
feature request : be able to select specific file extensions in yara #1312

Open
emmanubo opened this issue Jun 30, 2020 · 7 comments

Comments

@emmanubo

emmanubo commented Jun 30, 2020

There are scenarios where only specific file extensions need to be scanned.
So, I've added an option (--exts) in order to specify which file extensions should be scanned in my custom yara build:

yara64.exe -C webshells.bin . --exts=.asp/.aspx/.dll/.jsp/.php

I would like to know if this is something that is planned in the feature list. If needed, I can share the code I'm currently using (I'm new to github).

Thanks!

Emmanuel

@tlansec
Contributor

tlansec commented Jul 1, 2020

Hello,

I would suggest that this is done outside of YARA. To do this you could:

  1. precompile rules
  2. find files of the correct extension using an external method such as "dir /S /B *.asp"
  3. run yara against each file in the file list using the precompiled ruleset (to avoid recompiling each time) using "--scan-list"

Cheers,
Tom

@emmanubo
Author

emmanubo commented Jul 1, 2020

Hello Tom,

My team is performing incident response. We need to limit process creation (which would occur if we ran yara after performing some file filtering). In addition, we commonly scan directories with millions of files. I've already implemented the needed feature. I think it may be useful for other people too.
I've created the following pull request related to this: #1314

Thanks,

Emmanuel

@tlansec
Contributor

tlansec commented Jul 1, 2020

Hi,

OK, but if you use "--scan-list" as I suggest, it does not create millions of processes, it creates one process.

Cheers,
Tom

@emmanubo
Author

emmanubo commented Jul 1, 2020

Hello Tom,

This only addresses part of the issue: the file list must be created first (we want to avoid writing any file to disk) and we end up scanning directories twice.

Cheers,

Emmanuel

@DanielRuf

DanielRuf commented Jun 28, 2022

I face the same problem. Currently I have to create, filter and provide a file list to skip only a few, but rather small or irrelevant, files (like txt, zip and so on).

How can we bring this feature request forward?
Or do we users have to manually patch our own yara binaries?

@Jwalker107

Perhaps a solution would be to allow --scan-list to read from stdin rather than from a file?

I'm concerned that building a scan-list file could require generating a sizeable file when listing directories or files from large disks, but allowing --scan-list to read from stdin rather than a file opens many scenarios to read piped input from 'find' or 'dir' or higher-level scripts.

@Jwalker107

Jwalker107 commented Nov 2, 2022

For what it's worth, I have a local workaround using 'mkfifo' to create a circular buffer file that is then the input for --scan-list.
Here I create /tmp/listing_file.txt, which will be populated by the output of multiple 'find' commands and read as input by yara. This allows using 'find' to perform all the filtering, stay within a device, etc.

# Named pipe (FIFO): the path list flows through it and never lands on disk
LISTING_FILE=/tmp/listing_file.txt
rm -f "$LISTING_FILE"
mkfifo "$LISTING_FILE"

# Walk every local, non-virtual mount point; -xdev keeps each find on its own device
(
for j in $(df -l --output=target -x tmpfs -x devtmpfs | sed 1d)
 do find "$j" -xdev -not \( -path "/proc" -prune \) -not \( -path "/dev" -prune \)
done
) > "$LISTING_FILE" &

# One yara process reads paths from the FIFO as find produces them, using precompiled rules
/bin/yara -C /var/opt/yara-signatures/OpenSSL_3_lower_307.yarc --scan-list "$LISTING_FILE" --print-strings --no-follow-symlinks
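The FIFO workaround above can be combined with the extension filtering from the original request, so that a single yara process scans only the selected extensions without a list file ever being written to disk. This is an added example, not code from the issue or from the YARA project; the yara binary location and the rules path are assumptions.

```shell
#!/bin/sh
# find_by_ext DIR EXTS
#   DIR  : directory to walk (stays on one device via -xdev)
#   EXTS : "/"-separated extension list, e.g. ".asp/.aspx/.php" (same syntax as the --exts proposal)
# Builds a find(1) predicate group ( -name '*.asp' -o -name '*.aspx' ... ) using only
# positional parameters, so it works in plain POSIX sh without arrays. Matching is case-sensitive.
find_by_ext() {
    dir=$1
    exts=$2
    set -- "$dir" -xdev -type f '('
    oldifs=$IFS
    IFS=/
    first=1
    for e in $exts; do
        if [ "$first" -eq 1 ]; then first=0; else set -- "$@" -o; fi
        set -- "$@" -name "*$e"
    done
    IFS=$oldifs
    set -- "$@" ')'
    find "$@"
}

# scan_exts DIR EXTS RULES
#   Streams find_by_ext output through a FIFO into yara --scan-list: one yara process,
#   precompiled rules, no path list written to disk. RULES is a compiled (-C) rule file.
scan_exts() {
    tmpd=$(mktemp -d)
    fifo=$tmpd/list
    mkfifo "$fifo"
    find_by_ext "$1" "$2" > "$fifo" &
    # Assumed locations: /bin/yara binary, caller-supplied compiled rules path
    /bin/yara -C "$3" --scan-list "$fifo" --no-follow-symlinks
    wait
    rm -rf "$tmpd"
}

# Example call (assumed paths): scan_exts /var/www ".asp/.aspx/.dll/.jsp/.php" /opt/rules/webshells.bin
```

Because the FIFO is consumed as it is written, the walk and the scan run concurrently, so the directory tree is traversed once rather than twice.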

4 participants