CybercentreCanada/CCCS-Yara

GitHub: CybercentreCanada/CCCS-Yara

A YARA rule metadata specification and automated validation tool from the Canadian Centre for Cyber Security. It standardises the metadata format of detection rules and automatically generates and checks key attributes such as unique IDs, rule fingerprints, and MITRE ATT&CK mappings.

Stars: 119 | Forks: 21

# Canadian Centre for Cyber Security

## CCCS YARA Specification

The [CCCS YARA Specification](https://github.com/CybercentreCanada/CCCS-Yara/blob/master/CCCS_YARA.yml) was created to define and validate the style and format of YARA rule metadata. It ships with a CLI that lets you validate and generate metadata automatically (for example unique IDs, rule fingerprints, and adversary enrichment from ATT&CK).

Over the years we have seen many YARA rules; to use them to their full potential we have always had to modify some of the metadata attached to them, even for rules we developed ourselves: adjusting simple things such as the date-time format, and adding information that matters to analysts.

You can use it in a CI/CD pipeline to validate and enrich your YARA rules automatically before new rules are merged!

This specification also includes fields specific to the [MITRE ATT&CK framework](https://attack.mitre.org/matrices/enterprise/) for identifying techniques, and generic [MITRE ATT&CK threat groups](https://attack.mitre.org/groups/).

[AssemblyLine](https://www.cyber.gc.ca/en/assemblyline) supports this specification natively and uses it to provide more context when a YARA signature hits.

[vscode-yara](https://github.com/infosec-intern/vscode-yara) uses the user or workspace `settings.json` file to create a custom metadata section that conforms to this specification. See [settings.json](settings.json) for an example.

## Example rule

```
rule MemoryModule
{
    meta:
        id = "6O9mUMvPhziJ72IXHf6muZ"
        fingerprint = "4aa0a23f28698898404d700cb363ddf06dd275f5798815e797113656a2a40ae8"
        version = "1.0"
        date = "2020-05-06"
        modified = "2020-05-06"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        source = "CCCS"
        author = "analyst@CCCS"
        description = "Yara rule to detect usage of MemoryModule Library"
        category = "TECHNIQUE"
        technique = "LOADER:MEMORYMODULE"
        mitre_att = "T1129"
        report = "TA20-0192"
        hash = "812bbe8b9acabad05b08add50ee55c883e1f7998f3a7cae273d3f0d572a79adc"

    strings:
        $func_ptr = {55 8B EC 6A 00 68 [3] 00 68 [3] 00 68 [3] 00 68 [3] 00 68 [3] 00}
        $func_ptr_64 = {48 [3] 48 [4] 00 00 00 00 48 8? [5] 48 8? [3] 4? 8? [5] 48 8? [3-5] 48 8?}
        $api_1 = "LoadLibraryA"
        $api_2 = "GetProcAddress"
        $api_3 = "FreeLibrary"
        $api_4 = "VirtualFree"
        $api_5 = "VirtualProtect"
        $api_6 = "VirtualAlloc"

    condition:
        uint16(0) == 0x5a4d and all of ($api*) and ($func_ptr or $func_ptr_64)
}
```

## YARA repositories using this standard - thank you!

- https://github.com/reversinglabs/reversinglabs-yara-rules
- https://github.com/bartblaze/Yara-rules
- https://github.com/0xThiebaut/Signatures

## Components

validator.py: the validator library. It validates the metadata section of YARA rules: it checks the specified metadata, automatically generates some of it, and re-orders the metadata into the order given by the specification, with all "unknown" metadata appended at the bottom.

- [CCCS_YARA.yml](https://github.com/CybercentreCanada/CCCS-Yara/blob/master/CCCS_YARA.yml): the CCCS YARA standard definition in YAML format. (Limitation: this file is provided to show the expected fields; yara_validator does not currently read it directly. This will be addressed in a future release.)
- [CCCS_YARA_values.yml](https://github.com/CybercentreCanada/CCCS-Yara/blob/master/CCCS_YARA_values.yml): describes the acceptable values for the fields defined in CCCS_YARA.yml.

yara_validator: the CLI utility. It takes a file, a list of files, or a folder, in which it looks for files with the .yar or .yara extension.

## Requirements

Python 3.6+

All required Python packages are listed in requirements.txt.

The [Cyber Threat Intelligence Repository](https://github.com/mitre/cti) is a submodule of this repository:

```
git clone https://github.com/CybercentreCanada/CCCS-Yara.git
cd CCCS-Yara
pip install .
```

Note that a plain `git clone` leaves submodule directories empty; clone with `git clone --recurse-submodules` or run `git submodule update --init` after cloning if you need the submodule content checked out.

## yara_validator usage

```
yara_validator -h
usage: yara_validator [-h] [-r] [-n] [-v] [-vv] [-f] [-w] [-s] [-st] [-m] [-i | -c] paths [paths ...]

CCCS YARA script to run the CCCS YARA validator, use the -i or -c flags to generate the id, fingerprint, version, or modified (if not already present) and add them to the file.

positional arguments:
  paths                 A list of files or folders to be analyzed.

optional arguments:
  -h, --help            show this help message and exit
  -r, --recursive       Recursively search folders provided.
  -n, --no-changes      Makes no changes and outputs potential results to the output.
  -v, --verbose         Verbose mode, will print why a rule was invalid.
  -vv, --very-verbose   Very-verbose mode, will printout what rule is about to be processed, the invalid rules, the reasons they are invalid and all contents of the rule.
  -f, --fail            Fail mode, only prints messages about invalid rules.
  -w, --warnings        This mode will ignore warnings and proceed with other behaviors if the rule is valid.
  -s, --standard        This prints the YARA standard to the screen.
  -st, --strict         This causes the cli to return a non-zero exit code for warnings.
  -m, --module          This flag overrides the check for modules that have not been imported.
  -i, --in-place        Modifies valid files in place, mutually exclusive with -c.
  -c, --create-files    Writes a new file for each valid file, mutually exclusive with -i.
```

Quick example (`paths` is required; pass the rule files or folders after the flags):

```
# The rule will be converted in place
python yara_validator -v -i
```

For a pre-merge CI gate, combine `-n` (make no changes) with `-st` (non-zero exit code on warnings, so warnings also fail the job) and `-r` for a folder tree; keep `-i` or `-c` for a local enrichment pass whose output you then commit.
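To make the validator's behaviour concrete, here is an added Python example (not code from the CCCS-Yara project) that performs the same kind of work on the example rule above: parse the `meta:` section, report missing required fields and malformed values, re-order the keys into spec order with unknown keys appended at the bottom, add an `id` when absent and recompute the `fingerprint`. The field order, the required-field set, the allowed `status` values, the 22-character base62 id shape and the SHA-256-over-strings-and-condition fingerprint are all assumptions drawn from the example rule, not the project's definitions in CCCS_YARA.yml / CCCS_YARA_values.yml. Both sample rules are constructed; it also handles a rule that has no `strings:` section.

```python
import hashlib
import re
import uuid

# Field order, required set, allowed values and the id/fingerprint constructions
# are assumptions drawn from the example rule above, not from CCCS_YARA.yml.
SPEC_ORDER = ["id", "fingerprint", "version", "date", "modified", "status",
              "sharing", "source", "author", "description", "category",
              "technique", "mitre_att", "report", "hash"]
REQUIRED = {"version", "date", "modified", "status", "sharing",
            "source", "author", "description", "category"}
META_RE = re.compile(r"meta:[ \t]*\n(.*?)\n\s*(?:strings|condition):", re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"(.*)"\s*$')
B62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
CHECKS = [  # (field, predicate, message)
    ("date", re.compile(r"\d{4}-\d{2}-\d{2}").fullmatch, "must be YYYY-MM-DD"),
    ("modified", re.compile(r"\d{4}-\d{2}-\d{2}").fullmatch, "must be YYYY-MM-DD"),
    ("status", {"RELEASED", "TESTING", "DEPRECATED"}.__contains__, "is not an allowed status"),
    ("sharing", lambda v: v.startswith("TLP:"), "must be a TLP marking"),
    ("mitre_att", re.compile(r"T\d{4}(\.\d{3})?").fullmatch, "is not an ATT&CK technique id"),
    ("fingerprint", re.compile(r"[0-9a-f]{64}").fullmatch, "is not a lowercase SHA-256 hex digest"),
]

def parse_meta(rule_text):
    """Meta section as an ordered list of (key, value) pairs (quoted values only)."""
    m = META_RE.search(rule_text)
    if not m:
        return []
    return [(kv[1], kv[2]) for kv in map(KV_RE.match, m[1].splitlines()) if kv]

def validate_meta(rule_text):
    """List of problems found; an empty list means the meta section is valid."""
    meta = dict(parse_meta(rule_text))
    problems = [f"missing required field: {k}" for k in SPEC_ORDER
                if k in REQUIRED and k not in meta]
    problems += [f"{k} {msg}: {meta[k]!r}" for k, ok, msg in CHECKS
                 if k in meta and not ok(meta[k])]
    return problems

def fingerprint(rule_text):
    """SHA-256 of the whitespace-normalised strings+condition body; metadata edits leave it unchanged."""
    marker = "strings:" if "strings:" in rule_text else "condition:"
    body = rule_text.split(marker, 1)[1]
    return hashlib.sha256(" ".join(body.split()).encode()).hexdigest()

def new_id():
    """Random UUID rendered as 22 base62 characters, the shape of the example id."""
    n, out = uuid.uuid4().int, ""
    while n:
        n, r = divmod(n, 62)
        out = B62[r] + out
    return out.rjust(22, "0")

def normalise(rule_text):
    """Meta in spec order, unknown keys last, id added if absent, fingerprint recomputed."""
    m = META_RE.search(rule_text)
    if not m:
        raise ValueError("rule has no meta section")
    pairs = parse_meta(rule_text)
    meta = dict(pairs, fingerprint=fingerprint(rule_text))  # recomputed, never trusted
    meta.setdefault("id", new_id())
    ordered = [(k, meta[k]) for k in SPEC_ORDER if k in meta]
    ordered += [(k, v) for k, v in pairs if k not in SPEC_ORDER]
    indent = re.match(r"[ \t]*", m[1])[0]
    block = "\n".join(f'{indent}{k} = "{v}"' for k, v in ordered)
    return rule_text[:m.start(1)] + block + rule_text[m.end(1):]

# Constructed sample: the MemoryModule rule from this page with its strings
# trimmed and a non-spec key, internal_ref, placed out of order.
GOOD_RULE = '''rule MemoryModule
{
    meta:
        id = "6O9mUMvPhziJ72IXHf6muZ"
        internal_ref = "ticket-42"
        fingerprint = "4aa0a23f28698898404d700cb363ddf06dd275f5798815e797113656a2a40ae8"
        version = "1.0"
        date = "2020-05-06"
        modified = "2020-05-06"
        status = "RELEASED"
        sharing = "TLP:WHITE"
        source = "CCCS"
        author = "analyst@CCCS"
        description = "Yara rule to detect usage of MemoryModule Library"
        category = "TECHNIQUE"
        mitre_att = "T1129"
    strings:
        $api_1 = "LoadLibraryA"
    condition:
        uint16(0) == 0x5a4d and $api_1
}
'''

# Constructed sample: US-style date, malformed ATT&CK id, most fields missing.
BAD_RULE = '''rule Sloppy
{
    meta:
        date = "06/05/2020"
        mitre_att = "T11"
    condition:
        uint16(0) == 0x5a4d
}
'''
```

In a pre-merge job, run `validate_meta` over every rule and fail on a non-empty list; `normalise` is the local enrichment pass. Because the fingerprint here covers only the strings and condition, a reviewer can tell a metadata-only change from a detection-logic change by whether the fingerprint moved, and normalising a rule never hides a metadata defect: the missing fields and bad values are reported exactly the same before and after.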
Tags: AssemblyLine, CCCS, Cloudflare, DNS information, DNS brute-forcing, MITRE ATT&CK, SDLC, TLP protocol, VSCode extension, YAML, YARA, YARA rules, middleware vulnerabilities, cloud security monitoring, cloud asset visibility, coding standards, metadata validation, Canadian Centre for Cyber Security, hash fingerprint, threat intelligence, security library, secure development lifecycle, developer tools, document structure analysis, signatures, cyber security, specification validation, reverse engineering tools, privacy protection, static analysis