Thanks to visit codestin.com
Credit goes to github.com

Skip to content

bad-antics/nullsec-yara

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 
 
 

Repository files navigation

NullSec YARA

Clojure pattern matching engine demonstrating immutable data and functional programming.

Features

  • Immutable Data - Thread-safe by design
  • Lazy Sequences - Memory-efficient file scanning
  • Persistent Collections - Efficient structural sharing
  • REPL Development - Interactive rule testing
  • Pattern Matching - Hex, ASCII, and regex patterns

Built-in Rules

ID Name Severity Description
MAL001 Suspicious PE High PE file indicators
MAL002 Packed Executable Medium UPX packing
MAL003 Shellcode Pattern Critical Common shellcode
STR001 Suspicious URLs Medium C2/malicious URLs
STR002 Crypto Wallet Medium Wallet addresses
CMD001 Suspicious Commands High Malicious commands
CRED001 Hardcoded Creds High Passwords/API keys
NET001 Network Indicators Low Network functions

Build

# With Leiningen
lein uberjar

# Run
java -jar target/uberjar/nullsec-yara-1.0.0-standalone.jar

# REPL
lein repl

Usage

# Scan file
java -jar yara.jar suspicious.exe

# Show matched strings
java -jar yara.jar -s malware.bin

# JSON output
java -jar yara.jar -j sample.dll

# Custom rules
java -jar yara.jar -r custom.yar target.exe

REPL Usage

; Load namespace
(require '[yara.core :as yara])

; Scan file
(yara/scan-data (yara/read-file-bytes "sample.exe") yara/builtin-rules)

; Custom rule
(def my-rule (yara/->Rule "TEST" "Test Rule" "Custom" :high
               [{:id "$test" :type :ascii :value "suspicious"}]
               "all of them"))

Pattern Types

  • :hex - Hexadecimal byte patterns
  • :ascii - ASCII string search
  • :regex - Regular expression patterns

Author

bad-antics | Twitter

License

MIT

About

Clojure YARA-style pattern matching - malware signatures, hex/ascii/regex patterns

Resources

Stars

1 star

Watchers

0 watching

Forks

Packages

 
 
 

Contributors