YARA Refactor and Option to Output Hexadecimal Offset Matching #391
Describe the change
The previous implementation of YARA scanning in Strelka involved redundant rule and configuration loading, which affected performance. Additionally, the option to output the Hexadecimal Offset of matches provides a more in-depth view of rule matches and can assist in further analysis.
Hexadecimal Offset Matching
Users can now output the hex offset at which a YARA match occurred. To reduce impact to the cluster, not all rules will perform this processing. Only rules with the proper meta tag will (see the offset_meta_key option below for details). This is how the meta should look if you'd like to extract the match data. The output will look like this:
Additional Configuration Options
With this change, the following configuration options were added to the ScanYara config in the backend.yml:
store_offset: Determines whether to store the offset of YARA matches. Defaults to False.
offset_meta_key: Key to determine which metadata should trigger offset logging. Defaults to StrelkaHexDump
offset_padding: Defines the number of bytes to include as padding around the matched string in the hex dump. Defaults to 32.
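As an added illustration of how the three options above fit together (this is example code, not Strelka's own ScanYara implementation), the following models the decision and the padded hex window: store_offset gates the feature globally, offset_meta_key names the rule meta entry that opts a rule in, and offset_padding bounds the bytes captured around each match. The match structure, the function names, and the assumption that a truthy meta value enables the dump are all constructed here so the block runs without yara-python.

```python
# Added example, not Strelka's own code. Models the ScanYara options
# described in the PR (store_offset, offset_meta_key, offset_padding).
# The YARA match records below are constructed by hand so this runs
# without yara-python; the field names are assumptions, not Strelka's API.

# Constructed sample of the ScanYara options from backend.yml. The key
# names come from the PR description; the surrounding structure is assumed.
SCANNER_OPTIONS = {
    "store_offset": True,
    "offset_meta_key": "StrelkaHexDump",
    "offset_padding": 32,
}


def wants_offsets(rule_meta, options):
    """Return True only when offset logging is enabled globally and the
    rule opts in through its meta key (a truthy value is assumed to enable)."""
    if not options.get("store_offset", False):
        return False
    key = options.get("offset_meta_key", "StrelkaHexDump")
    return bool(rule_meta.get(key, False))


def hex_dump_window(data, offset, length, padding):
    """Return (window_start, hex) for `padding` bytes on either side of the
    match, clamped to the file boundaries so short files never raise."""
    start = max(0, offset - padding)
    end = min(len(data), offset + length + padding)
    return start, data[start:end].hex()


def collect_offsets(data, matches, options):
    """Build one offset record per matched string for every rule that opted in.
    `matches` is a constructed list of {rule, meta, strings: [(offset, id, bytes)]}."""
    padding = options.get("offset_padding", 32)
    records = []
    for match in matches:
        if not wants_offsets(match["meta"], options):
            continue  # rule did not ask for a hex dump, or feature is off
        for offset, identifier, matched in match["strings"]:
            start, dump = hex_dump_window(data, offset, len(matched), padding)
            records.append({
                "rule": match["rule"],
                "identifier": identifier,
                "offset": hex(offset),
                "window_start": hex(start),
                "hexdump": dump,
            })
    return records


# Constructed sample input: a 4-byte marker surrounded by 16 bytes of filler.
SAMPLE_DATA = b"A" * 16 + b"EVIL" + b"B" * 16
SAMPLE_MATCHES = [
    # Rule carrying the meta key: its match offsets are recorded.
    {"rule": "dump_me", "meta": {"StrelkaHexDump": True},
     "strings": [(16, "$s", b"EVIL")]},
    # Rule without the meta key: skipped to limit cluster impact.
    {"rule": "quiet", "meta": {"author": "example"},
     "strings": [(16, "$s", b"EVIL")]},
]

if __name__ == "__main__":
    for rec in collect_offsets(SAMPLE_DATA, SAMPLE_MATCHES, SCANNER_OPTIONS):
        print(rec)
```

With the default padding of 32 the window covers the whole 36-byte sample; shrinking offset_padding to 4 yields just the twelve bytes around the marker, which is the trade-off the option exists to control.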
Describe testing procedures
Developed and successfully ran Pytest with the relevant fixture.
Sample output
Checklist