
I cloned some yara rules from a repo to my /home/student/Downloads/yara-forensics/file directory. There are multiple .yar files shown below. I also have a fake malware file called sample.file located in /home/student/Downloads. I want to loop through each of the .yar files and return only the .yar file(s) that matches sample.file.

student@desktop:~/Downloads/yara-forensics/file$ ls -l
total 96
-rw-rw-r-- 1 student student 1138 Dec  8 21:18 apple.yar
-rw-rw-r-- 1 student student 6494 Dec  8 21:18 audio.yar
-rw-rw-r-- 1 student student  846 Dec  8 21:18 compressed.yar
-rw-rw-r-- 1 student student  903 Dec  8 21:18 crypto.yar
-rw-rw-r-- 1 student student  178 Dec  8 21:18 dex.yar
-rw-rw-r-- 1 student student  563 Dec  8 21:18 executables.yar
-rw-rw-r-- 1 student student  596 Dec  8 21:18 gif.yar
-rw-rw-r-- 1 student student  344 Dec  8 21:18 gps.yar
-rw-rw-r-- 1 student student 1183 Dec  8 21:18 jpeg.yar
-rw-rw-r-- 1 student student  580 Dec  8 21:18 mem_dumps.yar
-rw-rw-r-- 1 student student 1096 Dec  8 21:18 office.yar
-rw-rw-r-- 1 student student  458 Dec  8 21:18 pdf.yar
-rw-rw-r-- 1 student student  780 Dec  8 21:18 png.yar
-rw-rw-r-- 1 student student  315 Dec  8 21:18 skype.yar
-rw-rw-r-- 1 student student  689 Dec  8 21:18 sqlite.yar
-rw-rw-r-- 1 student student  474 Dec  8 21:18 telegram.yar
-rw-rw-r-- 1 student student  332 Dec  8 21:18 vcard.yar
-rw-rw-r-- 1 student student 8878 Dec  8 21:18 vector.yar
-rw-rw-r-- 1 student student 3636 Dec  8 21:18 video.yar
-rw-rw-r-- 1 student student 1036 Dec  8 21:18 vmware.yar
-rw-rw-r-- 1 student student  491 Dec  8 21:18 win_reg.yar

Below is my script.

#!/bin/bash
for file in $(find /home/student/Downloads/yara-forensics/file -name '*.yar'); 
do test $(yara -c ${file} /home/student/Downloads/sample.file) -gt 0 && echo $file; 
done 2>/dev/null

The problem is that it only returns one result shown below. It should at least return 6 results (compressed, executables, crypto, office, vector, and vmware). What's wrong with my script?

student@desktop:/dev$ bash yarbash 
/home/student/Downloads/yara-forensics/file/executables.yar
Nina G
  • `echo file` should be `echo "$file"` – Barmar Dec 08 '21 at 22:36
  • Put `set -x` at the beginning of the script. Then you'll see a transcript of all the statements, which should help determine why it's not working. – Barmar Dec 08 '21 at 22:37
  • BTW, if all the .yar files are in the same directory, you don't need to use `find`. Just use `for file in /home/student/Downloads/yara-forensics/file/*.yar` – Barmar Dec 08 '21 at 22:52
  • @Barmar I fixed `$file`, included `set -x` at the beginning of the script and replaced `for file in $(find /home/student/Downloads/yara-forensics/file -name '*.yar');` with `for file in /home/student/Downloads/yara-forensics/file/*.yar;`. However, now there are no results or anything saying what was wrong when I run the script. – Nina G Dec 08 '21 at 23:13
  • You don't even see the trace of the execution? – Barmar Dec 08 '21 at 23:16
  • You can also use `bash -x yarbash` instead of `set -x` in the script. – Barmar Dec 08 '21 at 23:16
  • Quote your variable: `yara -c "$file"`. Usually, you invoke test with `[` but in this case it sounds like you want to echo when it fails so just do: `yara -c ${file} /home/student/Downloads/sample.file -gt 0 || echo "$file"`. Anyways, to answer your question, yara probably returns success (0) on all but executables.yar – Allan Wind Dec 09 '21 at 02:18

1 Answer


Your command yara is successful for all but executables.yar. If you run it like this you would get more verbose output:

#!/bin/bash

prefix=/home/student/Downloads
for file in $prefix/yara-forensics/file/*.yar
do
   [ -e "$file" ] || break
   echo -n "$file: "
   yara -c "$file" "$prefix/sample.file" &&\
     echo "success" ||\
     echo "failure"
done
Allan Wind
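The following script is an added example; it is neither the question's yarbash nor the answer's script. It puts together the points raised in the thread (glob instead of `find`, quoted `"$file"`, not discarding stderr) and adds the check the original loop lacks: when `yara` exits non-zero (for example because it cannot compile a rule file), `$(yara -c ...)` expands to nothing, `test -gt 0` then fails with "unary operator expected", and `2>/dev/null` hides that error, so the file silently never prints. The decision logic is split into `classify_result` so it can be exercised without yara installed. The directory layout (`RULEDIR` holding the `.yar` files, `SAMPLE` the file to scan) is taken from the question; the function names and the `error`/`unparsable` labels are this example's own.

```shell
#!/bin/bash
# Added example (not the question's or the answer's script). Assumes the
# layout from the question: rule files under RULEDIR, one sample file SAMPLE.

# classify_result COUNT STATUS
# Turns the stdout of `yara -c` (the number of matching rules) and yara's exit
# status into one of: match, nomatch, error, unparsable.
classify_result() {
  count=$1
  status=$2
  if [ "$status" -ne 0 ]; then
    echo error            # yara could not compile the rules or open the file
    return
  fi
  case $count in
    '' | *[!0-9]*) echo unparsable ;;   # empty or non-numeric output
    0)             echo nomatch ;;
    *)             echo match ;;
  esac
}

# scan_rules RULEDIR SAMPLE
# Prints the path of each .yar file that matches SAMPLE on stdout and reports
# rule files yara rejected on stderr instead of hiding them. Returns non-zero
# if any rule file could not be scanned.
scan_rules() {
  ruledir=$1
  sample=$2
  errlog=$(mktemp) || return 1
  rc=0
  for rulefile in "$ruledir"/*.yar; do
    [ -e "$rulefile" ] || { echo "no .yar files in $ruledir" >&2; rc=1; break; }
    # Capture the count and the exit status separately; the && / || form keeps
    # a failing yara from aborting the loop when `set -e` is active.
    count=$(yara -c "$rulefile" "$sample" 2>"$errlog") && status=0 || status=$?
    case $(classify_result "$count" "$status") in
      match)      printf '%s\n' "$rulefile" ;;
      nomatch)    ;;
      error)      printf 'ERROR %s: %s\n' "$rulefile" "$(head -n 1 "$errlog")" >&2
                  rc=1 ;;
      unparsable) printf 'ERROR %s: unexpected yara output "%s"\n' "$rulefile" "$count" >&2
                  rc=1 ;;
    esac
  done
  rm -f "$errlog"
  return $rc
}

# Stand-alone use: ./scan_rules.sh RULEDIR SAMPLE, for the question that is
# ./scan_rules.sh /home/student/Downloads/yara-forensics/file /home/student/Downloads/sample.file
if [ "$#" -eq 2 ]; then
  scan_rules "$1" "$2"
fi
```

Because rejected rule files are reported on stderr rather than swallowed, a run that prints fewer matches than expected now also prints which rule files yara refused, which is the information the original `2>/dev/null` threw away.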