This takes the likely name of the YARA rule you want to run, searches to see whether it can find that rule or set of rules, and runs a YARA scan on the specified path.
Works on Linux, macOS and Windows
/********************************************************************************************\
| We will reference the public GIT Repo for Yara rules at https://github.com/Yara-Rules/rules |
| The GIT repo is actively being updated and we want access to current published rules so |
| we will first get the index of rules and see which of those match our desired rule name |
| With the list of yara files that match what we are looking for we will then pull the |
| signature rule for each of them and execute a YARA search for each rule in the target file |
| path selected by the admin. The current repo has only 480 rules in it. |
\********************************************************************************************/
-- YARA SCANNER FROM ON-LINE YARA RULES GIT REPO
-- VARIABLE $$Search File Path$$ FILE PATH
-- VARIABLE $$Yara rule file name$$ STRING
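WITH RECURSIVE
-- Single source of truth for where rules are fetched from; every URL below is
-- built relative to this prefix, so retargeting or pinning the repo is a one-line change.
-- NOTE(review): 'master' is a moving ref. The text fetched from it is compiled and run by
-- the YARA engine on every host this query executes on, so anyone who can change that
-- branch changes what is scanned and what is reported. For production use, pin to an
-- immutable ref (replace 'master' with a reviewed <COMMIT_SHA>) and bump it deliberately.
Repo(base_url) AS (
    SELECT 'https://raw.githubusercontent.com/Yara-Rules/rules/master/'
),
-- Fetch the repo's rule index (one `include "./dir/file.yar"` line per rule file) and
-- strip the include syntax so that each line is a repo-relative path.
Index_File(index_of_rules) AS (
    SELECT REPLACE(REPLACE(result, 'include ".', ''), '"', '')
    FROM Repo
    JOIN curl ON url = base_url || 'index.yar'
),
-- Walk the index one newline-separated entry at a time: `line` is the current entry,
-- `rest` is the text still to be processed. A trailing CHAR(10) is appended so the last
-- entry is emitted too; recursion ends when nothing is left. Unlike a fixed 1..500
-- counter, this follows the index however many rules upstream adds.
Index_Lines(line, rest) AS (
    SELECT '', index_of_rules || CHAR(10)
    FROM Index_File
    UNION ALL
    SELECT SUBSTR(rest, 1, INSTR(rest, CHAR(10)) - 1),
           SUBSTR(rest, INSTR(rest, CHAR(10)) + 1)
    FROM Index_Lines
    WHERE rest <> ''
),
-- Keep only index entries whose path contains the requested rule name.
-- NOTE: the $$...$$ variable is substituted textually into the LIKE pattern by the
-- calling tool (it is not a bound parameter), so its value must come from the admin,
-- and any '%' or '_' in it widens the match.
Rule_Files(Yara_Rule_URL) AS (
    SELECT line
    FROM Index_Lines
    WHERE line <> ''
      AND line LIKE '%$$Yara rule file name$$%'
),
-- Download each matching rule file. The repo-relative path is prepended as a YARA
-- comment so it travels with the rule text into the yara table's sigrule column and
-- can be recovered for the output (file name and URL) below.
Signature_Rules(Yara_Rule_URL, Yara_Sig_Rule) AS (
    SELECT Yara_Rule_URL,
           CAST('/*' || Yara_Rule_URL || '*/' || result AS TEXT)
    FROM Rule_Files
    CROSS JOIN Repo
    JOIN curl ON url = base_url || Yara_Rule_URL
),
-- Run the scan. The path pattern and the rule text are the yara table's input
-- constraints, so both stay in this WHERE clause. As above, $$Search File Path$$ is
-- substituted textually; a '%' in it is a wildcard for the yara table.
Scan AS (
    SELECT path, matches, count, sigrule
    FROM yara
    WHERE path LIKE '$$Search File Path$$'
      AND sigrule IN (SELECT Yara_Sig_Rule FROM Signature_Rules)
),
-- Base-name helper used below: RTRIM(s, REPLACE(s, sep, '')) strips every trailing
-- character that is not the separator, which leaves the directory prefix (or '' when
-- there is no separator); SUBSTR past that prefix is the base name. Unix paths are
-- handled here, Windows '\' separators in the final SELECT.
Named AS (
    SELECT path,
           matches,
           count,
           SUBSTR(path, LENGTH(RTRIM(path, REPLACE(path, '/', ''))) + 1) AS unix_base,
           -- token 1 of "/*path*/rule text" split on '*' / '\' is the planted path
           SPLIT(sigrule, '*\', 1) AS rule_path
    FROM Scan
)
SELECT
    SUBSTR(unix_base, LENGTH(RTRIM(unix_base, REPLACE(unix_base, '\', ''))) + 1) AS File_Name,
    matches,
    count,
    path,
    SUBSTR(rule_path, LENGTH(RTRIM(rule_path, REPLACE(rule_path, '/', ''))) + 1) AS YARA_File,
    base_url || rule_path AS YARA_Rule_URL
FROM Named
CROSS JOIN Repo
ORDER BY count DESC, matches ASC, YARA_File ASC, File_Name ASC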
