search for: yara_destroy

The yara_destroy API allows to claim resources back via the removal of the previously loaded Yara rules. Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- daemon/yara.c | 14 ++++++++++++++ generator/actions_yara.ml | 8 ++++++++ generator/proc_nr.ml | 1 + lib/MAX_PROC_NR...

...the User is recommended to use the yarac tool. This makes the yara_load API more similar to the yara workflow. - further small fixes according to the v5 comments After further Matteo Cafasso (7): daemon: expose file upload logic appliance: add yara dependency New API: yara_load New API: yara_destroy New API: internal_yara_scan New API: yara_scan yara_scan: added API tests appliance/packagelist.in | 4 + configure.ac | 1 + daemon/Makefile.am | 4 +- daemon/cleanups.c | 9 + daemon/cleanups....

v9: - fixes according to comments Matteo Cafasso (7): daemon: expose file upload logic appliance: add yara dependency New API: yara_load New API: yara_destroy New API: internal_yara_scan New API: yara_scan yara_scan: added API tests appliance/packagelist.in | 4 + configure.ac | 1 + daemon/Makefile.am | 4 +- daemon/cleanups.c | 9 + daemon/cleanups....

...g engine aimed to help malware analysts in finding and classifying interesting samples. https://github.com/VirusTotal/yara This series adds Yara support to Libguestfs allowing to upload sets of rules and scanning files against them. Currently provided APIs: - yara_load: loads a set of rules - yara_destroy: free resources allocated by loaded rules - yara_scan: scans a file with the loaded rules Future APIs: - yara_scan_recursive: scan the entire FS starting from the given point (could it be a flag in yara_scan?) - yara_scan_inode: use TSK to scan files by inodes allowing to scan deleted or hidde...

v5: - rebase on top of 1.37.9 - add missing actions_yara.* files Matteo Cafasso (7): daemon: expose file upload logic appliance: add yara dependency New API: yara_load New API: yara_destroy New API: internal_yara_scan New API: yara_scan yara_scan: added API tests appliance/packagelist.in | 4 + configure.ac | 1 + daemon/Makefile.am | 4 +- daemon/cleanups.c | 9 + daemon/cleanups....

v8: - Ignore returned value in daemon/upload.c - Report serialization errors in lib/yara.c Matteo Cafasso (8): daemon: ignore unused return value in upload function daemon: expose file upload logic appliance: add yara dependency New API: yara_load New API: yara_destroy New API: internal_yara_scan New API: yara_scan yara_scan: added API tests appliance/packagelist.in | 4 + configure.ac | 1 + daemon/Makefile.am | 4 +- daemon/cleanups.c | 9 + daemon/cleanups....

v7: - Fixes according to comments - Rebase on top of 1.37.12 Matteo Cafasso (7): daemon: expose file upload logic appliance: add yara dependency New API: yara_load New API: yara_destroy New API: internal_yara_scan New API: yara_scan yara_scan: added API tests appliance/packagelist.in | 4 + configure.ac | 1 + daemon/Makefile.am | 4 +- daemon/cleanups.c | 9 + daemon/cleanups....

Rebase patches on top of 1.37.1. No changes since last series. Matteo Cafasso (7): daemon: expose file upload logic appliance: add yara dependency New API: yara_load New API: yara_destroy New API: internal_yara_scan New API: yara_scan yara_scan: added API tests appliance/packagelist.in | 4 + configure.ac | 1 + daemon/Makefile.am | 4 +- daemon/cleanups.c | 9 + daemon/cleanups....

v3: - allow to load multiple rule files - added optional namespace parameter to yara_load - move destructor logic in yara module - use generic file upload logic - use generic temporary path function Matteo Cafasso (6): appliance: add yara dependency New API: yara_load New API: yara_destroy New API: internal_yara_scan New API: yara_scan yara_scan: added API tests appliance/packagelist.in | 4 + configure.ac | 1 + daemon/Makefile.am | 4 +- daemon/cleanups.c | 9 + daemon/cleanups....

...t char *, void *); static void cleanup_destroy_yara_compiler (void *ptr); +static int yara_rules_callback (int , void *, void *); +static int send_detection_info (const char *, YR_RULE *); /* Has one FileIn parameter. * Takes optional arguments, consult optargs_bitmask. @@ -125,6 +127,38 @@ do_yara_destroy (void) return 0; } +/* Has one FileOut parameter. */ +int +do_internal_yara_scan (const char *path) +{ + int r = 0; + CLEANUP_CLOSE int fd = -1; + + if (rules == NULL) { + reply_with_error ("no yara rules loaded"); + return -1; + } + + CHROOT_IN; + fd = open (path, O_RDON...

...t char *, void *); static void cleanup_destroy_yara_compiler (void *ptr); +static int yara_rules_callback (int , void *, void *); +static int send_detection_info (const char *, YR_RULE *); /* Has one FileIn parameter. * Takes optional arguments, consult optargs_bitmask. @@ -121,6 +123,38 @@ do_yara_destroy (void) return 0; } +/* Has one FileOut parameter. */ +int +do_internal_yara_scan (const char *path) +{ + int ret = 0; + CLEANUP_CLOSE int fd = -1; + + if (rules == NULL) { + reply_with_error ("no yara rules loaded"); + return -1; + } + + CHROOT_IN; + fd = open (path, O_RD...

...t char *, void *); static void cleanup_destroy_yara_compiler (void *ptr); +static int yara_rules_callback (int , void *, void *); +static int send_detection_info (const char *, YR_RULE *); /* Has one FileIn parameter. * Takes optional arguments, consult optargs_bitmask. @@ -119,6 +121,38 @@ do_yara_destroy (void) return 0; } +/* Has one FileOut parameter. */ +int +do_internal_yara_scan (const char *path) +{ + int ret = 0; + CLEANUP_CLOSE int fd = -1; + + if (rules == NULL) { + reply_with_error ("no yara rules loaded"); + return -1; + } + + CHROOT_IN; + fd = open (path, O_RD...

Rebase patches on top of 1.35.25. No changes since last series. Matteo Cafasso (7): daemon: expose file upload logic appliance: add yara dependency New API: yara_load New API: yara_destroy New API: internal_yara_scan New API: yara_scan yara_scan: added API tests appliance/packagelist.in | 4 + configure.ac | 1 + daemon/Makefile.am | 4 +- daemon/cleanups.c | 9 + daemon/cleanups....

...yara_load API - Fix libyara initialization and finalization - Import CLEANUP_FCLOSE - Add custom CLEANUP_DESTROY_YARA_COMPILER - Add rules compilation error callback - Other small fixes according to comments Matteo Cafasso (6): appliance: add yara dependency New API: yara_load New API: yara_destroy New API: internal_yara_scan New API: yara_scan yara_scan: added API tests appliance/packagelist.in | 4 + configure.ac | 1 + daemon/Makefile.am | 4 +- daemon/cleanups.c | 28 +++ daemon/cleanup...

...s */\n" | RHashtable _ -> assert false | RBufferOut _ -> assert false ); diff --git a/generator/proc_nr.ml b/generator/proc_nr.ml index 1b0feae87..dec02f5fa 100644 --- a/generator/proc_nr.ml +++ b/generator/proc_nr.ml @@ -483,6 +483,7 @@ let proc_nr = [ 473, "yara_destroy"; 474, "internal_yara_scan"; 475, "file_architecture"; +476, "list_filesystems"; ] (* End of list. If adding a new entry, add it at the end of the list diff --git a/lib/MAX_PROC_NR b/lib/MAX_PROC_NR index 7573eff88..b86395733 100644 --- a/lib/MAX_PROC_NR ++...

...same thing. "part_get_gpt_attributes" "part_set_gpt_attributes" Read and write GPT partition attribute flags (Cédric Bosdonnat). "part_resize" Enlarge or shrink an existing partition (Nikos Skalkotos). "yara_destroy" "yara_load" "yara_scan" Support for the Yara malware scanning engine (Matteo Cafasso). Other API changes APIs implemented in the daemon can now be written in either C or OCaml. Several APIs were rewritten in OCaml, although w...

...of the associated +initrd or kernel module(s) instead. + +=back" }; + ] diff --git a/generator/proc_nr.ml b/generator/proc_nr.ml index c7619638a..1b0feae87 100644 --- a/generator/proc_nr.ml +++ b/generator/proc_nr.ml @@ -482,6 +482,7 @@ let proc_nr = [ 472, "yara_load"; 473, "yara_destroy"; 474, "internal_yara_scan"; +475, "file_architecture"; ] (* End of list. If adding a new entry, add it at the end of the list diff --git a/lib/MAX_PROC_NR b/lib/MAX_PROC_NR index 5f3bb9813..7573eff88 100644 --- a/lib/MAX_PROC_NR +++ b/lib/MAX_PROC_NR @@ -1 +1 @@ -474...

v2 was here: https://www.redhat.com/archives/libguestfs/2017-June/msg00008.html This series gets as far as a working (and faster) reimplementation of ‘guestfs_list_filesystems’. I also have another patch series on top of this one which reimplements the inspection APIs inside the daemon, but that needs a bit more work still, since inspection turns out to be a very large piece of code. Rich.

I think this fixes everything mentioned: - Added the Optgroups module as suggested. - Remove command temporary files. - Replace command ~flags with ?fold_stdout_on_stderr. - Nest _with_mounted function. - Rebase & retest. Rich.

v1 was posted here: https://www.redhat.com/archives/libguestfs/2017-July/msg00098.html This series now depends on two small patches which I posted separately: https://www.redhat.com/archives/libguestfs/2017-July/msg00207.html https://www.redhat.com/archives/libguestfs/2017-July/msg00209.html v1 -> v2: - Previously changes to generator/daemon.ml were made incrementally through the patch