
Tuesday, October 30, 2018

YARA - Rule Management



A Django web interface for managing YARA rules. The manager enables users to:

* Search for specific rules based on rule characteristics
* Categorize and organize rules easily and in bulk
* Make bulk edits on desired/filtered rules
* Track characteristics of the entire rule repository
* Automatically prevent and detect duplicate entries
Ref / Download Link :



Web based Manager for Yara Rules.

Ref / Download Link :


Web is a powerful website framework to write, test and organize your Yara rules. It features syntax highlighting, team collaboration features and publishing workflow.

  • Self-hosted solution (PHP/Mysql server needed)
  • Can run on Synology NAS (with Web Station)
  • REST API (submit, delete, update, get), with API Key
  • Authentication with modified UserCake library
  • Users Rights management
  • Easy to customize, with only one config file to change
  • Files management (creation/editing/removal)
  • Files exports
  • Rules management (creation/editing/removal)
  • Rules viewer
  • Rules export
  • Rules import
  • Name rules/files when copying them
  • Stats page
  • Search page (with magic field)
  • Permissions (contributor, publisher, ...)
  • History page
  • Recycle Bin
  • Syntax check (with yara-python)
  • Rule test (with yara-python)
  • Tests page (string -ANSI/UNICODE-, Hex strings, Files -local storage-)
  • User comments (with conversations)

 Ref  / Download Link :


is a script and library that lexes and parses a file consisting of one or more YARA rules into a Python dictionary representation. The goal of this tool is to make it easier to perform bulk operations or transformations of large sets of YARA rules, such as extracting indicators, updating attributes, and analyzing a corpus. Other applications include linters and dependency checkers.

Ref / Download Link :

Thursday, March 13, 2014

Free Toolkit For Incident Response - Crowd Response

is a community-based platform that may eventually support as many as 25 software modules, each serving a different aspect of the incident response process, Kurtz says. This week's release includes three modules: @dirlist, @pslist, and @yara.


This is the directory-listing module. This sounds quite simple, but it is actually extremely powerful.
The CrowdResponse DirList module enables the following features:
  • Verify and display digital signature information
  • Utilize a path exclusion/inclusion regular expression filter that acts on the full path name
  • Use a file wildcard mask to limit processing to specific file name components
  • SHA256 and MD5 file hashing
  • Perform "quick" hash of only the first 512 bytes of the file
  • Option to not hash files greater than a given size
  • Display application resource information
  • Select recursive listings and control recursion depth
  • Display creation, modification and access times for files
  • Optionally process only Windows executable (PE) files


This is the active running process listing module.
The CrowdResponse PSList module enables the following features:
  • Verify the digital signature of the process executable
  • Obtain process command line
  • Obtain detailed PE file information for each process executable
  • Perform SHA256 and MD5 hashes of process executables
  • Enumerate loaded modules for each process
  • Control PE output detail level of function names for imports and exports
  • Control PE output detail level of resource information
  • Control format (nested or flat) for PE file resource information
  • Check for process thread injection


The YARA processing module is the one I am most excited about. YARA will be familiar to many as an incredibly useful tool aimed at helping malware researchers identify and classify malware. It can act on files on disk or in-memory process images and runs a set of pattern matching rules against the target of investigation.
While we have incorporated a fully functional version of YARA into CrowdResponse, we have made it very simple to use for analyzing all active process binaries and memory. Along with the regular ability to target a specific single-process ID or one or more files, we can automatically enumerate all running processes and launch YARA rules against them all by simply specifying a single tool option. This enables quick and easy evaluation of a system without resorting to cumbersome scripting. This functionality greatly speeds the scan time and aids a responder in quickly pinpointing adversary activity on a suspect system.
The CrowdResponse YARA module enables the following features:
  • Scan memory of all currently active running processes
  • Scan on-disk files of all currently active running processes
  • Download YARA rule files from a provided URL
  • Control target path recursion depth
  • Utilize a target path exclusion/inclusion regular expression filter that acts on the full path name
  • Use a file target wildcard mask to limit processing to specific file name components
  • Option to only show positive hits
  • Option to specify YARA rule file name mask
  • Utilize a YARA file inclusion regular expression filter that acts on the full path name
  • Scan all loaded module files of active processes
  • Operate on a single process ID
  • Optional recursion into provided YARA rules directory

Crowd Response is a lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. The application contains numerous modules, each of them invoked by providing specific command line parameters to the main application. Modules are all built into the main application in C++, utilizing the Win32 API to achieve their functionality.
Crowd Response results may be viewed in a variety of ways, particularly when leveraging CrowdStrike’s CRconvert. By default, output from Crowd Response is provided in an XML file. CRconvert will flatten this XML to CSV, TSV or HTML, if desired. The various format options were created to support the different needs and analysis preferences of the end user.
Supported Operating Systems: The tool runs on 32-bit and 64-bit versions of Windows from XP onward.

Download Link : Click Here
  • MD5 87b58fb3da849cedff3a107bfe600e9b
  • SHA1 08e5bed8e7ba7316e6ff23610561b14057a58d4c
  • SHA256 c5ab1006f47bba30fe23bccf9eebedf824efa3bc6212989c748aa147221b5103