yarascanner/main.go

package main

import (
	"encoding/json"
	"github.com/go-chi/chi"
	"github.com/hillu/go-yara/v4"
	"github.com/package-url/packageurl-go"
	log "github.com/sirupsen/logrus"
	"github.com/spf13/viper"
	"io"
	"net/http"
	"os"
	"os/signal"
	"runtime"
	"strings"
	"sync"
	"syscall"
	"time"
)

type callbackFunc func(rules yara.MatchRules)

type Job struct {
	Data     io.ReadCloser
	Callback callbackFunc
}

var (
	client *http.Client

	jobChan = make(chan *Job)
)

func main() {
	viper.SetDefault("threads", runtime.NumCPU())
	viper.SetDefault("rules", "pkg:github/Neo23x0/signature-base#yara")
	viper.SetDefault("bind", ":8080")

	viper.AutomaticEnv()

	client = &http.Client{
		Timeout: 15 * time.Second,
	}

	if viper.GetBool("debug") {
		log.SetLevel(log.DebugLevel)
	}

	c, err := yara.NewCompiler()

	if err != nil {
		log.WithError(err).Fatal("Unable to setup new compiler")
	}

	c.DefineVariable("filename", "")
	c.DefineVariable("filepath", "")
	c.DefineVariable("extension", "")
	c.DefineVariable("filetype", "")

	log.Info("Loading rules")

	loadRules(c)

	rules, err := c.GetRules()

	if err != nil {
		log.WithError(err).Fatal("Unable to compile rules")
	}

	threads := viper.GetInt("threads")

	log.WithField("workers", threads).Info("Starting workers")

	for i := 0; i < threads; i++ {
		go worker(rules)
	}

	r := chi.NewRouter()

	r.Post("/scan", scanHandler)

	bind := viper.GetString("bind")

	log.WithField("bind", bind).Info("Binding to address")

	go http.ListenAndServe(bind, r)

	ch := make(chan os.Signal)

	signal.Notify(ch, syscall.SIGKILL, syscall.SIGTERM, syscall.SIGINT)

	<-ch
}

// HTTP handler for scanning files
func scanHandler(w http.ResponseWriter, r *http.Request) {
	contentType := r.Header.Get("Content-Type")

	if idx := strings.Index(contentType, ";"); idx != -1 {
		contentType = contentType[0:idx]
	}

	switch contentType {
	case "multipart/form-data":
		if r.MultipartForm == nil {
			r.ParseMultipartForm(32 << 20)
		}

		wg := &sync.WaitGroup{}

		results := make([]yara.MatchRules, 0)

		jobCallback := func(m yara.MatchRules) {
			results = append(results, m)
			wg.Done()
		}

		log.WithField("contentType", contentType).Debug("Adding files from multipart form as jobs")

		fileCount := 0

		for _, files := range r.MultipartForm.File {
			// Append files
			for _, file := range files {
				wg.Add(1)

				fileCount++

				f, err := file.Open()

				if err != nil {
					continue
				}

				job := &Job{
					Data:     f,
					Callback: jobCallback,
				}

				jobChan <- job
			}
		}

		log.WithField("count", fileCount).Debug("Waiting for jobs to finish")

		wg.Wait()

		json.NewEncoder(w).Encode(results)
	default:
		job := &Job{
			Data: r.Body,
			Callback: func(m yara.MatchRules) {
				json.NewEncoder(w).Encode(m)
			},
		}

		log.WithField("contentType", contentType).Debug("Scanning contents of body")

		jobChan <- job
	}
}

// Load rules from the rules configuration option
func loadRules(c *yara.Compiler) {
	rulePaths := strings.Split(viper.GetString("rules"), ",")

	for _, p := range rulePaths {
		log.WithField("package", p).Info("Loading rules from package")

		instance, err := packageurl.FromString(p)

		if err != nil {
			log.WithFields(log.Fields{
				"error":   err,
				"package": p,
			}).Fatalln("Invalid rule URL")
		}

		switch instance.Type {
		case "git", "bitbucket", "github", "gitlab":
			err = loadRulesFromGit(instance, c)
		case "http", "https":
			err = loadRulesFromHttp(instance, c)
		}

		if err != nil {
			log.WithFields(log.Fields{
				"error":   err,
				"package": p,
			}).Fatalln("Unable to load rules")
		}
	}
}

// Load rules from http(s)
// TODO: Support archive files alongside standard yar files
func loadRulesFromHttp(pkg packageurl.PackageURL, c *yara.Compiler) error {
	res, err := client.Get(pkg.Name)

	if err != nil {
		return err
	}

	defer res.Body.Close()

	b, err := io.ReadAll(res.Body)

	if err != nil {
		return err
	}

	return c.AddString(string(b), "")
}

// A worker routine. Creates a new scanner instance and pulls jobs.
func worker(rules *yara.Rules) {
	s, err := yara.NewScanner(rules)

	if err != nil {
		panic(err)
	}

	for {
		job := <-jobChan

		log.Debug("Processing job")

		processJob(s, job)
	}
}

func processJob(s *yara.Scanner, job *Job) {
	var m yara.MatchRules

	defer job.Data.Close()

	b, err := io.ReadAll(job.Data)

	if err != nil {
		return
	}

	err = s.SetCallback(&m).ScanMem(b)

	if err != nil {
		return
	}

	// Respond with job
	if len(m) < 1 {
		return
	}

	job.Callback(m)
}
first commit 2021-02-25 02:46:02 +00:00			`package main`

			`import (`
			`"encoding/json"`
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`"github.com/go-chi/chi"`
Use Yara 4.0.5, update api 2021-02-25 03:00:39 +00:00			`"github.com/hillu/go-yara/v4"`
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`"github.com/package-url/packageurl-go"`
first commit 2021-02-25 02:46:02 +00:00			`log "github.com/sirupsen/logrus"`
			`"github.com/spf13/viper"`
			`"io"`
			`"net/http"`
			`"os"`
			`"os/signal"`
			`"runtime"`
			`"strings"`
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`"sync"`
first commit 2021-02-25 02:46:02 +00:00			`"syscall"`
			`"time"`
			`)`

Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`type callbackFunc func(rules yara.MatchRules)`

first commit 2021-02-25 02:46:02 +00:00			`type Job struct {`
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`Data io.ReadCloser`
			`Callback callbackFunc`
first commit 2021-02-25 02:46:02 +00:00			`}`

			`var (`
			`client *http.Client`
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00
			`jobChan = make(chan *Job)`
first commit 2021-02-25 02:46:02 +00:00			`)`

			`func main() {`
			`viper.SetDefault("threads", runtime.NumCPU())`
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`viper.SetDefault("rules", "pkg:github/Neo23x0/signature-base#yara")`
Add bind debug 2021-03-07 05:03:48 +00:00			`viper.SetDefault("bind", ":8080")`
first commit 2021-02-25 02:46:02 +00:00
			`viper.AutomaticEnv()`

			`client = &http.Client{`
			`Timeout: 15 * time.Second,`
			`}`

Add debug setting 2021-03-07 05:07:06 +00:00			`if viper.GetBool("debug") {`
			`log.SetLevel(log.DebugLevel)`
			`}`

first commit 2021-02-25 02:46:02 +00:00			`c, err := yara.NewCompiler()`

			`if err != nil {`
			`log.WithError(err).Fatal("Unable to setup new compiler")`
			`}`

Add other variables for empty settings 2021-03-07 04:48:25 +00:00			`c.DefineVariable("filename", "")`
Define filepath as empty string 2021-03-07 04:47:15 +00:00			`c.DefineVariable("filepath", "")`
Add other variables for empty settings 2021-03-07 04:48:25 +00:00			`c.DefineVariable("extension", "")`
			`c.DefineVariable("filetype", "")`
Define filepath as empty string 2021-03-07 04:47:15 +00:00
Additional messages for debugging 2021-03-07 04:52:50 +00:00			`log.Info("Loading rules")`

first commit 2021-02-25 02:46:02 +00:00			`loadRules(c)`

			`rules, err := c.GetRules()`

			`if err != nil {`
			`log.WithError(err).Fatal("Unable to compile rules")`
			`}`

			`threads := viper.GetInt("threads")`

			`log.WithField("workers", threads).Info("Starting workers")`

			`for i := 0; i < threads; i++ {`
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`go worker(rules)`
first commit 2021-02-25 02:46:02 +00:00			`}`

Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`r := chi.NewRouter()`
first commit 2021-02-25 02:46:02 +00:00
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`r.Post("/scan", scanHandler)`
first commit 2021-02-25 02:46:02 +00:00
Add bind debug 2021-03-07 05:03:48 +00:00			`bind := viper.GetString("bind")`

			`log.WithField("bind", bind).Info("Binding to address")`

			`go http.ListenAndServe(bind, r)`
first commit 2021-02-25 02:46:02 +00:00
			`ch := make(chan os.Signal)`

			`signal.Notify(ch, syscall.SIGKILL, syscall.SIGTERM, syscall.SIGINT)`

Use Yara 4.0.5, update api 2021-02-25 03:00:39 +00:00			`<-ch`
first commit 2021-02-25 02:46:02 +00:00			`}`

Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`// HTTP handler for scanning files`
			`func scanHandler(w http.ResponseWriter, r *http.Request) {`
			`contentType := r.Header.Get("Content-Type")`
first commit 2021-02-25 02:46:02 +00:00
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`if idx := strings.Index(contentType, ";"); idx != -1 {`
			`contentType = contentType[0:idx]`
			`}`
first commit 2021-02-25 02:46:02 +00:00
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`switch contentType {`
			`case "multipart/form-data":`
			`if r.MultipartForm == nil {`
			`r.ParseMultipartForm(32 << 20)`
first commit 2021-02-25 02:46:02 +00:00			`}`

Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`wg := &sync.WaitGroup{}`
first commit 2021-02-25 02:46:02 +00:00
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`results := make([]yara.MatchRules, 0)`
first commit 2021-02-25 02:46:02 +00:00
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`jobCallback := func(m yara.MatchRules) {`
			`results = append(results, m)`
			`wg.Done()`
first commit 2021-02-25 02:46:02 +00:00			`}`

More debugging! 2021-03-07 05:02:55 +00:00			`log.WithField("contentType", contentType).Debug("Adding files from multipart form as jobs")`

			`fileCount := 0`

Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`for _, files := range r.MultipartForm.File {`
			`// Append files`
			`for _, file := range files {`
			`wg.Add(1)`
first commit 2021-02-25 02:46:02 +00:00
More debugging! 2021-03-07 05:02:55 +00:00			`fileCount++`

Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`f, err := file.Open()`
first commit 2021-02-25 02:46:02 +00:00
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`if err != nil {`
			`continue`
			`}`
first commit 2021-02-25 02:46:02 +00:00
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`job := &Job{`
			`Data: f,`
			`Callback: jobCallback,`
			`}`
first commit 2021-02-25 02:46:02 +00:00
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`jobChan <- job`
			`}`
first commit 2021-02-25 02:46:02 +00:00			`}`

More debugging! 2021-03-07 05:02:55 +00:00			`log.WithField("count", fileCount).Debug("Waiting for jobs to finish")`

Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`wg.Wait()`
first commit 2021-02-25 02:46:02 +00:00
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`json.NewEncoder(w).Encode(results)`
			`default:`
			`job := &Job{`
			`Data: r.Body,`
			`Callback: func(m yara.MatchRules) {`
			`json.NewEncoder(w).Encode(m)`
			`},`
			`}`
first commit 2021-02-25 02:46:02 +00:00
More debugging! 2021-03-07 05:02:55 +00:00			`log.WithField("contentType", contentType).Debug("Scanning contents of body")`

Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`jobChan <- job`
first commit 2021-02-25 02:46:02 +00:00			`}`
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`}`
first commit 2021-02-25 02:46:02 +00:00
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`// Load rules from the rules configuration option`
			`func loadRules(c *yara.Compiler) {`
			`rulePaths := strings.Split(viper.GetString("rules"), ",")`
first commit 2021-02-25 02:46:02 +00:00
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`for _, p := range rulePaths {`
Additional messages for debugging 2021-03-07 04:52:50 +00:00			`log.WithField("package", p).Info("Loading rules from package")`

Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`instance, err := packageurl.FromString(p)`
first commit 2021-02-25 02:46:02 +00:00
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`if err != nil {`
			`log.WithFields(log.Fields{`
			`"error": err,`
			`"package": p,`
			`}).Fatalln("Invalid rule URL")`
			`}`
first commit 2021-02-25 02:46:02 +00:00
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`switch instance.Type {`
			`case "git", "bitbucket", "github", "gitlab":`
			`err = loadRulesFromGit(instance, c)`
			`case "http", "https":`
			`err = loadRulesFromHttp(instance, c)`
			`}`
first commit 2021-02-25 02:46:02 +00:00
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`if err != nil {`
			`log.WithFields(log.Fields{`
			`"error": err,`
			`"package": p,`
			`}).Fatalln("Unable to load rules")`
			`}`
first commit 2021-02-25 02:46:02 +00:00			`}`
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`}`
first commit 2021-02-25 02:46:02 +00:00
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`// Load rules from http(s)`
			`// TODO: Support archive files alongside standard yar files`
			`func loadRulesFromHttp(pkg packageurl.PackageURL, c *yara.Compiler) error {`
			`res, err := client.Get(pkg.Name)`
first commit 2021-02-25 02:46:02 +00:00
			`if err != nil {`
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`return err`
first commit 2021-02-25 02:46:02 +00:00			`}`

Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`defer res.Body.Close()`
first commit 2021-02-25 02:46:02 +00:00
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`b, err := io.ReadAll(res.Body)`
first commit 2021-02-25 02:46:02 +00:00
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`if err != nil {`
			`return err`
first commit 2021-02-25 02:46:02 +00:00			`}`
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00
			`return c.AddString(string(b), "")`
first commit 2021-02-25 02:46:02 +00:00			`}`

Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`// A worker routine. Creates a new scanner instance and pulls jobs.`
			`func worker(rules *yara.Rules) {`
first commit 2021-02-25 02:46:02 +00:00			`s, err := yara.NewScanner(rules)`

			`if err != nil {`
			`panic(err)`
			`}`

			`for {`
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`job := <-jobChan`
first commit 2021-02-25 02:46:02 +00:00
More debugging! 2021-03-07 05:02:55 +00:00			`log.Debug("Processing job")`

first commit 2021-02-25 02:46:02 +00:00			`processJob(s, job)`
			`}`
			`}`

Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`func processJob(s yara.Scanner, job Job) {`
Use Yara 4.0.5, update api 2021-02-25 03:00:39 +00:00			`var m yara.MatchRules`

Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`defer job.Data.Close()`
first commit 2021-02-25 02:46:02 +00:00
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`b, err := io.ReadAll(job.Data)`
first commit 2021-02-25 02:46:02 +00:00
Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`if err != nil {`
first commit 2021-02-25 02:46:02 +00:00			`return`
			`}`

Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`err = s.SetCallback(&m).ScanMem(b)`
first commit 2021-02-25 02:46:02 +00:00
			`if err != nil {`
			`return`
			`}`

Change to HTTP microservice, use proper git/etc for loading packages 2021-03-07 04:32:49 +00:00			`// Respond with job`
			`if len(m) < 1 {`
first commit 2021-02-25 02:46:02 +00:00			`return`
			`}`

Ensure job callback is called 2021-03-07 04:56:53 +00:00			`job.Callback(m)`
Use Yara 4.0.5, update api 2021-02-25 03:00:39 +00:00			`}`