From 28ec56a27fe8121be1a1ec7044a863d77088df33 Mon Sep 17 00:00:00 2001 From: Matt C Date: Sun, 18 Sep 2022 16:11:04 +0100 Subject: [PATCH] Update libyara package to fix bug with compile messages and add support for console module --- package-lock.json | 14 +++++----- package.json | 2 +- src/core/operations/YARARules.mjs | 30 ++++++++++++++++---- tests/operations/tests/YARA.mjs | 46 ++++++++++++++++++++++++++++++- 4 files changed, 77 insertions(+), 15 deletions(-) diff --git a/package-lock.json b/package-lock.json index cf8c212a..a789a47c 100644 --- a/package-lock.json +++ b/package-lock.json @@ -52,7 +52,7 @@ "jsrsasign": "^10.5.23", "kbpgp": "2.1.15", "libbzip2-wasm": "0.0.4", - "libyara-wasm": "^1.2.0", + "libyara-wasm": "^1.2.1", "lodash": "^4.17.21", "loglevel": "^1.8.0", "loglevel-message-prefix": "^3.0.0", @@ -9152,9 +9152,9 @@ "integrity": "sha512-RqscTx95+RTKhFAyjedsboR0Lmo3zd8//EuRwQXkdWmsCwYlzarVRaiYg6kS1O8m10MCQkGdrnlK9L4eAmZUwA==" }, "node_modules/libyara-wasm": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/libyara-wasm/-/libyara-wasm-1.2.0.tgz", - "integrity": "sha512-Dx6lnwy/JIuYSAhLcRBqdNBOzzrFoCcthmIuiNHi89P3fObXAxQYajWxOv3OFjXfIyTLr8mqSUSiyzfonbQoXg==" + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/libyara-wasm/-/libyara-wasm-1.2.1.tgz", + "integrity": "sha512-PNqUNWnwjZLe55iA8Rv6vLQRjSdO2OnVg24aRE8v+ytR8CRB8agIG6pS9h2VQejuJP1A/uR4pwcBggUxoNC7DA==" }, "node_modules/lie": { "version": "3.3.0", 
@@ -21198,9 +21198,9 @@ "integrity": "sha512-RqscTx95+RTKhFAyjedsboR0Lmo3zd8//EuRwQXkdWmsCwYlzarVRaiYg6kS1O8m10MCQkGdrnlK9L4eAmZUwA==" }, "libyara-wasm": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/libyara-wasm/-/libyara-wasm-1.2.0.tgz", - "integrity": "sha512-Dx6lnwy/JIuYSAhLcRBqdNBOzzrFoCcthmIuiNHi89P3fObXAxQYajWxOv3OFjXfIyTLr8mqSUSiyzfonbQoXg==" + "version": "1.2.1", + "resolved": "https://registry.npmjs.org/libyara-wasm/-/libyara-wasm-1.2.1.tgz", + "integrity": "sha512-PNqUNWnwjZLe55iA8Rv6vLQRjSdO2OnVg24aRE8v+ytR8CRB8agIG6pS9h2VQejuJP1A/uR4pwcBggUxoNC7DA==" }, "lie": { "version": "3.3.0",
diff --git a/package.json b/package.json
index 84c087a2..f6ba31d0 100644
--- a/package.json
+++ b/package.json
@@ -128,7 +128,7 @@
 "jsrsasign": "^10.5.23",
 "kbpgp": "2.1.15",
 "libbzip2-wasm": "0.0.4",
- "libyara-wasm": "^1.2.0",
+ "libyara-wasm": "^1.2.1",
 "lodash": "^4.17.21",
 "loglevel": "^1.8.0",
 "loglevel-message-prefix": "^3.0.0",
diff --git a/src/core/operations/YARARules.mjs b/src/core/operations/YARARules.mjs
index 4d4346a0..d91f50ae 100644
--- a/src/core/operations/YARARules.mjs
+++ b/src/core/operations/YARARules.mjs
@@ -52,7 +52,17 @@ class YARARules extends Operation {
 name: "Show counts",
 type: "boolean",
 value: true
- }
+ },
+ {
+ name: "Show rule warnings",
+ type: "boolean",
+ value: true
+ },
+ {
+ name: "Show console module messages",
+ type: "boolean",
+ value: true
+ },
 ];
 }
@@ -64,7 +74,7 @@ class YARARules extends Operation {
 async run(input, args) {
 if (isWorkerEnvironment()) self.sendStatusMessage("Instantiating YARA...");
- const [rules, showStrings, showLengths, showMeta, showCounts] = args;
+ const [rules, showStrings, showLengths, showMeta, showCounts, showRuleWarns, showConsole] = args;
 return new Promise((resolve, reject) => {
 Yara().then(yara => {
 if (isWorkerEnvironment()) self.sendStatusMessage("Converting data for YARA.");
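Review bot: The new destructuring `const [rules, showStrings, showLengths, showMeta, showCounts, showRuleWarns, showConsole] = args;` is purely positional, so a recipe saved under the old five-argument layout yields `undefined` for `showRuleWarns` and `showConsole`, and the `else if (showRuleWarns)` guard added further down this file then silently drops the compile warnings the previous code always printed. Whether that actually happens depends on whether the recipe loader back-fills missing trailing arguments from the `value: true` defaults in the option list, which is not visible here; if it does not, defaulting in the pattern is a one-line fix: `const [rules, showStrings, showLengths, showMeta, showCounts, showRuleWarns = true, showConsole = true] = args;`. In either case a comment such as `// Positional: order must match this.args above` would help whoever adds the next option. The body of run() continues beyond the hunk.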
@@ -83,11 +93,19 @@ class YARARules extends Operation {
 const compileError = resp.compileErrors.get(i);
 if (!compileError.warning) {
 reject(new OperationError(`Error on line ${compileError.lineNumber}: ${compileError.message}`));
- } else {
- matchString += `Warning on line ${compileError.lineNumber}: ${compileError.message}`;
+ } else if (showRuleWarns) {
+ matchString += `Warning on line ${compileError.lineNumber}: ${compileError.message}\n`;
 }
 }
 }
+
+ if (showConsole) {
+ const consoleLogs = resp.consoleLogs;
+ for (let i = 0; i < consoleLogs.size(); i++) {
+ matchString += consoleLogs.get(i) + "\n";
+ }
+ }
+
 const matchedRules = resp.matchedRules;
 for (let i = 0; i < matchedRules.size(); i++) {
 const rule = matchedRules.get(i);
@@ -100,11 +118,11 @@ class YARARules extends Operation {
 }
 meta = meta.slice(0, -2) + "]";
 }
- const countString = matches.size() === 0 ? "" : (showCounts ? `${matches.size()} time${matches.size() > 1 ? "s" : ""}` : "");
+ const countString = matches.size() === 0 ? "" : (showCounts ? ` (${matches.size()} time${matches.size() > 1 ? "s" : ""})` : "");
 if (matches.size() === 0 || !(showStrings || showLengths)) {
 matchString += `Input matches rule "${rule.ruleName}"${meta}${countString.length > 0 ? ` ${countString}`: ""}.\n`;
 } else {
- matchString += `Rule "${rule.ruleName}"${meta} matches (${countString}):\n`;
+ matchString += `Rule "${rule.ruleName}"${meta} matches${countString}:\n`;
 for (let j = 0; j < matches.size(); j++) {
 const match = matches.get(j);
 if (showStrings || showLengths) {
diff --git a/tests/operations/tests/YARA.mjs b/tests/operations/tests/YARA.mjs
index 307f10b7..d92c19aa 100644
--- a/tests/operations/tests/YARA.mjs
+++ b/tests/operations/tests/YARA.mjs
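Review bot: The lines appended in the new `showConsole` block are written verbatim, with no prefix, right above the operation's own "Warning on line …" and "Input matches rule …" lines, so text a rule prints through `console.log` is indistinguishable from the operation's status output and a rule pasted from an untrusted source can print a fake `Input matches rule "x".` line. Since the rule text is user input, a fixed prefix keeps the two apart: `matchString += "[console] " + consoleLogs.get(i) + "\n";` (the two new test expectations would change accordingly). Separately, the `reject(...)` in the compile-error branch above has no `return` after it, so the new console loop and the match formatting still run after the promise is already rejected; that is pre-existing, but the added block makes the wasted work larger and `reject(...); return;` would end it. The enclosing `.then` callback starts and ends outside the hunk.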
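Review bot: The new `countString` now carries its own leading space inside the template literal, but the unchanged "Input matches rule" line two lines below still wraps it as ` ${countString}`, so a rule that matches with "Show strings" and "Show lengths" off and "Show counts" on now renders as `Input matches rule "x"  (3 times).` with a double space, where the old code produced `Input matches rule "x" 3 times.`. Neither new test exercises that branch with a non-zero count (both pass `false` for showCounts), and the existing hash test takes the other branch. The fix is to drop the wrapper on that context line and interpolate `${countString}` directly, i.e. `matchString += \`Input matches rule "${rule.ruleName}"${meta}${countString}.\n\`;` with the `countString.length > 0 ? ... : ""` expression removed. The enclosing loop over matchedRules continues outside the hunk.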
@@ -8,6 +8,22 @@
 */
 import TestRegister from "../../lib/TestRegister.mjs";
+const CONSOLE_COMPILE_WARNING_RULE = `import "console"
+rule a
+{
+ strings:
+ $s=" "
+ condition:
+ $s and console.log("log rule a")
+}
+rule b
+{
+ strings:
+ $s=" "
+ condition:
+ $s and console.hex("log rule b: int8(0)=", int8(0))
+}`;
+
 TestRegister.addTests([
 {
 name: "YARA Match: simple foobar",
@@ -38,10 +54,38 @@ TestRegister.addTests([
 condition: hash.sha256(0,filesize) == "7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069"
 }`,
- true, true, true, true
+ true, true, true, true, false, false
 ],
 }
 ],
 },
+ {
+ name: "YARA Match: compile warnings",
+ input: "CyberChef Yara",
+ expectedOutput: "Warning on line 5: string \"$s\" may slow down scanning\n" +
+ "Warning on line 12: string \"$s\" may slow down scanning\n" +
+ "Input matches rule \"a\".\n" +
+ "Input matches rule \"b\".\n",
+ recipeConfig: [
+ {
+ "op": "YARA Rules",
+ "args": [CONSOLE_COMPILE_WARNING_RULE, false, false, false, false, true, false],
+ }
+ ],
+ },
+ {
+ name: "YARA Match: console messages",
+ input: "CyberChef Yara",
+ expectedOutput: "log rule a\n" +
+ "log rule b: int8(0)=0x43\n" +
+ "Input matches rule \"a\".\n" +
+ "Input matches rule \"b\".\n",
+ recipeConfig: [
+ {
+ "op": "YARA Rules",
+ "args": [CONSOLE_COMPILE_WARNING_RULE, false, false, false, false, false, true],
+ }
+ ],
+ },
 ]);
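Review bot: The two new cases each enable exactly one of the new toggles (`true, false` and `false, true`), so the configuration the option list actually ships — both toggles on — and the resulting order of warnings, then console lines, then match lines is never asserted; a third case with `..., false, true, true` and the concatenated expected output would pin it, and would also catch a regression in either toggle being silently ignored. The expected strings further embed libyara's exact warning wording (`string "$s" may slow down scanning`, with line numbers) and the `0x43` rendering of `console.hex`, so a future libyara-wasm bump can break them without any change in this repository. A comment above the constant, e.g. `// Expected output below depends on libyara's warning text and console.hex formatting (libyara-wasm ^1.2.1).`, would save the next person a debugging session.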