How to use yaraQA to improve the quality and performance of YARA rules

About yaraQA

yaraQA is a YARA rule analysis tool that helps researchers improve the quality and performance of their YARA rules.

Many YARA rules are syntactically correct but still functionally flawed. yaraQA tries to find these problems and report them to the developers or maintainers of the YARA rule set.

yaraQA features

yaraQA tries to detect the following problems:

1. Rules that are syntactically correct but never match because of a mistake in the condition;

2. Rules that use a possibly wrong combination of string and modifier (e.g. $ = "\\Debug\\" fullword);

3. Performance problems caused by short atoms, repeated characters or loops (e.g. $ = "AA"; these can be excluded from the analysis with --ignore-performance);

Installation

The tool is written in Python 3, so a Python 3 environment must first be installed and configured on the local machine. Then clone the project source with the following command:

git clone https://github.com/Neo23x0/yaraQA.git

然后切換到項(xiàng)目目錄中,使用pip工具和項(xiàng)目提供的requirements.txt文件安裝該工具所需的其他依賴組件:

cd yaraQA/

pip install -r requirements.txt

Usage

usage: yaraQA.py [-h] [-f yara files [yara files ...]] [-d yara files [yara files ...]] [-o outfile] [-b baseline] [-l level]
                 [--ignore-performance] [--debug]

YARA RULE ANALYZER

optional arguments:
  -h, --help            Show this help message and exit
  -f yara files [yara files ...]
                        Path to input files (one or more YARA rules, separated by spaces)
  -d yara files [yara files ...]
                        Path to input directories (YARA rule folders, separated by spaces)
  -o outfile            Output file for the analysis results (JSON, default: 'yaraQA-issues.json')
  -b baseline           Use an issues baseline to filter the issues in the results
  -l level              Minimum level to show (1=informational, 2=warning, 3=critical)
  --ignore-performance  Suppress performance-related rule issues
  --debug               Debug output

Usage examples

python3 yaraQA.py -d ./test/

Suppress all performance-related issues and show only logic issues:

python3 yaraQA.py -d ./test/ --ignore-performance

Suppress all informational issues (the level flag is -l, as in the usage text above):

python3 yaraQA.py -d ./test/ -l 2

Use a baseline so that only new issues are shown; the baseline file must be a .json file:

python3 yaraQA.py -d ./test/ -b yaraQA-reviewed-issues.json

Output

yaraQA writes the detected issues to a file named yaraQA-issues.json.

Below is an example of the JSON output generated by yaraQA:

[
    {
        "rule": "Demo_Rule_1_Fullword_PDB",
        "id": "SM1",
        "issue": "The rule uses a PDB string with the modifier 'wide'. PDB strings are always included as ASCII strings. The 'wide' keyword is unneeded.",
        "element": {
            "name": "$s1",
            "value": "\\\\i386\\\\mimidrv.pdb",
            "type": "text",
            "modifiers": [
                "ascii",
                "wide",
                "fullword"
            ]
        },
        "level": "info",
        "type": "logic",
        "recommendation": "Remove the 'wide' modifier"
    },
    {
        "rule": "Demo_Rule_1_Fullword_PDB",
        "id": "SM2",
        "issue": "The rule uses a PDB string with the modifier 'fullword' but it starts with two backslashes and thus the modifier could lead to a dysfunctional rule.",
        "element": {
            "name": "$s1",
            "value": "\\\\i386\\\\mimidrv.pdb",
            "type": "text",
            "modifiers": [
                "ascii",
                "wide",
                "fullword"
            ]
        },
        "level": "warning",
        "type": "logic",
        "recommendation": "Remove the 'fullword' modifier"
    },
    {
        "rule": "Demo_Rule_2_Short_Atom",
        "id": "PA2",
        "issue": "The rule contains a string that turns out to be a very short atom, which could cause a reduced performance of the complete rule set or increased memory usage.",
        "element": {
            "name": "$s1",
            "value": "{ 01 02 03 }",
            "type": "byte"
        },
        "level": "warning",
        "type": "performance",
        "recommendation": "Try to avoid using such short atoms, by e.g. adding a few more bytes to the beginning or the end (e.g. add a binary 0 in front or a space after the string). Every additional byte helps."
    },
    {
        "rule": "Demo_Rule_3_Fullword_FilePath_Section",
        "id": "SM3",
        "issue": "The rule uses a string with the modifier 'fullword' but it starts and ends with two backslashes and thus the modifier could lead to a dysfunctional rule.",
        "element": {
            "name": "$s1",
            "value": "\\\\ZombieBoy\\\\",
            "type": "text",
            "modifiers": [
                "ascii",
                "fullword"
            ]
        },
        "level": "warning",
        "type": "logic",
        "recommendation": "Remove the 'fullword' modifier"
    },
    {
        "rule": "Demo_Rule_4_Condition_Never_Matches",
        "id": "CE1",
        "issue": "The rule uses a condition that will never match",
        "element": {
            "condition_segment": "2 of",
            "num_of_strings": 1
        },
        "level": "error",
        "type": "logic",
        "recommendation": "Fix the condition"
    },
    {
        "rule": "Demo_Rule_5_Condition_Short_String_At_Pos",
        "id": "PA1",
        "issue": "This rule looks for a short string at a particular position. A short string represents a short atom and could be rewritten to an expression using uint(x) at position.",
        "element": {
            "condition_segment": "$mz at 0",
            "string": "$mz",
            "value": "MZ"
        },
        "level": "warning",
        "type": "performance",
        "recommendation": ""
    },
    {
        "rule": "Demo_Rule_5_Condition_Short_String_At_Pos",
        "id": "PA2",
        "issue": "The rule contains a string that turns out to be a very short atom, which could cause a reduced performance of the complete rule set or increased memory usage.",
        "element": {
            "name": "$mz",
            "value": "MZ",
            "type": "text",
            "modifiers": [
                "ascii"
            ]
        },
        "level": "warning",
        "type": "performance",
        "recommendation": "Try to avoid using such short atoms, by e.g. adding a few more bytes to the beginning or the end (e.g. add a binary 0 in front or a space after the string). Every additional byte helps."
    },
    {
        "rule": "Demo_Rule_6_Condition_Short_Byte_At_Pos",
        "id": "PA1",
        "issue": "This rule looks for a short string at a particular position. A short string represents a short atom and could be rewritten to an expression using uint(x) at position.",
        "element": {
            "condition_segment": "$mz at 0",
            "string": "$mz",
            "value": "{ 4d 5a }"
        },
        "level": "warning",
        "type": "performance",
        "recommendation": ""
    },
    {
        "rule": "Demo_Rule_6_Condition_Short_Byte_At_Pos",
        "id": "PA2",
        "issue": "The rule contains a string that turns out to be a very short atom, which could cause a reduced performance of the complete rule set or increased memory usage.",
        "element": {
            "name": "$mz",
            "value": "{ 4d 5a }",
            "type": "byte"
        },
        "level": "warning",
        "type": "performance",
        "recommendation": "Try to avoid using such short atoms, by e.g. adding a few more bytes to the beginning or the end (e.g. add a binary 0 in front or a space after the string). Every additional byte helps."
    },
    {
        "rule": "Demo_Rule_6_Condition_Short_Byte_At_Pos",
        "id": "SM3",
        "issue": "The rule uses a string with the modifier 'fullword' but it starts and ends with two backslashes and thus the modifier could lead to a dysfunctional rule.",
        "element": {
            "name": "$s1",
            "value": "\\\\Section\\\\in\\\\Path\\\\",
            "type": "text",
            "modifiers": [
                "ascii",
                "fullword"
            ]
        },
        "level": "warning",
        "type": "logic",
        "recommendation": "Remove the 'fullword' modifier"
    }
]
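As an added illustration (not yaraQA's own code), the following Python checker reproduces the three problem classes listed under "yaraQA features" on constructed sample rules modelled on the demo rules in the JSON above: the fullword/wide string-modifier checks (SM), the never-matching "N of" condition (CE) and the short-atom checks (PA), including the uint(x)-at-position rewrite. The function name, the regex-based parsing and the 4-byte atom threshold are assumptions, not yaraQA's implementation.

```python
import re
# Constructed sample rules modelled on the demo rules in the yaraQA output above.
SAMPLE_RULES = r'''
rule Demo_Fullword_PDB {
    strings: $s1 = "\\i386\\mimidrv.pdb" ascii wide fullword
    condition: $s1
}
rule Demo_Never_Matches {
    strings: $a = "some long unique string"
    condition: 2 of them
}
rule Demo_Short_Atom {
    strings: $mz = "MZ"
    condition: $mz at 0
}
'''
# Minimal regex parsing (an assumption for this example): text strings only, no hex strings or regexes.
RULE_RE = re.compile(r'rule\s+(\w+)\s*\{(.*?)\}', re.S)
STRING_RE = re.compile(r'(\$\w*)\s*=\s*"((?:[^"\\]|\\.)*)"[ \t]*([a-z ]*)')
N_OF_RE = re.compile(r'\b(\d+)\s+of\b')
AT_POS_RE = re.compile(r'(\$\w+)\s+at\s+(\d+)')

def check_rules(text):
    issues = []  # yaraQA-style records: rule, id, element, recommendation
    for name, body in RULE_RE.findall(text):
        cond = body.split('condition:', 1)[1].strip()
        strings = {}
        for var, value, mods in STRING_RE.findall(body):
            mods = mods.split()
            strings[var] = value
            # SM: 'fullword' needs non-alphanumeric bytes around the match; a value starting or
            # ending with '\\' usually sits between path components ("...\src\i386\..."), so it never matches.
            if 'fullword' in mods and (value.startswith('\\\\') or value.endswith('\\\\')):
                issues.append(dict(rule=name, id='SM', element=var, recommendation="Remove 'fullword'"))
            # SM: PDB paths are embedded as ASCII, so 'wide' only adds search cost.
            if value.lower().endswith('.pdb') and 'wide' in mods:
                issues.append(dict(rule=name, id='SM', element=var, recommendation="Remove 'wide'"))
            # PA: collapse escape pairs, then flag atoms shorter than 4 bytes (assumed threshold).
            if len(re.sub(r'\\.', 'x', value)) < 4:
                issues.append(dict(rule=name, id='PA', element=var, recommendation='Lengthen the atom'))
        # CE: "N of" can never be satisfied when the rule defines fewer than N strings.
        for n in N_OF_RE.findall(cond):
            if int(n) > len(strings):
                issues.append(dict(rule=name, id='CE', element=cond, recommendation='Fix the condition'))
        # PA: a 1/2/4-byte string anchored at an offset is cheaper as a little-endian integer compare.
        for var, pos in AT_POS_RE.findall(cond):
            raw = strings.get(var, '').encode()
            if len(raw) in (1, 2, 4):
                hint = 'uint%d(%s) == 0x%s' % (8 * len(raw), pos, raw[::-1].hex())
                issues.append(dict(rule=name, id='PA', element=cond, recommendation='Use ' + hint))
    return issues
```

Running check_rules(SAMPLE_RULES) yields five findings: two SM issues for the PDB string, one CE issue for "2 of them" with a single defined string, and two PA issues for the "MZ" atom, the second suggesting uint16(0) == 0x5a4d.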

Sample rules with issues

The project ships sample rules that contain issues; they can be found in the ./test directory.

Screenshots

License

This project is developed and released under the GPL-3.0 open source license.

Article title: How to use yaraQA to improve the quality and performance of YARA rules
Source: http://www.5511xx.com/article/cohiijc.html