Yara analyser

Hi all,

This is not really a question, more just to see if anybody had any strong opinions, or good suggestions about how to integrate yara into bro. I read something on this mailing list about integrating bro with yara, and hadn’t seen anything since so I’ve developed a yara analyser for bro.
https://github.com/hempnall/broyara.

The code seems to work well for small pcaps - but I wondered about memory exhaustion using std::ostringstream to store files in larger deployments. I just wondered whether this was something that you might consider including in the bro source - I’d be happy to tidy it up if there was enough enthusiasm.

This only took me about three hours - (thanks to Bro’s extensibility and Yara’s excellent docs).

Regards

James

Unfortunately that’s unlikely to work well on live traffic and it could be abused easily. I’ve actually spent quite a bit of time on making some API updates to Yara to introduce an incremental API and I have a Yara analyzer laying around somewhere that uses the incremental API (it only took about an hour to create the analyzer after I made the API extension in Yara).

I’ve been in contact a bit with Victor Alvarez about getting an incremental analysis API into Yara and I showed him my code. He responded well but he hasn’t merged my code or updated his to add an incremental API yet. I’ll follow up with him again soon to get his thoughts on it.

In case anyone here wants to take a look at what I’ve done, you can see my Yara branch with an incremental API here:
  https://github.com/sethhall/yara/tree/incremental-parsing

  .Seth
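As an added example (not code from broyara or from the incremental-parsing branch), the simplest mitigation for the memory-exhaustion concern raised in both messages above: a per-file byte cap on the buffer the analyzer hands to Yara, so an oversized transfer is dropped and flagged rather than accumulated. The DeliverStream/EndOfFile names mirror the Bro file-analyzer callbacks, and FakeYaraScan is a constructed stand-in for a compiled ruleset.

```cpp
#include <cstddef>
#include <functional>
#include <string>
#include <vector>

// Bounded per-file buffer with the DeliverStream/EndOfFile shape of a Bro file
// analyzer. Bytes beyond the cap are dropped instead of growing the buffer.
class BoundedYaraBuffer {
public:
    // Scanner hook; a real analyzer would wrap yr_rules_scan_mem() here.
    using ScanFn = std::function<int(const std::string&)>;

    BoundedYaraBuffer(std::size_t max_bytes, ScanFn scan) : max_bytes_(max_bytes), scan_(scan) {}

    // One chunk of content. Returns false once the cap is hit, so the caller
    // knows later chunks are being discarded rather than buffered.
    bool DeliverStream(const char* data, std::size_t len) {
        if (truncated_) return false;
        std::size_t room = max_bytes_ - buf_.size();
        if (len > room) {  // keep what fits, then stop accumulating
            buf_.append(data, room);
            truncated_ = true;
            return false;
        }
        buf_.append(data, len);
        return true;
    }

    // Scan complete files only; an over-cap file returns -1 ("skipped") so
    // policy can log it instead of acting on a match against a partial file.
    int EndOfFile() const { return truncated_ ? -1 : scan_(buf_); }

private:
    std::size_t max_bytes_;
    ScanFn scan_;
    std::string buf_;
    bool truncated_ = false;
};

// Constructed stand-in for a Yara ruleset: "matches" if "needle" is present.
inline int FakeYaraScan(const std::string& buf) {
    return buf.find("needle") != std::string::npos ? 1 : 0;
}

// Feed constructed chunks through the buffer and return the EndOfFile result.
inline int ScanChunks(std::size_t cap, const std::vector<std::string>& chunks) {
    BoundedYaraBuffer b(cap, FakeYaraScan);
    for (const auto& c : chunks) b.DeliverStream(c.data(), c.size());
    return b.EndOfFile();
}
```

Files that exceed the cap are reported distinctly from non-matches, so a deployment can count and log them rather than silently losing coverage on large transfers.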