Use Yara 4.0.5, update api
This commit is contained in:
parent
ed71b46945
commit
75e9a42a51
|
@ -2,10 +2,10 @@ FROM golang:alpine AS builder
|
||||||
|
|
||||||
RUN mkdir -p /build/src
|
RUN mkdir -p /build/src
|
||||||
|
|
||||||
ADD https://github.com/VirusTotal/yara/archive/v4.0.5.tar.gz /build/yara-4.0.5.tar.gz
|
ADD https://github.com/VirusTotal/yara/archive/v4.0.4.tar.gz /build/yara-4.0.4.tar.gz
|
||||||
|
|
||||||
RUN apk add --no-cache autoconf automake libtool make gcc g++ openssl-dev pkgconfig
|
RUN apk add --no-cache autoconf automake libtool make gcc g++ openssl-dev pkgconfig
|
||||||
RUN cd /build; tar xvf yara-4.0.5.tar.gz; cd yara-4.0.5; ./bootstrap.sh; ./configure; make; make install
|
RUN cd /build; tar xvf yara-4.0.4.tar.gz; cd yara-4.0.4; ./bootstrap.sh; ./configure; make; make install
|
||||||
|
|
||||||
ADD . /build/src
|
ADD . /build/src
|
||||||
|
|
||||||
|
|
2
go.mod
2
go.mod
|
@ -4,7 +4,7 @@ go 1.16
|
||||||
|
|
||||||
require (
|
require (
|
||||||
github.com/beanstalkd/go-beanstalk v0.1.0
|
github.com/beanstalkd/go-beanstalk v0.1.0
|
||||||
github.com/hillu/go-yara v1.3.0
|
github.com/hillu/go-yara/v4 v4.0.4
|
||||||
github.com/sirupsen/logrus v1.8.0
|
github.com/sirupsen/logrus v1.8.0
|
||||||
github.com/spf13/afero v1.5.1
|
github.com/spf13/afero v1.5.1
|
||||||
github.com/spf13/viper v1.7.1
|
github.com/spf13/viper v1.7.1
|
||||||
|
|
4
go.sum
4
go.sum
|
@ -94,8 +94,8 @@ github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO
|
||||||
github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
|
github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ=
|
||||||
github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
|
github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
|
||||||
github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
|
github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
|
||||||
github.com/hillu/go-yara v1.3.0 h1:d9HklhWmCY9M/2dnFxYbNXDOFDid3HPGw53hdVk4Urg=
|
github.com/hillu/go-yara/v4 v4.0.4 h1:DxKUyCwk6BG2SONtvkpeuYOdjmHMZ5ybqLdaH2POLRw=
|
||||||
github.com/hillu/go-yara v1.3.0/go.mod h1:KLxCsvD3F8cgVK866UDHi961qbzP+twKjhNdDsuz/2M=
|
github.com/hillu/go-yara/v4 v4.0.4/go.mod h1:rkb/gSAoO8qcmj+pv6fDZN4tOa3N7R+qqGlEkzT4iys=
|
||||||
github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
|
github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
|
||||||
github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
|
github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
|
||||||
github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
|
github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
|
||||||
|
|
22
main.go
22
main.go
|
@ -5,7 +5,7 @@ import (
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"errors"
|
"errors"
|
||||||
"github.com/beanstalkd/go-beanstalk"
|
"github.com/beanstalkd/go-beanstalk"
|
||||||
"github.com/hillu/go-yara"
|
"github.com/hillu/go-yara/v4"
|
||||||
log "github.com/sirupsen/logrus"
|
log "github.com/sirupsen/logrus"
|
||||||
"github.com/spf13/afero"
|
"github.com/spf13/afero"
|
||||||
"github.com/spf13/afero/zipfs"
|
"github.com/spf13/afero/zipfs"
|
||||||
|
@ -25,7 +25,7 @@ import (
|
||||||
|
|
||||||
type Job struct {
|
type Job struct {
|
||||||
PasteID string
|
PasteID string
|
||||||
Data []byte
|
Data []byte
|
||||||
}
|
}
|
||||||
|
|
||||||
var (
|
var (
|
||||||
|
@ -80,7 +80,7 @@ func main() {
|
||||||
|
|
||||||
signal.Notify(ch, syscall.SIGKILL, syscall.SIGTERM, syscall.SIGINT)
|
signal.Notify(ch, syscall.SIGKILL, syscall.SIGTERM, syscall.SIGINT)
|
||||||
|
|
||||||
<- ch
|
<-ch
|
||||||
}
|
}
|
||||||
|
|
||||||
func loadRules(c *yara.Compiler) {
|
func loadRules(c *yara.Compiler) {
|
||||||
|
@ -180,7 +180,7 @@ func watchQueue(c *beanstalk.Conn, jobChan chan Job) {
|
||||||
}
|
}
|
||||||
|
|
||||||
log.WithFields(log.Fields{
|
log.WithFields(log.Fields{
|
||||||
"id": id,
|
"id": id,
|
||||||
"body": body,
|
"body": body,
|
||||||
}).Debug("Handling job")
|
}).Debug("Handling job")
|
||||||
|
|
||||||
|
@ -202,25 +202,27 @@ func worker(rules *yara.Rules, jobs chan Job) {
|
||||||
}
|
}
|
||||||
|
|
||||||
for {
|
for {
|
||||||
job := <- jobs
|
job := <-jobs
|
||||||
|
|
||||||
processJob(s, job)
|
processJob(s, job)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func processJob(s *yara.Scanner, job Job) {
|
func processJob(s *yara.Scanner, job Job) {
|
||||||
matched, err := s.ScanMem(job.Data)
|
var m yara.MatchRules
|
||||||
|
|
||||||
|
err := s.SetCallback(&m).ScanMem(job.Data)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// Respond with job
|
// Respond with job
|
||||||
if len(matched) < 1 {
|
if len(m) < 1 {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
quarantine(job.PasteID, matched[0].Rule)
|
quarantine(job.PasteID, m[0].Rule)
|
||||||
}
|
}
|
||||||
|
|
||||||
func quarantine(pasteId, reason string) {
|
func quarantine(pasteId, reason string) {
|
||||||
|
@ -228,7 +230,7 @@ func quarantine(pasteId, reason string) {
|
||||||
|
|
||||||
v.Set("reason", reason)
|
v.Set("reason", reason)
|
||||||
|
|
||||||
req, err := http.NewRequest(http.MethodPost, viper.GetString("pasteUrl") + "/admin/quarantine/" + pasteId, nil)
|
req, err := http.NewRequest(http.MethodPost, viper.GetString("pasteUrl")+"/admin/quarantine/"+pasteId, nil)
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return
|
return
|
||||||
|
@ -241,4 +243,4 @@ func quarantine(pasteId, reason string) {
|
||||||
}
|
}
|
||||||
|
|
||||||
defer res.Body.Close()
|
defer res.Body.Close()
|
||||||
}
|
}
|
||||||
|
|
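Review bot: In processJob a scan failure is still swallowed: the new `err := s.SetCallback(&m).ScanMem(job.Data)` is followed by a bare `return`, so a paste whose scan errors out (a scan timeout, a too-many-matches condition, a bad scanner) is indistinguishable from a clean paste and is neither quarantined nor logged; I would add `log.WithError(err).WithField("id", job.PasteID).Error("Scanning paste")` before that return. The match callback registered with `SetCallback(&m)` stays attached to the worker's scanner after the call returns; that looks safe here because worker hands one job at a time to its own scanner, but a comment on processJob such as `// s must be owned by a single goroutine: the callback installed here points at a local` would make the constraint explicit. In the quarantine hunk the reformatted `viper.GetString("pasteUrl")+"/admin/quarantine/"+pasteId` still splices pasteId into the request path unescaped; if the ID originates from the queue body rather than a trusted source, `url.PathEscape(pasteId)` (net/url) keeps a crafted value from changing the path that is hit, and quarantine's body starts and ends outside its hunks, so the rest of the request construction is not visible here.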