Yara is a rule-based scanning engine aimed at helping malware analysts find and classify interesting samples.

https://github.com/VirusTotal/yara

This series adds Yara support to Libguestfs, allowing users to upload sets of rules and scan files against them.

Currently provided APIs:

 - yara_load: loads a set of rules
 - yara_destroy: frees resources allocated by loaded rules
 - yara_scan: scans a file with the loaded rules

Future APIs:

 - yara_scan_recursive: scan the entire FS starting from the given point
   (could it be a flag in yara_scan?)
 - yara_scan_inode: use TSK to scan files by inode, allowing deleted or
   hidden files to be scanned

Code ready for review, available here:

https://github.com/noxdafox/libguestfs/tree/yara

Matteo Cafasso (6):
  appliance: add libyara dependency
  New API: yara_load
  New API: yara_destroy
  New API: internal_yara_scan
  New API: yara_scan
  yara_scan: added API tests

 appliance/packagelist.in                 |   1 +
 configure.ac                             |   1 +
 daemon/Makefile.am                       |   4 +-
 daemon/yara.c                            | 318 +++++++++++++++++++++++++++++++
 generator/actions.ml                     |  59 ++++++
 generator/structs.ml                     |   9 +
 gobject/Makefile.inc                     |   2 +
 java/Makefile.inc                        |   1 +
 java/com/redhat/et/libguestfs/.gitignore |   1 +
 m4/guestfs_daemon.m4                     |   8 +
 src/MAX_PROC_NR                          |   2 +-
 src/Makefile.am                          |   1 +
 src/yara.c                               | 140 ++++++++++++++
 tests/yara/Makefile.am                   |  26 +++
 tests/yara/test-yara-scan.sh             |  72 +++++++
 15 files changed, 643 insertions(+), 2 deletions(-)
 create mode 100644 daemon/yara.c
 create mode 100644 src/yara.c
 create mode 100644 tests/yara/Makefile.am
 create mode 100755 tests/yara/test-yara-scan.sh

--
2.10.1