How to use yaraQA to improve the quality and performance of YARA rules
About yaraQA
yaraQA is a powerful YARA rule analysis tool that helps researchers improve the quality and performance of their YARA rules.
Many YARA rules are syntactically correct but still functionally flawed. yaraQA tries to find these problems and report them to the developers or maintainers of the YARA rule set.
yaraQA features
yaraQA tries to detect the following problems:
1. Rules that are syntactically correct but never match because of errors in the condition;
2. Rules that use possibly wrong combinations of strings and modifiers (e.g. $ = "\\Debug\\" fullword);
3. Performance issues caused by short atoms, repeating characters or loops (e.g. $ = "AA"; these can be excluded from the analysis with --ignore-performance).
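The three checks above can be approximated with a small amount of rule parsing. The following script is an added example written for this article, not code from the yaraQA project: it runs a never-matching-condition check (CE1), a fullword-with-backslash check (SM2/SM3) and a short-atom check (PA1/PA2) over a constructed rule set and emits records shaped like yaraQA's output. The 4-byte atom threshold, the regex-based rule parsing and the rule names are simplifications assumed here.

```python
import re
# Constructed rule set (not taken from the yaraQA repository) reproducing the issue classes yaraQA
# reports: a never-matching condition, 'fullword' strings that begin or end with a backslash, and short atoms.
SAMPLE_RULES = r'''rule Demo_Never_Matches {
    strings: $s1 = "mimidrv.pdb" ascii
    condition: 2 of them
}
rule Demo_Fullword_Path {
    strings: $s1 = "\\Debug\\" ascii fullword
             $s2 = "\\i386\\mimidrv.pdb" ascii wide fullword
    condition: any of them
}
rule Demo_Short_Atom {
    strings: $mz = { 4d 5a }
             $a = "AA"
    condition: $mz at 0 and $a
}'''
RULE_RE = re.compile(r'rule\s+(\w+)[^{]*\{(.*?)\n\}', re.S)
TEXT_RE = re.compile(r'(\$\w*)\s*=\s*"((?:\\.|[^"\\])*)"([^\n]*)')
HEX_RE = re.compile(r'(\$\w*)\s*=\s*\{([^}]*)\}')
OF_RE = re.compile(r'\b(\d+)\s+of\s+(?:them|\()')
AT_RE = re.compile(r'(\$\w+)\s+at\s+\d+')
MIN_ATOM = 4  # threshold assumed for this example; a YARA atom is at most 4 bytes long
def analyze(rules_text):
    """Return yaraQA-style issue records (rule, id, level, type, element) for rules_text."""
    issues = []
    add = lambda rule, id_, level, type_, element: issues.append(
        {"rule": rule, "id": id_, "level": level, "type": type_, "element": element})
    for name, body in RULE_RE.findall(rules_text):
        strings_part, _, cond = body.partition('condition:')
        lengths = {}  # string name -> length in bytes, shared by the PA1/PA2 checks
        for sname, raw, mods in TEXT_RE.findall(strings_part):
            lengths[sname] = len(re.sub(r'\\(.)', r'\1', raw))  # unescape \\ and \"
            # 'fullword' needs non-alphanumeric bytes on both sides of the match, but a leading or trailing
            # backslash normally touches a directory name (C:\Users\Debug\), so the rule stops matching (SM2/SM3)
            if 'fullword' in mods.split() and (raw.startswith('\\\\') or raw.endswith('\\\\')):
                add(name, "SM3", "warning", "logic", {"name": sname, "value": raw})
        for sname, hexbody in HEX_RE.findall(strings_part):
            lengths[sname] = len(hexbody.split())
        for sname, length in lengths.items():  # short atoms slow down the whole rule set (PA2)
            if length < MIN_ATOM:
                add(name, "PA2", "warning", "performance", {"name": sname, "length": length})
        for n in OF_RE.findall(cond):  # "N of them" with N > defined strings never matches (CE1)
            if int(n) > len(lengths):
                add(name, "CE1", "error", "logic", {"condition_segment": f"{n} of", "num_of_strings": len(lengths)})
        for sname in AT_RE.findall(cond):  # short string at a fixed offset: prefer uint16(0) == 0x5A4D (PA1)
            if lengths.get(sname, MIN_ATOM) < MIN_ATOM:
                add(name, "PA1", "warning", "performance", {"string": sname})
    return issues
```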
Installation
The tool is written in Python 3, so a Python 3 environment must first be installed and configured on the local machine. Then clone the project source with the following command:
git clone https://github.com/Neo23x0/yaraQA.git
Then change into the project directory and install the remaining dependencies with pip and the requirements.txt file shipped with the project:
cd yaraQA/
pip install -r requirements.txt
Usage
usage: yaraQA.py [-h] [-f yara files [yara files ...]] [-d yara files [yara files ...]] [-o outfile] [-b baseline] [-l level]
                 [--ignore-performance] [--debug]
 
YARA RULE ANALYZER
 
optional arguments:
  -h, --help            顯示工具幫助信息和退出
  -f yara files [yara files ...]
                        輸入文件路徑(一個或多個Yara規則,由空格分隔)
  -d yara files [yara files ...]
                        輸入目錄路徑(Yara規則目錄,由空格分隔)
  -o outfile            分析結果輸出文件(JSON格式,默認為'yaraQA-issues.json')
  -b baseline           使用一個問題基線來過濾分析結果中的問題
  -l level              要顯示的最低級別(1=基本信息, 2=警告, 3=嚴重)
  --ignore-performance  屏蔽與性能相關的規則問題
  --debug               調試模式輸出
Usage examples
Analyze a directory of rules:
python3 yaraQA.py -d ./test/
Suppress all performance-related issues and show only logic issues:
python3 yaraQA.py -d ./test/ --ignore-performance
Suppress all informational issues:
python3 yaraQA.py -d ./test/ -l 2
Use a baseline to show only new issues (the baseline file must be a .json file):
python3 yaraQA.py -d ./test/ -b yaraQA-reviewed-issues.json
Output
yaraQA writes the detected issues to a file named yaraQA-issues.json.
Below is an example of the JSON-formatted results that yaraQA generates:
[
    {
        "rule": "Demo_Rule_1_Fullword_PDB",
        "id": "SM1",
        "issue": "The rule uses a PDB string with the modifier 'wide'. PDB strings are always included as ASCII strings. The 'wide' keyword is unneeded.",
        "element": {
            "name": "$s1",
            "value": "\\\\i386\\\\mimidrv.pdb",
            "type": "text",
            "modifiers": [
                "ascii",
                "wide",
                "fullword"
            ]
        },
        "level": "info",
        "type": "logic",
        "recommendation": "Remove the 'wide' modifier"
    },
    {
        "rule": "Demo_Rule_1_Fullword_PDB",
        "id": "SM2",
        "issue": "The rule uses a PDB string with the modifier 'fullword' but it starts with two backslashes and thus the modifier could lead to a dysfunctional rule.",
        "element": {
            "name": "$s1",
            "value": "\\\\i386\\\\mimidrv.pdb",
            "type": "text",
            "modifiers": [
                "ascii",
                "wide",
                "fullword"
            ]
        },
        "level": "warning",
        "type": "logic",
        "recommendation": "Remove the 'fullword' modifier"
    },
    {
        "rule": "Demo_Rule_2_Short_Atom",
        "id": "PA2",
        "issue": "The rule contains a string that turns out to be a very short atom, which could cause a reduced performance of the complete rule set or increased memory usage.",
        "element": {
            "name": "$s1",
            "value": "{ 01 02 03 }",
            "type": "byte"
        },
        "level": "warning",
        "type": "performance",
        "recommendation": "Try to avoid using such short atoms, by e.g. adding a few more bytes to the beginning or the end (e.g. add a binary 0 in front or a space after the string). Every additional byte helps."
    },
    {
        "rule": "Demo_Rule_3_Fullword_FilePath_Section",
        "id": "SM3",
        "issue": "The rule uses a string with the modifier 'fullword' but it starts and ends with two backslashes and thus the modifier could lead to a dysfunctional rule.",
        "element": {
            "name": "$s1",
            "value": "\\\\ZombieBoy\\\\",
            "type": "text",
            "modifiers": [
                "ascii",
                "fullword"
            ]
        },
        "level": "warning",
        "type": "logic",
        "recommendation": "Remove the 'fullword' modifier"
    },
    {
        "rule": "Demo_Rule_4_Condition_Never_Matches",
        "id": "CE1",
        "issue": "The rule uses a condition that will never match",
        "element": {
            "condition_segment": "2 of",
            "num_of_strings": 1
        },
        "level": "error",
        "type": "logic",
        "recommendation": "Fix the condition"
    },
    {
        "rule": "Demo_Rule_5_Condition_Short_String_At_Pos",
        "id": "PA1",
        "issue": "This rule looks for a short string at a particular position. A short string represents a short atom and could be rewritten to an expression using uint(x) at position.",
        "element": {
            "condition_segment": "$mz at 0",
            "string": "$mz",
            "value": "MZ"
        },
        "level": "warning",
        "type": "performance",
        "recommendation": ""
    },
    {
        "rule": "Demo_Rule_5_Condition_Short_String_At_Pos",
        "id": "PA2",
        "issue": "The rule contains a string that turns out to be a very short atom, which could cause a reduced performance of the complete rule set or increased memory usage.",
        "element": {
            "name": "$mz",
            "value": "MZ",
            "type": "text",
            "modifiers": [
                "ascii"
            ]
        },
        "level": "warning",
        "type": "performance",
        "recommendation": "Try to avoid using such short atoms, by e.g. adding a few more bytes to the beginning or the end (e.g. add a binary 0 in front or a space after the string). Every additional byte helps."
    },
    {
        "rule": "Demo_Rule_6_Condition_Short_Byte_At_Pos",
        "id": "PA1",
        "issue": "This rule looks for a short string at a particular position. A short string represents a short atom and could be rewritten to an expression using uint(x) at position.",
        "element": {
            "condition_segment": "$mz at 0",
            "string": "$mz",
            "value": "{ 4d 5a }"
        },
        "level": "warning",
        "type": "performance",
        "recommendation": ""
    },
    {
        "rule": "Demo_Rule_6_Condition_Short_Byte_At_Pos",
        "id": "PA2",
        "issue": "The rule contains a string that turns out to be a very short atom, which could cause a reduced performance of the complete rule set or increased memory usage.",
        "element": {
            "name": "$mz",
            "value": "{ 4d 5a }",
            "type": "byte"
        },
        "level": "warning",
        "type": "performance",
        "recommendation": "Try to avoid using such short atoms, by e.g. adding a few more bytes to the beginning or the end (e.g. add a binary 0 in front or a space after the string). Every additional byte helps."
    },
    {
        "rule": "Demo_Rule_6_Condition_Short_Byte_At_Pos",
        "id": "SM3",
        "issue": "The rule uses a string with the modifier 'fullword' but it starts and ends with two backslashes and thus the modifier could lead to a dysfunctional rule.",
        "element": {
            "name": "$s1",
            "value": "\\\\Section\\\\in\\\\Path\\\\",
            "type": "text",
            "modifiers": [
                "ascii",
                "fullword"
            ]
        },
        "level": "warning",
        "type": "logic",
        "recommendation": "Remove the 'fullword' modifier"
    }
]
Sample rules with issues
The project ships sample rules that contain issues; they can be found in the ./test directory.
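The baseline (-b), level (-l) and --ignore-performance filtering that yaraQA applies to such results can be reproduced in a few lines. The following script is an added example, not part of yaraQA: it assumes that the level names in the output map to the -l numbers as info=1, warning=2, error=3, and works on constructed records that mirror the JSON fields shown above.

```python
import json

LEVELS = {"info": 1, "warning": 2, "error": 3}  # yaraQA level names -> the numbers used by -l

# Constructed issue records with the same fields as yaraQA-issues.json (not the project's own
# output). Note that 'id' alone is not unique: PA2 appears for several rules and one rule can
# carry several ids, so a baseline entry is identified by rule, check id and affected element.
CURRENT = [
    {"rule": "Demo_Rule_1_Fullword_PDB", "id": "SM1", "level": "info", "type": "logic",
     "element": {"name": "$s1"}, "recommendation": "Remove the 'wide' modifier"},
    {"rule": "Demo_Rule_1_Fullword_PDB", "id": "SM2", "level": "warning", "type": "logic",
     "element": {"name": "$s1"}, "recommendation": "Remove the 'fullword' modifier"},
    {"rule": "Demo_Rule_2_Short_Atom", "id": "PA2", "level": "warning", "type": "performance",
     "element": {"name": "$s1", "value": "{ 01 02 03 }"}, "recommendation": ""},
    {"rule": "Demo_Rule_4_Condition_Never_Matches", "id": "CE1", "level": "error", "type": "logic",
     "element": {"condition_segment": "2 of", "num_of_strings": 1}, "recommendation": "Fix the condition"},
]
# Issues already reviewed and accepted, as they would be kept in yaraQA-reviewed-issues.json
BASELINE = [{"rule": "Demo_Rule_1_Fullword_PDB", "id": "SM1", "element": {"name": "$s1"}}]

def issue_key(issue):
    """Identity of an issue for baseline comparison: rule, check id and the element concerned."""
    el = issue.get("element", {})
    return (issue["rule"], issue["id"], el.get("name") or el.get("string") or el.get("condition_segment"))

def filter_issues(issues, baseline=(), min_level=1, ignore_performance=False):
    """Apply the equivalent of yaraQA's -b, -l and --ignore-performance options to a loaded issue list."""
    reviewed = {issue_key(b) for b in baseline}
    return [i for i in issues
            if issue_key(i) not in reviewed
            and LEVELS[i["level"]] >= min_level
            and not (ignore_performance and i["type"] == "performance")]

def load_issues(path):
    """Read a yaraQA-issues.json style file (the tool's output or a reviewed baseline)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

def summarize(issues):
    """Count the remaining issues per level, e.g. {'warning': 2, 'error': 1}."""
    counts = {}
    for issue in issues:
        counts[issue["level"]] = counts.get(issue["level"], 0) + 1
    return counts

if __name__ == "__main__":
    remaining = filter_issues(CURRENT, BASELINE, min_level=2)
    print(json.dumps(remaining, indent=2))
    print(summarize(remaining))
```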
Screenshot of the tool in action

License
This project is developed and released under the GPL-3.0 open source license.