2025-02-28 Update From: SLTechnology News&Howtos shulou
Shulou (Shulou.com) 05/31 Report
This article explains how to use Spyre, an intrusion threat indicator (IoC) scanning tool built on YARA rules. It goes into some detail; readers who are interested can use it as a reference, and I hope it helps.
Spyre
Spyre is a host-based IoC scanner built on the YARA pattern matching engine together with a few other scanning modules. Its main purpose is to make YARA rule sets easy to deploy and run, so that researchers can scan hosts for intrusion threat indicators (IoCs) with less effort.
Spyre does not ship with rules: when using it, you need to provide your own YARA rule set. For a starting point, researchers can refer to the free rule sets collected in the awesome-yara repository.
Spyre is intended as an incident response and investigation tool. It does not provide any protection to the endpoint it runs on.
Tool download
Researchers can clone the project source code locally using the following command:
git clone https://github.com/spyre-project/spyre.git
Code build
Spyre supports 32-bit and 64-bit Linux and Windows platforms.
Debian Buster (10.x) and later
On a Debian Buster system, you first need to install and configure the following packages:
make gcc gcc-multilib gcc-mingw-w64 autoconf automake libtool pkg-config wget patch sed golang-$VERSION-go git-core ca-certificates zip
These are the build environment requirements for the tool; once they are in place, the source code can be built from the command line.
Fedora 30 and later
To build the source code on Fedora, you first need to install and configure the following packages:
make gcc mingw{32,64}-gcc mingw{32,64}-winpthreads-static autoconf automake libtool pkgconf-pkg-config wget patch sed golang git-core ca-certificates zip
After installing and configuring the packages above, run the make command to build the code. The build first downloads musl-libc, OpenSSL and YARA and builds them; once they are built, Spyre itself is built.
The resulting Spyre binaries are placed under "_build//".
Running the following command creates a ZIP file containing the binaries for all supported operating system architectures:
make release
Tool configuration
Spyre's runtime parameters can be passed either as command-line arguments or through a params.txt file with one argument per line; lines in the parameter file that start with a # character are ignored.
Normally (unless this option is enabled), Spyre asks the OS scheduler to lower its CPU and I/O priority so that the scan does not disrupt normal system operation:
--high-priority
Explicitly set the hostname that is written into the report:
--set-hostname=NAME
Set the log level. Available values are trace, debug, info, notice, warn, error and quiet:
--loglevel=LEVEL
Set one or more report output targets:
--report=SPEC
Set one or more file system paths to scan:
--path=PATHLIST
Set the list of YARA rule files used for scanning files:
--yara-file-rules=FILELIST
Set the list of YARA rule files used for scanning process memory:
--yara-proc-rules=FILELIST
Set the maximum size of files that YARA will scan:
--max-file-size=SIZE
Read IoC definitions from a file:
--ioc-file=FILE
Set the names of processes that should not be scanned:
--proc-ignore=NAMELIST
Tool usage
Spyre is simple to use. First add your YARA signatures: rules for file scanning are read from filescan.yar, and rules for process memory scanning are read from procscan.yar. Rule files can be supplied to Spyre in any of the following ways:
1. Add the rule files to a ZIP file and append that ZIP file to the binary.
2. Add the rule files to a ZIP file named $PROGRAM.zip, i.e. spyre.zip if the binary is called spyre or spyre.exe.
3. Place the rule files in the same directory as the binary.
The ZIP file contents are encrypted with the password "infected" so that antivirus products do not pick up the rule set and interfere with the scan results.
YARA rule files may contain include statements.
Once the rules are deployed, the scanner is ready to run. When the scan completes, the tool writes the collected results to its report.
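The rule bundle and params.txt layout described above (and the parameter file format from the tool configuration section), as an added Python example that is not code from the Spyre project; the rule bodies, hostname, paths and report name are constructed, and the spyre.zip naming and the '#' comment handling are assumed from the article:

```python
"""Added example (not Spyre project code): build the rule bundle and params.txt
the article describes. Assumes spyre.zip beside the binary carries filescan.yar
and procscan.yar and that '#' lines in params.txt are comments; all constructed."""
import os, shutil, subprocess, tempfile, zipfile

# Constructed placeholder rules; replace with a real set (e.g. from awesome-yara).
RULES = {
    "filescan.yar": 'rule marker_file { strings: $m = "CONSTRUCTED-IOC-FILE" ascii condition: $m }\n',
    "procscan.yar": 'rule marker_proc { strings: $m = "CONSTRUCTED-IOC-PROC" ascii wide condition: $m }\n',
}
PARAMS = [  # constructed params.txt; flag names as in the option list above
    "# Spyre parameters, one per line; '#' lines are ignored",
    "--set-hostname=lab-host-01", "--path=/home", "--proc-ignore=spyre",
    "# --high-priority   (left off so the scan keeps low CPU/IO priority)",
    "--report=spyre-report.log",
]

def write_rule_bundle(workdir, password="infected"):
    """Write the rule files and pack them into spyre.zip. The zip CLI applies the
    password (zipfile cannot write encrypted entries); without it the archive
    stays unencrypted and an AV product may quarantine the rules."""
    paths = []
    for name, body in RULES.items():
        with open(os.path.join(workdir, name), "w") as fh:
            fh.write(body)
        paths.append(fh.name)
    bundle = os.path.join(workdir, "spyre.zip")
    if shutil.which("zip"):
        subprocess.run(["zip", "-q", "-j", "-P", password, bundle, *paths], check=True)
    else:
        with zipfile.ZipFile(bundle, "w", zipfile.ZIP_DEFLATED) as zf:
            for p in paths:
                zf.write(p, arcname=os.path.basename(p))
    return bundle

def bundle_members(bundle):
    with zipfile.ZipFile(bundle) as zf:  # central directory is readable without the password
        return sorted(zf.namelist())

def parse_params(path):
    """Mirror the documented params.txt handling: blank and '#' lines are skipped."""
    with open(path) as fh:
        lines = [ln.strip() for ln in fh]
    return [ln for ln in lines if ln and not ln.startswith("#")]

def build_deployment(workdir=None):
    """Create bundle plus params.txt and return what Spyre would load from them."""
    workdir = workdir or tempfile.mkdtemp(prefix="spyre-")
    bundle = write_rule_bundle(workdir)
    params = os.path.join(workdir, "params.txt")
    with open(params, "w") as fh:
        fh.write("\n".join(PARAMS) + "\n")
    return {"dir": workdir, "members": bundle_members(bundle), "args": parse_params(params)}
```

Copy the resulting spyre.zip and params.txt next to the spyre binary; the returned "args" list is exactly what Spyre would read from the parameter file after dropping the comment lines.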
About YARA rules
YARA is built with its default settings; the following options can be used to change them:
--disable-magic --disable-cuckoo --enable-dotnet --enable-macho --enable-dex
License agreement
This project was developed and distributed under the GNU Open Source License.
That concludes this introduction to using Spyre, the YARA-based intrusion threat indicator (IoC) scanning tool. I hope the content above is of some help and that you learned something from it. If you found the article useful, please share it so that more people can see it.