Neo23x0/yaraQA

GitHub: Neo23x0/yaraQA

yaraQA is a static analyzer for YARA rules. It detects rules that are syntactically correct but contain logic flaws or performance problems, helping rule authors raise the overall quality of a rule set.

Stars: 115 | Forks: 8

# yaraQA

YARA rule analyzer to improve rule quality and performance

## Why?

YARA rules can be syntactically correct but still dysfunctional. yaraQA tries to find these issues and report them to the author or maintainer of a YARA rule set.

Issues that yaraQA tries to detect include:

- Rules that are syntactically correct but can never match because of a mistake in the condition (e.g. a rule that contains a single string but uses `2 of them` as its condition)
- Rules that use string and modifier combinations that are probably wrong (e.g. `$ = "\\Debug\\" fullword`)
- Performance issues caused by short atoms, repeating characters or loops (e.g. `$ = "AA"`; these can be excluded from the analysis with `--ignore-performance`)

I'll extend the test set over time. Every minor version will include new features or new tests.

## Install requirements

```
pip install -r requirements.txt
```

## Usage

```
usage: yaraQA.py [-h] [-f yara files [yara files ...]]
                 [-d yara files [yara files ...]] [-o outfile] [-b baseline]
                 [-l level] [--ignore-performance] [--debug]

YARA RULE ANALYZER

optional arguments:
  -h, --help            show this help message and exit
  -f yara files [yara files ...]
                        Path to input files (one or more YARA rules, separated by space)
  -d yara files [yara files ...]
                        Path to input directory (YARA rules folders, separated by space)
  -o outfile            Output file that lists the issues (JSON, default: 'yaraQA-issues.json')
  -b baseline           Use a issues baseline (issues found and reviewed before) to filter issues
  -l level              Minium level to show (1=informational, 2=warning, 3=critical)
  --ignore-performance  Suppress performance-related rule issues
  --debug               Debug output
```

## Try it

```
python3 yaraQA.py -d ./test/
```

Suppress all performance issues and show only detection/logic issues:

```
python3 yaraQA.py -d ./test/ --ignore-performance
```

Suppress all informational issues (the minimum level is set with `-l`):

```
python3 yaraQA.py -d ./test/ -l 2
```

Use a baseline to see only new issues (and not the ones you have already reviewed). The baseline file is an older JSON output whose issues have been reviewed:

```
python3 yaraQA.py -d ./test/ -b yaraQA-reviewed-issues.json
```

## Example rules with issues

Example rules with issues can be found in the `./test` folder.

## Output

By default, yaraQA writes the detected issues to a file named `yaraQA-issues.json`.

This list shows an example of the JSON output that yaraQA generates:

```
[
  {
    "rule": "Demo_Rule_1_Fullword_PDB",
    "id": "SM1",
    "issue": "The rule uses a PDB string with the modifier 'wide'. PDB strings are always included as ASCII strings. The 'wide' keyword is unneeded.",
    "element": {
      "name": "$s1",
      "value": "\\\\i386\\\\mimidrv.pdb",
      "type": "text",
      "modifiers": [ "ascii", "wide", "fullword" ]
    },
    "level": "info",
    "type": "logic",
    "recommendation": "Remove the 'wide' modifier"
  },
  {
    "rule": "Demo_Rule_1_Fullword_PDB",
    "id": "SM2",
    "issue": "The rule uses a PDB string with the modifier 'fullword' but it starts with two backslashes and thus the modifier could lead to a dysfunctional rule.",
    "element": {
      "name": "$s1",
      "value": "\\\\i386\\\\mimidrv.pdb",
      "type": "text",
      "modifiers": [ "ascii", "wide", "fullword" ]
    },
    "level": "warning",
    "type": "logic",
    "recommendation": "Remove the 'fullword' modifier"
  },
  {
    "rule": "Demo_Rule_2_Short_Atom",
    "id": "PA2",
    "issue": "The rule contains a string that turns out to be a very short atom, which could cause a reduced performance of the complete rule set or increased memory usage.",
    "element": {
      "name": "$s1",
      "value": "{ 01 02 03 }",
      "type": "byte"
    },
    "level": "warning",
    "type": "performance",
    "recommendation": "Try to avoid using such short atoms, by e.g. adding a few more bytes to the beginning or the end (e.g. add a binary 0 in front or a space after the string). Every additional byte helps."
  },
  {
    "rule": "Demo_Rule_3_Fullword_FilePath_Section",
    "id": "SM3",
    "issue": "The rule uses a string with the modifier 'fullword' but it starts and ends with two backslashes and thus the modifier could lead to a dysfunctional rule.",
    "element": {
      "name": "$s1",
      "value": "\\\\ZombieBoy\\\\",
      "type": "text",
      "modifiers": [ "ascii", "fullword" ]
    },
    "level": "warning",
    "type": "logic",
    "recommendation": "Remove the 'fullword' modifier"
  },
  {
    "rule": "Demo_Rule_4_Condition_Never_Matches",
    "id": "CE1",
    "issue": "The rule uses a condition that will never match",
    "element": {
      "condition_segment": "2 of",
      "num_of_strings": 1
    },
    "level": "error",
    "type": "logic",
    "recommendation": "Fix the condition"
  },
  {
    "rule": "Demo_Rule_5_Condition_Short_String_At_Pos",
    "id": "PA1",
    "issue": "This rule looks for a short string at a particular position. A short string represents a short atom and could be rewritten to an expression using uint(x) at position.",
    "element": {
      "condition_segment": "$mz at 0",
      "string": "$mz",
      "value": "MZ"
    },
    "level": "warning",
    "type": "performance",
    "recommendation": ""
  },
  {
    "rule": "Demo_Rule_5_Condition_Short_String_At_Pos",
    "id": "PA2",
    "issue": "The rule contains a string that turns out to be a very short atom, which could cause a reduced performance of the complete rule set or increased memory usage.",
    "element": {
      "name": "$mz",
      "value": "MZ",
      "type": "text",
      "modifiers": [ "ascii" ]
    },
    "level": "warning",
    "type": "performance",
    "recommendation": "Try to avoid using such short atoms, by e.g. adding a few more bytes to the beginning or the end (e.g. add a binary 0 in front or a space after the string). Every additional byte helps."
  },
  {
    "rule": "Demo_Rule_6_Condition_Short_Byte_At_Pos",
    "id": "PA1",
    "issue": "This rule looks for a short string at a particular position. A short string represents a short atom and could be rewritten to an expression using uint(x) at position.",
    "element": {
      "condition_segment": "$mz at 0",
      "string": "$mz",
      "value": "{ 4d 5a }"
    },
    "level": "warning",
    "type": "performance",
    "recommendation": ""
  },
  {
    "rule": "Demo_Rule_6_Condition_Short_Byte_At_Pos",
    "id": "PA2",
    "issue": "The rule contains a string that turns out to be a very short atom, which could cause a reduced performance of the complete rule set or increased memory usage.",
    "element": {
      "name": "$mz",
      "value": "{ 4d 5a }",
      "type": "byte"
    },
    "level": "warning",
    "type": "performance",
    "recommendation": "Try to avoid using such short atoms, by e.g. adding a few more bytes to the beginning or the end (e.g. add a binary 0 in front or a space after the string). Every additional byte helps."
  },
  {
    "rule": "Demo_Rule_6_Condition_Short_Byte_At_Pos",
    "id": "SM3",
    "issue": "The rule uses a string with the modifier 'fullword' but it starts and ends with two backslashes and thus the modifier could lead to a dysfunctional rule.",
    "element": {
      "name": "$s1",
      "value": "\\\\Section\\\\in\\\\Path\\\\",
      "type": "text",
      "modifiers": [ "ascii", "fullword" ]
    },
    "level": "warning",
    "type": "logic",
    "recommendation": "Remove the 'fullword' modifier"
  }
]
```

## Screenshot

![yaraQA](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/bc723ac1c8211759.png)
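To make the checks listed under "Why?" and the JSON shape shown above concrete, here is an added example that is not yaraQA's own code: a small, self-contained Python checker that re-implements the same classes of findings (CE1 never-matching `N of`, SM1/SM2/SM3 modifier problems, PA1/PA2 short atoms) with a regex-based rule extractor instead of a real YARA parser. The three sample rules, the 4-byte short-atom threshold, the issue wording and the uint-based recommendation are constructed assumptions; only the issue IDs and the output field names follow the README's sample output.

```python
import re

# Constructed sample rules (not from yaraQA's ./test folder); each one triggers a check below.
SAMPLE_RULES = r'''
rule Demo_Never_Matches {
    strings:
        $a = "ThisIsALongEnoughString"
    condition:
        2 of them
}
rule Demo_Fullword_Path {
    strings:
        $s1 = "\\Debug\\" fullword
        $s2 = "\\i386\\mimidrv.pdb" ascii wide fullword
    condition:
        any of them
}
rule Demo_Short_Atom {
    strings:
        $mz = { 4d 5a }
        $aa = "AA"
    condition:
        $mz at 0 or $aa
}
'''

SHORT_ATOM_BYTES = 4  # assumed threshold; yaraQA's own cut-off is not stated in the README
RULE_RE = re.compile(r'rule\s+(\w+)\s*(?::[^{]*)?\{(.*?)\n\}', re.S)
# modifiers are captured only up to the end of the same line, so the next string is not swallowed
STRING_RE = re.compile(r'(\$\w*)\s*=\s*("(?:[^"\\]|\\.)*"|\{[^}]*\})[ \t]*([^\n]*)')
OF_RE = re.compile(r'(\d+)\s+of\s+(them|\(\$[^)]*\))')
AT_RE = re.compile(r'(\$\w+)\s+at\s+\d+')

def unescape(value):
    # collapse \\, \" and \xNN escapes to one character each so lengths reflect the bytes searched
    return re.sub(r'\\x[0-9A-Fa-f]{2}|\\.', lambda m: m.group(0)[-1], value)

def atom_length(s):
    # bytes of literal content: hex strings count tokens, text strings count unescaped characters
    if s['type'] == 'byte':
        return len(s['value'].strip('{} ').split())
    return len(unescape(s['value']))

def parse_rules(text):
    # regex extraction of rule name, strings (with modifiers) and condition; not a full YARA parser
    rules = []
    for name, body in RULE_RE.findall(text):
        strings_part, _, cond_part = body.partition('condition:')
        strings_part = strings_part.split('strings:', 1)[-1]
        strings = [{'name': n, 'value': v[1:-1] if v.startswith('"') else v,
                    'type': 'text' if v.startswith('"') else 'byte', 'modifiers': mods.split()}
                   for n, v, mods in STRING_RE.findall(strings_part)]
        rules.append({'rule': name, 'strings': strings, 'condition': ' '.join(cond_part.split())})
    return rules

def check_rule(rule):
    # apply the logic (CE/SM) and performance (PA) checks to one parsed rule
    issues, by_name = [], {s['name']: s for s in rule['strings']}
    def add(sid, level, itype, issue, element, rec):
        issues.append({'rule': rule['rule'], 'id': sid, 'issue': issue, 'element': element,
                       'level': level, 'type': itype, 'recommendation': rec})
    # CE1: "N of them" / "N of ($a, $b)" asking for more strings than the rule has
    # (wildcard sets such as ($a*) are not expanded here and would be miscounted)
    for count, target in OF_RE.findall(rule['condition']):
        items = rule['strings'] if target == 'them' else target[1:-1].split(',')
        if int(count) > len(items):
            add('CE1', 'error', 'logic', 'The rule uses a condition that will never match',
                {'condition_segment': f'{count} of', 'num_of_strings': len(items)}, 'Fix the condition')
    # PA1: a short string anchored with "at <offset>" is cheaper as uint8/16/32(offset) == value
    for name in AT_RE.findall(rule['condition']):
        s = by_name.get(name)
        if s and atom_length(s) < SHORT_ATOM_BYTES:
            add('PA1', 'warning', 'performance', 'Short string checked at a fixed position',
                {'condition_segment': f'{name} at', 'string': name, 'value': s['value']},
                'Rewrite as uintN(offset) == value')
    for s in rule['strings']:
        mods = s['modifiers']
        if s['type'] == 'text':
            raw = unescape(s['value'])
            is_pdb = raw.lower().endswith('.pdb')
            if is_pdb and 'wide' in mods:  # SM1: PDB paths are embedded as ASCII, 'wide' is dead weight
                add('SM1', 'info', 'logic', "PDB string uses the 'wide' modifier", s, "Remove the 'wide' modifier")
            if 'fullword' in mods and raw.startswith('\\'):
                if is_pdb:  # SM2: leading backslash plus 'fullword' on a PDB path
                    add('SM2', 'warning', 'logic', "PDB string starts with a backslash and uses 'fullword'", s,
                        "Remove the 'fullword' modifier")
                elif raw.endswith('\\'):  # SM3: path segment wrapped in backslashes plus 'fullword'
                    add('SM3', 'warning', 'logic', "String starts and ends with a backslash and uses 'fullword'", s,
                        "Remove the 'fullword' modifier")
        if atom_length(s) < SHORT_ATOM_BYTES:  # PA2: atom too short to filter candidates effectively
            add('PA2', 'warning', 'performance', 'String is a very short atom', s,
                'Add a few more bytes to the beginning or end of the string')
    return issues

def run_checks(text):
    # all issues for a rule file's text, in the same shape as yaraQA's JSON output
    return [issue for rule in parse_rules(text) for issue in check_rule(rule)]
```

Running `run_checks(SAMPLE_RULES)` yields seven findings: CE1 for the first rule, SM3 on `$s1` and SM1 plus SM2 on `$s2` of the second, and PA1 plus two PA2 findings for the third. The point of the split between `parse_rules` and `check_rule` is that each check only sees a normalized record (name, value, type, modifiers, condition), which is the same shape yaraQA reports in its `element` field, so a new check is a few lines against that record rather than more regex work.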