Yara is a rule-based scanning engine aimed at helping malware analysts find and
classify interesting samples.
https://github.com/VirusTotal/yara
This series adds Yara support to Libguestfs, allowing users to upload sets of rules and scan
files against them.
Currently provided APIs:
- yara_load: loads a set of rules
- yara_destroy: frees the resources allocated by the loaded rules
- yara_scan: scans a file with the loaded rules
Future APIs:
- yara_scan_recursive: scan the entire FS starting from the given point (could it be a
flag in yara_scan?)
- yara_scan_inode: use TSK to scan files by inode, allowing deleted or hidden
files to be scanned
Code ready for review, available here:
https://github.com/noxdafox/libguestfs/tree/yara
Matteo Cafasso (6):
appliance: add libyara dependency
New API: yara_load
New API: yara_destroy
New API: internal_yara_scan
New API: yara_scan
yara_scan: added API tests
appliance/packagelist.in | 1 +
configure.ac | 1 +
daemon/Makefile.am | 4 +-
daemon/yara.c | 318 +++++++++++++++++++++++++++++++
generator/actions.ml | 59 ++++++
generator/structs.ml | 9 +
gobject/Makefile.inc | 2 +
java/Makefile.inc | 1 +
java/com/redhat/et/libguestfs/.gitignore | 1 +
m4/guestfs_daemon.m4 | 8 +
src/MAX_PROC_NR | 2 +-
src/Makefile.am | 1 +
src/yara.c | 140 ++++++++++++++
tests/yara/Makefile.am | 26 +++
tests/yara/test-yara-scan.sh | 72 +++++++
15 files changed, 643 insertions(+), 2 deletions(-)
create mode 100644 daemon/yara.c
create mode 100644 src/yara.c
create mode 100644 tests/yara/Makefile.am
create mode 100755 tests/yara/test-yara-scan.sh
--
2.10.1