q9,  , silent_banker
file_yara_alert , FDWZJXmIc88eUN91i,  , silent_banker
file_yara_alert , F2PvdW1d2ZwYk6B0q9,  , silent_banker
file_yara_alert , FtULZK1hRBg008up1f,  , silent_banker
file_yara_alert , FJX6Dk435K8Xe05kp5,  , silent_banker