Port malcontent to YARA-X #227

Closed
tstromberg opened this issue May 17, 2024 · 6 comments · Fixed by #734
Labels: enhancement (New feature or request), help wanted (Extra attention is needed)

Comments

@tstromberg
Collaborator

YARA now has official Go bindings:

https://virustotal.github.io/yara-x/blog/yara-is-dead-long-live-yara-x/

There are only 2-3 calls into the existing library we use - https://github.com/hillu/go-yara - but I'm sure the data structure it returns has some differences that will need to be resolved.

Here's where I would start making the change:

https://github.com/chainguard-dev/bincapz/blob/996ba4c2c19d42694937f9b50af3bbc74b2ca3af/pkg/compile/compile.go#L59

This function, which converts YARA results into an internal FileReport struct, will also need changes:

https://github.com/chainguard-dev/bincapz/blob/996ba4c2c19d42694937f9b50af3bbc74b2ca3af/pkg/report/report.go#L275

@tstromberg added the labels enhancement (New feature or request) and help wanted (Extra attention is needed) on May 17, 2024
@egibs
Member

egibs commented May 17, 2024

Looks like this will be a pre-req for working with Yara-X.

I ran into issues running cargo install cargo-c on macOS and had to run:

cargo clean && PATH="/usr/bin:$PATH" cargo install cargo-c

to avoid using strip from Brew's binutils:

❯ which strip
/opt/homebrew/opt/binutils/bin/strip

@tstromberg
Collaborator Author

Ouch. With this change, it sounds like we'd be taking on two large dependencies that we didn't have before. I think that we should save this change for a little while - at least until YARA-X is available in homebrew and the mainstream Linux distros.

Closing this for now - but I expect we'll likely resurrect it by the end of the year.

@egibs
Member

egibs commented Jul 6, 2024

Found an example of Yara-X usage in Go: https://github.com/zz1gg/threatchecker/blob/main/utils/yara_x.go and used it as a reference for a very WIP feature branch.

There's a way to ignore modules when compiling rules, but it doesn't seem like we get much control over warnings or errors like we do with the current package.

Aside from that, it looks like most everything else should be accessible except for Tags, which don't seem to be a concept with Yara-X (at least as of version 0.5.0).

@fproulx-boostsecurity

@tstromberg it's in homebrew now (https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/y/yara-x.rb)

@tstromberg tstromberg reopened this Nov 20, 2024
@tstromberg
Collaborator Author

That's great news! @egibs has also been working on upstream patches that should soon make it possible to port malcontent to YARA-X.

@tstromberg changed the title from "Port bincapz to YARA-X" to "Port malcontent to YARA-X" on Nov 20, 2024
@egibs
Member

egibs commented Nov 20, 2024

Yep -- there were two missing features that we rely on in go-yara:

  • exposing tags for a given rule (just recently added in VirusTotal/yara-x@6e044b0)
  • the strings for a given match (PR to add this is open)

Once those are officially released, we can start working on moving everything over*.

* Also, the yara-x C API is installed via cargo cinstall rather than what we're used to with Yara but it shouldn't be that much of a lift.
