YARA-Silly-Silly/yarasilly2

GitHub: YARA-Silly-Silly/yarasilly2

Stars: 28 | Forks: 3

# YARA Silly Silly

A semi-automatic handy tool to generate YARA rules from sample virus files (WIP) for malware analysts, inspired by the DIFF function of a VirusTotal Premium account.

You can find some sample virus files at [https://github.com/YARA-Silly-Silly/sample-malwares](https://github.com/YARA-Silly-Silly/sample-malwares)

You can find the project repo at [https://github.com/YARA-Silly-Silly/yarasilly2](https://github.com/YARA-Silly-Silly/yarasilly2)

## Installing YARA Silly Silly

**Python3 is required.**

0. Clone the git repository and enter the folder:

   ```
   git clone https://github.com/YARA-Silly-Silly/yarasilly2.git
   cd yarasilly2
   ```

1. Create and activate a virtual environment:

   `Linux`

   ```
   python -m venv venv
   source venv/bin/activate
   ```

   `Windows`

   ```
   python -m venv venv
   .\venv\Scripts\activate.bat
   ```

2. Install the package inside the environment:

   ```
   pip3 install -r requirements.txt
   ```

## QuickStart

To start the application, first check all the options that can be passed to it using

```
python yarasilly2.py --help
```

Config for the application is also present in the file **config.ini** in the root folder.

**Example**

```
python yarasilly2.py -r "Test-Rule" -t "APT" -a "John Doe" -o 2 -f "office"
```

The above command will pass the rule name **Test-Rule**, tag **APT**, author **John Doe**, pattern occurrence **2** and sample file type **office**.

**Fuzzy match** example:

```
python yarasilly2.py -r "Test-Rule" -t "APT" -a "John Doe" -f "office" -fm ./confirm-sample 80 ./probable-sample 60
```

The above command will pass the rule name **Test-Rule**, tag **APT**, author **John Doe** and file type **office**, followed by the **fuzzy match** parameters: the first is the folder of confirmed malware samples, the second is the minimum percentage of match between all the files in that folder, the third is the folder of probable malware samples and the fourth is the minimum percentage of match with the files within the probable folder.
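To make the `-r`/`-t`/`-a`/`-d`/`-o` parameters concrete, here is an added, self-contained illustration (not yarasilly2's own code or algorithm) of the core idea: find byte patterns shared by every confirmed sample, keep only those that occur at least `occurrence` times per file, and emit them as a YARA rule with the given metadata. The sample blobs and the function names are constructed for this example.

```python
import re

# Constructed stand-ins for a folder of confirmed samples (not real malware):
# three byte blobs that share two substrings at different offsets.
SAMPLES = {
    "sample1.bin": b"\x00\x10docProps/core.xml\x00\x00word/vbaProject.bin\x00\x01AAAA",
    "sample2.bin": b"\xff\xfe docProps/core.xml\x00\x00\x00word/vbaProject.bin\x00\x02BBBB",
    "sample3.bin": b"docProps/core.xml\x00\x00zzzzword/vbaProject.bin\x00\x03",
}

def common_patterns(samples, min_len=8, occurrence=1):
    """Maximal byte strings of at least min_len bytes that occur at least
    `occurrence` times in every sample (the role the README gives to -o).
    Greedy longest-first scan over the first sample; quadratic in its size,
    which is fine for a demo but is not the tool's own matching logic."""
    blobs = list(samples.values())
    base = blobs[0]
    covered = [False] * len(base)  # bytes of base already claimed by a pattern
    found = []
    for length in range(len(base), min_len - 1, -1):
        for start in range(len(base) - length + 1):
            if any(covered[start:start + length]):
                continue
            cand = base[start:start + length]
            if all(blob.count(cand) >= occurrence for blob in blobs):
                found.append(cand)
                covered[start:start + length] = [True] * length
    return sorted(set(found), key=lambda p: (-len(p), p))

def to_hex_string(pattern):
    """Render raw bytes as a YARA hex string, e.g. { 77 6f 72 64 }."""
    return "{ " + " ".join(f"{b:02x}" for b in pattern) + " }"

def render_rule(rulename, tags, author, description, patterns):
    """Emit a YARA rule carrying the metadata of the -r/-t/-a/-d flags.
    YARA identifiers allow only letters, digits and '_' and must not start
    with a digit, so a name like Test-Rule has to become Test_Rule here."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", rulename):
        raise ValueError(f"invalid YARA identifier: {rulename!r}")
    if not patterns:
        raise ValueError("no common patterns; lower min_len or occurrence")
    q = lambda s: s.replace("\\", "\\\\").replace('"', '\\"')
    header = f"rule {rulename} : {tags}" if tags else f"rule {rulename}"
    lines = [header, "{", "    meta:", f'        author = "{q(author)}"',
             f'        description = "{q(description)}"', "    strings:"]
    lines += [f"        $s{i} = {to_hex_string(p)}" for i, p in enumerate(patterns)]
    lines += ["    condition:", "        all of them", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_rule("Test_Rule", "APT", "John Doe", "demo rule",
                      common_patterns(SAMPLES, occurrence=1)))
```

With `occurrence=2` the same samples yield no pattern at all, which is the check a higher `-o` value performs before a rule is written.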
## Command Line Parameters

```
Usage: yarasilly2.py [OPTIONS]

Options:
  -r, --rulename TEXT             Provide a rule name with no spaces and must
                                  start with letter.  [required]
  -f, --filetype [office]         Select sample set file type choices.
                                  [required]
  -m, --matchpatternfile TEXT     Matched pattern will be saved to this file.
                                  Please provide full path eg:
                                  ./output/matched-pattern
  -i, --inputfilepath TEXT        File or files will be read from this
                                  location eg: ./files-folder
  -fd, --folderdepth INTEGER      How much depth within the inputfilepath the
                                  files will be searched. To search all files
                                  with any depth enter 0
  -fm, --fuzzymatch ...           Match file patterns using fuzzy hashing.
                                  Please provide folder path of confirm virus
                                  samples with match percentage of same type
                                  and probable virus samples with should be
                                  matched percent. For eg: -fm
                                  ./confirm-sample 80 ./probable-sample 60
  -o, --patternoccurance INTEGER  How many match of the pattern within the
                                  files is considered as match.
  -b, --block INTEGER             File buffer size when reading file.
  -l, --loglevel [CRITICAL|ERROR|WARNING|INFO|DEBUG]
                                  Select log level for the application.
                                  [default: ERROR]
  -a, --author TEXT               Type you name to be filled in the author
                                  field in generate YARA rule. Eg. -n "John
                                  Doe"  [default: N/A]
  -d, --description TEXT          Provide a useful description of the YARA
                                  rule.  [default: No Description Provided]
  -t, --tags TEXT                 Apply Tags to Yara Rule For Easy Reference
                                  (AlphaNumeric)  [default: ]
  --help                          Show this message and exit.  [default:
                                  False]
```

## About Us

Yara Silly Silly is maintained by:
- himadriganguly (Himadri Ganguly)
- bidhata (Krishnendu Paul)

## LICENSE

Yara Silly Silly is GNU GPL3 licensed. See the LICENSE file for details.