similar to: Linux malware attack

On Wednesday, 9 November 2016 22:38:55 CET Matteo Cafasso wrote: > The internal_yara_scan runs the Yara engine with the previously loaded > rules against the given file. > > For each rule matching against the scanned file, a struct containing > the file name and the rule identifier is returned. > > The gathered list of yara_detection structs is serialised into XDR format

Yara is a rule based scanning engine aimed to help malware analysts in finding and classifying interesting samples. https://github.com/VirusTotal/yara This series adds Yara support to Libguestfs allowing to upload sets of rules and scanning files against them. Currently provided APIs: - yara_load: loads a set of rules - yara_destroy: free resources allocated by loaded rules - yara_scan:

v3: - allow to load multiple rule files - added optional namespace parameter to yara_load - move destructor logic in yara module - use generic file upload logic - use generic temporary path function Matteo Cafasso (6): appliance: add yara dependency New API: yara_load New API: yara_destroy New API: internal_yara_scan New API: yara_scan yara_scan: added API tests

v2: - Fix yara dependency in packagelist - Use pkg-config where available - Improve longdesc of yara_load API - Fix libyara initialization and finalization - Import CLEANUP_FCLOSE - Add custom CLEANUP_DESTROY_YARA_COMPILER - Add rules compilation error callback - Other small fixes according to comments Matteo Cafasso (6): appliance: add yara dependency New API: yara_load New API:

Rebase patches on top of 1.35.25. No changes since last series. Matteo Cafasso (7): daemon: expose file upload logic appliance: add yara dependency New API: yara_load New API: yara_destroy New API: internal_yara_scan New API: yara_scan yara_scan: added API tests appliance/packagelist.in | 4 + configure.ac | 1 + daemon/Makefile.am

v9: - fixes according to comments Matteo Cafasso (7): daemon: expose file upload logic appliance: add yara dependency New API: yara_load New API: yara_destroy New API: internal_yara_scan New API: yara_scan yara_scan: added API tests appliance/packagelist.in | 4 + configure.ac | 1 + daemon/Makefile.am | 4 +-

On Tuesday, 22 November 2016 19:41:10 CET noxdafox wrote: > > yara_load supports loading rules already compiled, which could have a > > namespace set -- I guess it should be reported here as well. > The namespace is accessible via the YR_RULE struct: > https://github.com/VirusTotal/yara/blob/master/libyara/include/yara/types.h#L242 > > Yet is nowere to be found in the C

v6: - use new test functions - fix yara_detection struct field names - revert yara_load function to initial version With Pino we were exploring the idea of allowing Users to load multiple rule files with subsequent calls to yara_load API. https://www.redhat.com/archives/libguestfs/2016-November/msg00119.html It turns out impractical due to YARA API limitations. It is possible to load multiple

On Wednesday, 9 November 2016 22:38:53 CET Matteo Cafasso wrote: > The yara_load API allows to load a set of Yara rules contained within a > file on the host. > > Rules can be in binary format, as when compiled with yarac command, or > in source code format. In the latter case, the rules will be first > compiled and then loaded. > > Subsequent calls of the yara_load API

v8: - Ignore returned value in daemon/upload.c - Report serialization errors in lib/yara.c Matteo Cafasso (8): daemon: ignore unused return value in upload function daemon: expose file upload logic appliance: add yara dependency New API: yara_load New API: yara_destroy New API: internal_yara_scan New API: yara_scan yara_scan: added API tests appliance/packagelist.in

Rebase patches on top of 1.37.1. No changes since last series. Matteo Cafasso (7): daemon: expose file upload logic appliance: add yara dependency New API: yara_load New API: yara_destroy New API: internal_yara_scan New API: yara_scan yara_scan: added API tests appliance/packagelist.in | 4 + configure.ac | 1 + daemon/Makefile.am

On Tue, Dec 10, 2019 at 09:19:47AM +0100, Luis wrote: > I am using libguestfs 1.40.2 and yara 3.11.0 but when I execute my program > it thoughts the following error: > > $> ./yara-guestfs > libguestfs: error: yara_load: feature 'libyara' is not available in this > build of libguestfs. Read 'AVAILABILITY' in the guestfs(3) man page for > > If we check

v5: - rebase on top of 1.37.9 - add missing actions_yara.* files Matteo Cafasso (7): daemon: expose file upload logic appliance: add yara dependency New API: yara_load New API: yara_destroy New API: internal_yara_scan New API: yara_scan yara_scan: added API tests appliance/packagelist.in | 4 + configure.ac | 1 + daemon/Makefile.am

v7: - Fixes according to comments - Rebase on top of 1.37.12 Matteo Cafasso (7): daemon: expose file upload logic appliance: add yara dependency New API: yara_load New API: yara_destroy New API: internal_yara_scan New API: yara_scan yara_scan: added API tests appliance/packagelist.in | 4 + configure.ac | 1 + daemon/Makefile.am

2017-02-20 12:26 GMT+02:00 Daniel P. Berrange <berrange@redhat.com>: > On Sun, Feb 19, 2017 at 07:09:51PM +0200, Matteo Cafasso wrote: > > Rebase patches on top of 1.35.25. > > > > No changes since last series. > > Can you explain the motivation behind adding the APis to libguestfs ? > > Since the libguestfs VM is separate from the real VM, it can't >

Sorry Richard. Now I will attach you debug file. El 21/12/2019 a las 16:38, Luis Fueris escribió: > > Hi Richard. > > Few days ago, I installed libyara a libguestfs properly. But when I > load a yara rule and scan it via guestfs_yara_scan, my binary > throughts following error: > > libguestfs: error: deserialise_yara_detection_list: Success > > And function exists

ESET recently published an interesting post-mortem of the so-called "Operation Windigo" malware campaign [1]. OpenSSH backdoors (codename Linux/Ebury), described by ESET last month [2], are a key component of Windigo's attack surface. --mancha [1] http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf [2]

hi there say that i have this table >x<-table(adoc, oarb) >x oarb 0 1 adoc ab 1 0 am 5 1 ba 14 1 cc 271 3 ch 87 2 dz 362 6 fl 7 0 fs 84 2 is there an easy way to get the row names or row

Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- configure.ac | 1 + tests/yara/Makefile.am | 26 ++++++++++++++++ tests/yara/test-yara-scan.sh | 72 ++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 99 insertions(+) create mode 100644 tests/yara/Makefile.am create mode 100755 tests/yara/test-yara-scan.sh diff --git a/configure.ac b/configure.ac

Signed-off-by: Matteo Cafasso <noxdafox@gmail.com> --- configure.ac | 1 + tests/yara/Makefile.am | 26 +++++++++++++++++++ tests/yara/test-yara-scan.sh | 61 ++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 88 insertions(+) create mode 100644 tests/yara/Makefile.am create mode 100755 tests/yara/test-yara-scan.sh diff --git a/configure.ac