From 75e9a42a513cdf646e9efb7d08ccaedf332e8748 Mon Sep 17 00:00:00 2001 From: Tyler Date: Wed, 24 Feb 2021 22:00:39 -0500 Subject: [PATCH] Use Yara 4.0.5, update api --- Dockerfile | 4 ++-- go.mod | 2 +- go.sum | 4 ++-- main.go | 22 ++++++++++++---------- 4 files changed, 17 insertions(+), 15 deletions(-) diff --git a/Dockerfile b/Dockerfile index f4cf757..b45f2a0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,10 +2,10 @@ FROM golang:alpine AS builder RUN mkdir -p /build/src -ADD https://github.com/VirusTotal/yara/archive/v4.0.5.tar.gz /build/yara-4.0.5.tar.gz +ADD https://github.com/VirusTotal/yara/archive/v4.0.4.tar.gz /build/yara-4.0.4.tar.gz RUN apk add --no-cache autoconf automake libtool make gcc g++ openssl-dev pkgconfig -RUN cd /build; tar xvf yara-4.0.5.tar.gz; cd yara-4.0.5; ./bootstrap.sh; ./configure; make; make install +RUN cd /build; tar xvf yara-4.0.4.tar.gz; cd yara-4.0.4; ./bootstrap.sh; ./configure; make; make install ADD . /build/src diff --git a/go.mod b/go.mod index 7c83f95..0bad021 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.16 require ( github.com/beanstalkd/go-beanstalk v0.1.0 - github.com/hillu/go-yara v1.3.0 + github.com/hillu/go-yara/v4 v4.0.4 github.com/sirupsen/logrus v1.8.0 github.com/spf13/afero v1.5.1 github.com/spf13/viper v1.7.1 diff --git a/go.sum b/go.sum index 0a8e5f7..40ddbe1 100644 --- a/go.sum +++ b/go.sum 
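Review bot: The new ADD line in the Dockerfile hunk fetches the yara tarball from GitHub with no integrity check, so the image build trusts whatever that URL serves at build time; pin the release to a digest, e.g. `RUN echo "<sha256 of v4.0.4.tar.gz>  /build/yara-4.0.4.tar.gz" | sha256sum -c -` placed before the `tar xvf` step (or `ADD --checksum=sha256:<hash> ...` if the builder's BuildKit supports it). Note also that the commit subject says "Use Yara 4.0.5" while this hunk moves the Dockerfile from 4.0.5 to 4.0.4, so either the subject or the diff is wrong; if the downgrade is deliberate to match `go-yara/v4 v4.0.4` in go.mod, the subject should say so. A one-line comment above the ADD naming which libyara version the Go binding expects would make the next bump less error-prone, since the two must presumably move together.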
@@ -94,8 +94,8 @@ github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= -github.com/hillu/go-yara v1.3.0 h1:d9HklhWmCY9M/2dnFxYbNXDOFDid3HPGw53hdVk4Urg= -github.com/hillu/go-yara v1.3.0/go.mod h1:KLxCsvD3F8cgVK866UDHi961qbzP+twKjhNdDsuz/2M= +github.com/hillu/go-yara/v4 v4.0.4 h1:DxKUyCwk6BG2SONtvkpeuYOdjmHMZ5ybqLdaH2POLRw= +github.com/hillu/go-yara/v4 v4.0.4/go.mod h1:rkb/gSAoO8qcmj+pv6fDZN4tOa3N7R+qqGlEkzT4iys= github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo= github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= diff --git a/main.go b/main.go index 469c9cd..c5ecdce 100644 --- a/main.go +++ b/main.go @@ -5,7 +5,7 @@ import ( "encoding/json" "errors" "github.com/beanstalkd/go-beanstalk" - "github.com/hillu/go-yara" + "github.com/hillu/go-yara/v4" log "github.com/sirupsen/logrus" "github.com/spf13/afero" "github.com/spf13/afero/zipfs" @@ -25,7 +25,7 @@ import ( type Job struct { PasteID string - Data []byte + Data []byte } var ( @@ -80,7 +80,7 @@ func main() { signal.Notify(ch, syscall.SIGKILL, syscall.SIGTERM, syscall.SIGINT) - <- ch + <-ch } func loadRules(c *yara.Compiler) { @@ -180,7 +180,7 @@ func watchQueue(c *beanstalk.Conn, jobChan chan Job) { } log.WithFields(log.Fields{ - "id": id, + "id": id, "body": body, }).Debug("Handling job") 
@@ -202,25 +202,27 @@ func worker(rules *yara.Rules, jobs chan Job) { } for { - job := <- jobs + job := <-jobs processJob(s, job) } } func processJob(s *yara.Scanner, job Job) { - matched, err := s.ScanMem(job.Data) + var m yara.MatchRules + + err := s.SetCallback(&m).ScanMem(job.Data) if err != nil { return } // Respond with job - if len(matched) < 1 { + if len(m) < 1 { return } - quarantine(job.PasteID, matched[0].Rule) + quarantine(job.PasteID, m[0].Rule) } func quarantine(pasteId, reason string) { @@ -228,7 +230,7 @@ func quarantine(pasteId, reason string) { v.Set("reason", reason) - req, err := http.NewRequest(http.MethodPost, viper.GetString("pasteUrl") + "/admin/quarantine/" + pasteId, nil) + req, err := http.NewRequest(http.MethodPost, viper.GetString("pasteUrl")+"/admin/quarantine/"+pasteId, nil) if err != nil { return @@ -241,4 +243,4 @@ func quarantine(pasteId, reason string) { } defer res.Body.Close() -} \ No newline at end of file +}
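Review bot: In the new processJob body, a non-nil error from `s.SetCallback(&m).ScanMem(job.Data)` is returned silently, so a scan that fails (timeout, internal yara error) leaves the paste unquarantined with no trace in the logs — the scanner fails open invisibly. Log it before returning, e.g. `log.WithError(err).WithField("paste", job.PasteID).Error("yara scan failed")`, so operators can see when content slips through unscanned; whether such failures should quarantine instead is a policy call worth a comment on that return. Separately, quarantine, whose signature closes this hunk and whose body continues below it, concatenates `pasteId` — taken from the job body — straight into the request path; wrapping it as `url.PathEscape(pasteId)` keeps a crafted id containing `/` or `..` from steering the POST to a different admin endpoint (the `v.Set` call suggests net/url is already imported). Only `m[0].Rule` is reported as the reason while other matched rules are dropped; if that is intended, a short comment saying so would help.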