Addon that uses yarGen to auto-generate a YARA rule from a given sample
This is a quick and dirty PoC that hooks yarGen into Cuckoo to auto-generate YARA rules for a submitted sample. Currently it generates one rule for the submitted sample, without opcodes; I didn't make it work with the dropped files.
1. Clone yarGen:
   git clone https://github.com/Neo23x0/yarGen.git

2. Enable the module in the auxiliary config:
   cat conf-extra/auxiliary.conf >> conf/auxiliary.conf
   or manually add the following lines to your conf/auxiliary.conf:
   [yaragen]
   enabled = yes
   (this probably shouldn't be an auxiliary module, but it works)

3. Copy yaragen.py to cuckoo/modules/auxiliary

4. Change the paths in yaragen.py to match your environment (/data/cuckoo/... )

5. Add the following line to /web/web/urls.py (I'm quite sure this doesn't work as it should; if it doesn't, check web/analysis/urls.py, where Cuckoo keeps its other analysis.views patterns). The two named groups must match the arguments of filereport(request, task_id, category) from step 7:
   url(r"^yara/(?P<task_id>\w+)/(?P<category>\w+)/$", "analysis.views.filereport"),

6. Add the following to /web/templates/analysis/reports/index.html (in a perfect scenario the if statement should test config.yaragen, but I didn't do it):
   {% if config.jsondump %}
   Yara Rules <a class="btn btn-primary btn-small" href="{% url "analysis.views.filereport" analysis.info.id "yara" %}">Download</a>
   {% endif %}

7. Add the following entry to the dictionary that maps a category to a report file name, under "def filereport(request, task_id, category):" in /web/analysis/views.py:
   "yara": "report.yara",
=====================
Now, after you submit a sample, yarGen runs alongside the Cuckoo analysis. The end result is a report.yara file under the reports folder in the storage location (i.e. storage/analyses/<task_id>/reports/report.yara). The file can be downloaded from the reports tab in the web interface if you followed steps 5-7.
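For reference, here is what the auxiliary module from steps 2-4 has to do, written out as an added example. This is illustrative code, not the yaragen.py that ships with this repo. The following are assumptions and should be checked against your install: the Cuckoo 1.x auxiliary API (lib.cuckoo.common.abstracts.Auxiliary with start()/stop(), and task.id, task.category, task.target on the task object), the convention that Cuckoo matches the lowercased class name to the section name in auxiliary.conf, the yarGen flags -m (sample directory), -o (output file) and --opcodes, and the two paths YARGEN_DIR and STORAGE_ROOT.

```python
# Added illustrative example, not the repo's yaragen.py.
# Assumptions: Cuckoo 1.x auxiliary API (Auxiliary base class, task.id/category/target),
# yarGen CLI flags -m / -o / --opcodes, and the two paths below.
import os
import shutil
import subprocess
import tempfile

try:
    # Real base class when the module is loaded inside Cuckoo.
    from lib.cuckoo.common.abstracts import Auxiliary
except ImportError:
    # Minimal stand-in so the file can be imported and tested outside Cuckoo.
    class Auxiliary(object):
        def __init__(self):
            self.task = None
            self.options = {}

# Assumed paths; change them as step 4 says.
YARGEN_DIR = "/data/cuckoo/yarGen"
STORAGE_ROOT = "/data/cuckoo/storage/analyses"
PYTHON = "python"
REPORT_NAME = "report.yara"   # must match the "yara": "report.yara" entry from step 7


def report_path(storage_root, task_id):
    """Where filereport() will look for the rule: <storage>/<task_id>/reports/report.yara."""
    return os.path.join(storage_root, str(task_id), "reports", REPORT_NAME)


def build_yargen_cmd(yargen_dir, sample_dir, out_file, opcodes=False):
    """yarGen scans a directory (-m) and writes one rule file (-o).
    Opcodes stay off unless asked for, matching the README."""
    cmd = [PYTHON, os.path.join(yargen_dir, "yarGen.py"),
           "-m", sample_dir, "-o", out_file]
    if opcodes:
        cmd.append("--opcodes")
    return cmd


def stage_sample(sample_path):
    """yarGen wants a directory, so copy the single sample into a private scratch dir."""
    staging = tempfile.mkdtemp(prefix="yargen_")
    shutil.copy2(sample_path, os.path.join(staging, os.path.basename(sample_path)))
    return staging


class Yaragen(Auxiliary):
    """Class name lowercased == the [yaragen] section enabled in auxiliary.conf (assumed)."""

    def start(self):
        # Only file tasks have a sample on disk; a URL task has nothing for yarGen.
        if getattr(self.task, "category", "file") != "file":
            return False
        self.staging = stage_sample(self.task.target)
        out_file = report_path(STORAGE_ROOT, self.task.id)
        out_dir = os.path.dirname(out_file)
        if not os.path.isdir(out_dir):
            os.makedirs(out_dir)
        # Background process so the guest analysis is not delayed. cwd is set as a
        # precaution: older yarGen versions open their databases relative to the cwd.
        self.proc = subprocess.Popen(
            build_yargen_cmd(YARGEN_DIR, self.staging, out_file), cwd=YARGEN_DIR)
        return True

    def stop(self):
        # Cuckoo calls stop() when the guest analysis ends. Wait for yarGen instead of
        # killing it, otherwise report.yara may be missing or truncated.
        proc = getattr(self, "proc", None)
        if proc is not None and proc.poll() is None:
            proc.wait()
        if getattr(self, "staging", None):
            shutil.rmtree(self.staging, ignore_errors=True)
        return True
```

The wait in stop() is the trade-off to be aware of: on a large goodware database yarGen can take longer than the guest run, and the analysis will not finish until it does. If that matters, kill the process there instead and accept a missing rule for slow samples.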