Addition of Yara Module

docker-compose.yml

@@ -1,6 +1,15 @@
 version: "3"
 
 services:
+  yarasea:
+    image: yarasea
+    build:
+      context: .
+      dockerfile: ./docker/yarasea/Dockerfile
+    networks:
+      lisanet:
+        ipv4_address: 172.42.0.15
+    restart: on-failure
   api:
     image: lisa-api
     build:

docker/yarasea/Dockerfile

@@ -0,0 +1,145 @@
+FROM alpine:3.14
+
+LABEL maintainer "https://github.com/roaldi"
+
+ENV YARA_VERSION 4.1.3
+ENV PATH /usr/local/go/bin:$PATH
+ENV GOPATH /go
+ENV GOLANG_VERSION 1.17.5
+
+RUN set -eux; \
+	apk add --no-cache --virtual .fetch-deps gnupg; \
+	arch="$(apk --print-arch)"; \
+	url=; \
+	case "$arch" in \
+		'x86_64') \
+			export GOARCH='amd64' GOOS='linux'; \
+			;; \
+		'armhf') \
+			export GOARCH='arm' GOARM='6' GOOS='linux'; \
+			;; \
+		'armv7') \
+			export GOARCH='arm' GOARM='7' GOOS='linux'; \
+			;; \
+		'aarch64') \
+			export GOARCH='arm64' GOOS='linux'; \
+			;; \
+		'x86') \
+			export GO386='softfloat' GOARCH='386' GOOS='linux'; \
+			;; \
+		'ppc64le') \
+			export GOARCH='ppc64le' GOOS='linux'; \
+			;; \
+		's390x') \
+			export GOARCH='s390x' GOOS='linux'; \
+			;; \
+		*) echo >&2 "error: unsupported architecture '$arch' (likely packaging update needed)"; exit 1 ;; \
+	esac; \
+	build=; \
+	if [ -z "$url" ]; then \
+# https://github.com/golang/go/issues/38536#issuecomment-616897960
+		build=1; \
+		url='https://dl.google.com/go/go1.17.5.src.tar.gz'; \
+		sha256='3defb9a09bed042403195e872dcbc8c6fae1485963332279668ec52e80a95a2d'; \
+# the precompiled binaries published by Go upstream are not compatible with Alpine, so we always build from source here 😅
+	fi; \
+	\
+	wget -O go.tgz.asc "$url.asc"; \
+	wget -O go.tgz "$url"; \
+	echo "$sha256 *go.tgz" | sha256sum -c -; \
+	\
+# https://github.com/golang/go/issues/14739#issuecomment-324767697
+	GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \
+# https://www.google.com/linuxrepositories/
+	gpg --batch --keyserver keyserver.ubuntu.com --recv-keys 'EB4C 1BFD 4F04 2F6D DDCC  EC91 7721 F63B D38B 4796'; \
+# let's also fetch the specific subkey of that key explicitly that we expect "go.tgz.asc" to be signed by, just to make sure we definitely have it
+	gpg --batch --keyserver keyserver.ubuntu.com --recv-keys '2F52 8D36 D67B 69ED F998  D857 78BD 6547 3CB3 BD13'; \
+	gpg --batch --verify go.tgz.asc go.tgz; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME" go.tgz.asc; \
+	\
+	tar -C /usr/local -xzf go.tgz; \
+	rm go.tgz; \
+	\
+	if [ -n "$build" ]; then \
+		apk add --no-cache --virtual .build-deps \
+			bash \
+			gcc \
+			go \
+			musl-dev \
+		; \
+		\
+		( \
+			cd /usr/local/go/src; \
+# set GOROOT_BOOTSTRAP + GOHOST* such that we can build Go successfully
+			export GOROOT_BOOTSTRAP="$(go env GOROOT)" GOHOSTOS="$GOOS" GOHOSTARCH="$GOARCH"; \
+			./make.bash; \
+		); \
+		\
+		apk del --no-network .build-deps; \
+		\
+# pre-compile the standard library, just like the official binary release tarballs do
+		go install std; \
+# go install: -race is only supported on linux/amd64, linux/ppc64le, linux/arm64, freebsd/amd64, netbsd/amd64, darwin/amd64 and windows/amd64
+#		go install -race std; \
+		\
+# remove a few intermediate / bootstrapping files the official binary release tarballs do not contain
+		rm -rf \
+			/usr/local/go/pkg/*/cmd \
+			/usr/local/go/pkg/bootstrap \
+			/usr/local/go/pkg/obj \
+			/usr/local/go/pkg/tool/*/api \
+			/usr/local/go/pkg/tool/*/go_bootstrap \
+			/usr/local/go/src/cmd/dist/dist \
+		; \
+	fi; \
+	\
+	apk del --no-network .fetch-deps; \
+	\
+	go version
+
+RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 777 "$GOPATH"
+
+
+RUN apk add --no-cache openssl file jansson bison python3 tini su-exec
+RUN apk add --no-cache -t .build-deps py3-setuptools \
+  openssl-dev \
+  jansson-dev \
+  python3-dev \
+  build-base \
+  libc-dev \
+  file-dev \
+  automake \
+  autoconf \
+  libtool \
+  flex \
+  git \
+  git \
+  && set -x \
+  && echo "Install Yara from source..." \
+  && cd /tmp/ \
+  && git clone --recursive --branch v$YARA_VERSION https://github.com/VirusTotal/yara.git \
+  && cd /tmp/yara \
+  && ./bootstrap.sh \
+  && sync \
+  && ./configure --with-crypto \
+  --enable-magic \
+  --enable-cuckoo \
+  --enable-dotnet \
+  && make \
+  && make install \    
+  && mkdir /home/yarasea
+
+WORKDIR /home/yarasea
+
+    RUN apk add git pkgconfig \
+    && git clone https://github.com/roaldi/YaraSea && ls -lah 
+
+WORKDIR /home/yarasea/YaraSea
+
+RUN go get github.com/go-git/go-git/v5 \
+    && go build  
+
+COPY ./docker/yarasea/init.sh ./init.sh
+
+CMD ["./init.sh"]

docker/yarasea/init.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+/home/yarasea/YaraSea/YaraSea

lisa/analysis/anomaly.py

@@ -3,7 +3,7 @@
 """
 
 
-class Anomaly():
+class Anomaly:
     """Anomaly base structure.
 
     :param name: Name of anomaly.

lisa/analysis/network_analysis.py

@@ -41,7 +41,7 @@ def is_ip_blacklisted(ipaddr):
         mid = low + (high - low) // 2
         ipmid = ipblacklist[mid]
 
-        if ip >= ipmid[0] and ip <= ipmid[1]:
+        if ipmid[0] <= ip <= ipmid[1]:
             return True
         elif ip < ipmid[0]:
             high = mid - 1
@@ -60,11 +60,11 @@ def is_ip_local(ipaddr):
     ip = int(ipaddress.ip_address(ipaddr))
 
     # 10.x.x.x
-    if ip >= 167772160 and ip < 184549376:
+    if 167772160 <= ip < 184549376:
         return True
 
     # 172.16.0.0 – 172.31.255.255
-    if ip >= 2886729728 and ip < 2887778304:
+    if 2886729728 <= ip < 2887778304:
         return True
 
     # 192.168.x.x

lisa/analysis/static_analysis.py

@@ -27,7 +27,7 @@ def run_analysis(self):
         log.info('Static Analysis started.')
 
         # start radare2
-        self._r2 = r2pipe.open(self._file.path, ['-2'])
+        self._r2 = r2pipe.open(self._file.path)
         self._r2.cmd('aaa')
 
         # binary info
@@ -59,8 +59,8 @@ def _r2_info(self):
             'language': info['bin']['lang'],
             'stripped': info['bin']['stripped'],
             'relocations': info['bin']['relocs'],
-            'min_opsize': info['bin']['minopsz'],
-            'max_opsize': info['bin']['maxopsz'],
+            'min_opsize': info['core']['minopsz'],
+            'max_opsize': info['core']['maxopsz'],
             'entry_point': entry_point[0]['vaddr']
         }
 

lisa/analysis/top_level.py

@@ -29,7 +29,7 @@ def create_analyzer(analyzer_path, file_path):
     return analyzer_class(file_path)
 
 
-class Master():
+class Master:
     """Top level analyzer of binary files.
 
     :param file_path: Path to binary file.

lisa/analysis/yara_scan.py

@@ -0,0 +1,52 @@
+import yara
+
+
+class YaraScan:
+    # https://yara.readthedocs.io/en/stable/yarapython.html
+    def __init__(self, path):
+        """
+        param path: absolute path to rules
+        """
+        is_compiled = self.is_compiled_rules(path)
+        if not is_compiled:
+            # Load rules from file and compile
+            self.rules = yara.compile(filepath=path)
+        else:
+            # Load compiled rules to memory
+            self.rules = yara.load(path)
+        self.__rule_matched = ""
+
+    def is_compiled_rules(self, path):
+        """
+        Check if uploaded yara rule is compiled rule or string
+        param path: absolute path to rules
+        """
+        yara_file_magic = b"YARA"
+        with open(path, "rb") as read_header:
+            if read_header.read(4) == yara_file_magic:
+                return True
+        # FIXME if reading the file returns error?
+        return False
+
+    def scan_callback(self, data):
+        if data["matches"]:
+            print(data)  # TODO use logging instead
+            self.__rule_matched = data
+            return yara.CALLBACK_ABORT
+        return yara.CALLBACK_CONTINUE
+
+    def scan_file(self, file_path):
+        self.rules.match(filepath=file_path, callback=self.scan_callback)
+
+    def scan_process(self, pid):
+        self.rules.match(pid=pid, callback=self.scan_callback)
+
+    def get_scan_result(self):
+        """
+        Allow other classes to get the scan result
+        Clean the result after it was called
+        Remove data to avoid wrong result in cache
+        """
+        result = self.__rule_matched
+        self.__rule_matched = ""
+        return result