tjnel/certgraveyard_yara
GitHub: tjnel/certgraveyard_yara
Automatically generates and continuously updates YARA detection rules from the CertGraveyard database of compromised certificates, helping to identify malware that abuses stolen code-signing certificates.
Stars: 13 | Forks: 0
# CertGraveyard YARA Rule Generator
Automatically generates YARA rules from the [CertGraveyard](https://certgraveyard.org) database of compromised certificates.
## Features
- 🔄 **Daily updates**: automatically checks CertGraveyard for newly compromised certificates
- 📝 **YARA rule generation**: creates a separate YARA rule for each certificate
- ✅ **Validation**: validates every rule with yara-python
- 📦 **Release management**: automated releases with a combined ruleset and ZIP archive
- 📋 **Changelog**: maintains a detailed changelog of all additions and modifications
## Quick Start
### Installation
```
# Clone the repository
git clone https://github.com/tjnel/certgraveyard_yara.git
cd certgraveyard_yara
# Install with UV
uv sync --all-extras
```
### Usage
```
# Download the latest CSV from CertGraveyard
cert-graveyard-yara download
# Check whether the CSV has changed
cert-graveyard-yara check-changed
# Generate YARA rules
cert-graveyard-yara generate
# Validate the rules
cert-graveyard-yara validate --engine yara
# Create the combined file and ZIP archive
cert-graveyard-yara combine
cert-graveyard-yara package
# Run the full pipeline
cert-graveyard-yara run --all
```
### Using the Generated Rules
Download the latest release, or use the rules directly:
```
# Scan with the combined ruleset
yara rules/combined/MAL_Compromised_Cert_*.yara /path/to/scan
# Or use the individual rules
yara rules/individual/*.yara /path/to/scan
```
## Project Structure
```
cert-graveyard-yara/
├── .github/workflows/          # GitHub Actions
│   ├── daily-update.yml        # Daily CSV check and rule generation
│   ├── ci.yml                  # PR validation and testing
│   └── release.yml             # Release creation
├── src/cert_graveyard_yara/    # Source code
│   ├── __init__.py
│   ├── downloader.py           # CSV download and caching
│   ├── parser.py               # CSV parsing
│   ├── generator.py            # YARA rule generation
│   ├── validator.py            # Rule validation
│   ├── changelog.py            # Changelog management
│   └── cli.py                  # Command-line interface
├── tests/                      # Test suite
├── rules/
│   ├── individual/             # Individual YARA rule files
│   └── combined/               # Combined release files
├── data/                       # CSV data and hash files
├── templates/                  # Jinja2 templates
└── CHANGELOG.md
```
## Generated Rule Format
Each rule follows this format (the `pe` module reports signature serials as lowercase, colon-separated hex, which is the form `cert_serial` and the condition use):
```
import "pe"

rule MAL_Compromised_Cert_Emotet_DigiCert_0a_1b_2c_3d {
    meta:
        description = "Detects malware Emotet using compromised certificate..."
        author = "TNEL (https://github.com/tjnel/certgraveyard_yara)"
        reference = "https://certgraveyard.org"
        hash = "a1b2c3d4..."
        malware = "Emotet"
        malware_type = "Trojan"
        cert_issuer = "DigiCert SHA2 Assured ID Code Signing CA"
        cert_serial = "0a:1b:2c:3d"
        cert_valid_from = "2024-01-15"
        cert_valid_to = "2025-01-15"
    condition:
        uint16(0) == 0x5a4d and
        for any sig in pe.signatures : (
            sig.issuer contains "DigiCert SHA2 Assured ID Code Signing CA" and
            sig.serial == "0a:1b:2c:3d"
        )
}
```
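The following is an added example (not the project's own `generator.py`) of how a CSV row can be rendered into a rule of the format above. The `CertRecord` field names and the rule-naming scheme are assumptions; the two points it shows are normalising the serial into the form YARA's `pe.signatures[*].serial` compares against, and escaping CSV text so it cannot break out of a YARA string literal.

```python
import re
from dataclasses import dataclass

@dataclass
class CertRecord:
    """One CSV row; field names are assumed, not the project's parser output."""
    malware: str
    malware_type: str
    issuer: str
    serial: str  # as found in the CSV, e.g. "0A1B2C3D" or "0a:1b:2c:3d"
    valid_from: str
    valid_to: str
    sha256: str

def normalize_serial(serial: str) -> str:
    """Serial as YARA's pe.signatures[*].serial reports it: lowercase hex pairs joined by ':'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", serial).lower()
    if not digits:
        raise ValueError("serial contains no hex digits")
    if len(digits) % 2:  # odd-length serials get a leading zero so the pairs line up
        digits = "0" + digits
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))

def yara_escape(value: str) -> str:
    """Escape backslashes and double quotes so CSV text cannot break out of a YARA string."""
    return value.replace("\\", "\\\\").replace('"', '\\"')

def rule_name(rec: CertRecord) -> str:
    """MAL_Compromised_Cert_<malware>_<issuer first word>_<serial>, limited to identifier chars."""
    clean = lambda s: re.sub(r"[^A-Za-z0-9]+", "_", s).strip("_")
    serial = normalize_serial(rec.serial).replace(":", "_")
    return f"MAL_Compromised_Cert_{clean(rec.malware)}_{clean(rec.issuer.split()[0])}_{serial}"

def generate_rule(rec: CertRecord) -> str:
    """Render one rule; the condition matches issuer and serial through the pe module."""
    serial, issuer = normalize_serial(rec.serial), yara_escape(rec.issuer)
    meta = {
        "description": f"Detects malware {rec.malware} using compromised certificate {serial}",
        "hash": rec.sha256, "malware": rec.malware, "malware_type": rec.malware_type,
        "cert_issuer": rec.issuer, "cert_serial": serial,
        "cert_valid_from": rec.valid_from, "cert_valid_to": rec.valid_to,
    }
    meta_lines = [f'        {k} = "{yara_escape(v)}"' for k, v in meta.items()]
    return "\n".join(['import "pe"', "", f"rule {rule_name(rec)} {{", "    meta:", *meta_lines,
                      "    condition:", "        uint16(0) == 0x5a4d and",
                      "        for any sig in pe.signatures : (",
                      f'            sig.issuer contains "{issuer}" and',
                      f'            sig.serial == "{serial}"', "        )", "}"])

SAMPLE = CertRecord("Emotet", "Trojan", "DigiCert SHA2 Assured ID Code Signing CA",  # constructed row
                    "0A1B2C3D", "2024-01-15", "2025-01-15", "a1b2c3d4")
```

Compiling the returned text with `yara.compile(source=generate_rule(SAMPLE))` is the same check the project's `validate` step performs with yara-python.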
## Development
### Setting Up the Development Environment
```
# Install dev dependencies
uv sync --all-extras
# Run linting
uv run ruff check src tests
# Run type checking
uv run mypy src
# Run the tests
uv run pytest
```
### Running Tests
```
# Run all tests with coverage
uv run pytest
# Run a specific test file
uv run pytest tests/test_generator.py
# Run with verbose output
uv run pytest -v
```
## CLI Commands
| Command | Description |
|---------|-------------|
| `download` | Download the CSV from CertGraveyard |
| `check-changed` | Check whether the CSV has changed since the last run |
| `generate` | Generate YARA rules from the CSV |
| `validate` | Validate the YARA rules |
| `changelog` | Update the changelog |
| `combine` | Create the combined YARA file |
| `package` | Create a ZIP archive of the rules |
| `run` | Run the full pipeline |
## Configuration
### Environment Variables
| Variable | Description | Default |
|----------|-------------|---------|
| `CERTGRAVEYARD_URL` | CSV download URL | `https://certgraveyard.org/api/download_csv` |
## License
MIT License - see [LICENSE](LICENSE) for details.
## Acknowledgements
- [CertGraveyard](https://certgraveyard.org) for the compromised-certificate database
- [YARA](https://virustotal.github.io/yara/) for the pattern-matching engine