Storm Package: synapse-yara

The following Commands are available from this package. This documentation is generated for version 4.12.0 of the package.

Storm Commands

This package implements the following Storm Commands.

yara.info

Display information about the Synapse Yara service.

Usage: yara.info [options]

Options:

  --help                      : Display the command usage.

yara.match

Run the input file:bytes nodes through the Yara rules and create/update it:app:yara:match nodes.
Nodes will be created in the view that this command is run in.

This command takes file:bytes nodes as input and matches against all the valid it:app:yara:rule nodes by default:

    file:bytes#with.my.tag | yara.match

The --rules option can be used to specify a query that will generate the it:app:yara:rule nodes to match against:

    file:bytes#with.my.tag | yara.match --rules ${ it:app:yara:rule#my.tag +:version="1.0.0" }

When the --yield option is specified the command will output any created it:app:yara:match nodes.

In order to run background matching, the query performing the match should be wrapped in the Storm background
command:

    background ${ file:bytes#with.my.tag | yara.match }

Job status and progress may be displayed using the swarm.job.list command.

If changes are made to the :text of an it:app:yara:rule node, the :version property should be incremented.
When the Yara Grid service creates it:app:yara:match nodes, the current version of the rule is transferred to the match node.
Once a rule is updated, all of the files it previously matched should be evaluated again so that the :version property
on their it:app:yara:match nodes is updated to the new rule version.
After a successful run, any match nodes still carrying the old version are no longer matches and should likely be removed.
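
The update workflow described above, as an added Storm example that is not part of the synapse-yara package documentation. It assumes a rule named "my_rule" (a constructed name) being bumped from version 1.0.0 to 1.0.1, and that it:app:yara:match nodes link the rule and the file through their :rule and :file properties; the #yara.invalid tag is likewise an assumption used only to flag rules that fail to compile.

```storm
// Added example (not from the synapse-yara package): the rule update workflow,
// run as three separate Storm queries. Assumes a rule with :name="my_rule"
// (constructed) being bumped from 1.0.0 to 1.0.1.

// Query 1: replace the rule text, bump :version, then confirm the new text
// compiles. yara.validate --yield only emits rules that fail, so anything that
// reaches the tag edit is broken and gets flagged for review.
$newver = "1.0.1"
it:app:yara:rule:name="my_rule"
[ :text='rule my_rule { strings: $s = "example" condition: $s }' :version=$newver ]
| yara.validate --yield
| [ +#yara.invalid ]

// Query 2: re-evaluate only the files that previously matched this rule,
// restricting matching to this one rule. New match nodes carry :version=1.0.1.
it:app:yara:rule:name="my_rule" -> it:app:yara:match -> file:bytes
| yara.match --rules ${ it:app:yara:rule:name="my_rule" }

// Query 3: after the run completes, match nodes for this rule that still lack
// the new version no longer match the current rule text; remove them.
$newver = "1.0.1"
it:app:yara:rule:name="my_rule" -> it:app:yara:match -:version=$newver
| delnode
```

For large match sets, wrap Query 2 in background ${ ... } as shown earlier and wait for swarm.job.list to report the job complete before running Query 3; deleting stale matches while the re-match is still in progress would remove nodes that have simply not been revisited yet.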


Usage: yara.match [options]

Options:

  --help                      : Display the command usage.
  --rules <rules>             : Use a query to generate it:app:yara:rule nodes to match against
  --debug                     : Display the debug output while running
  --yield                     : Yield the it:app:yara:match nodes.

yara.validate

Compile rules from inbound nodes and display any errors.

Rules are validated by lifting the desired it:app:yara:rule nodes and piping as input to the command.

For example, to validate the entire set of loaded Yara rules:

    it:app:yara:rule | yara.validate

For rules that are syntactically invalid, the Yara syntax error output will be printed with the it:app:yara:rule guid:

    WARNING: it:app:yara:rule=0f4473418816af0710bbdbcb02fb6a47: line 1: syntax error, unexpected identifier, expecting '{'
    WARNING: it:app:yara:rule=1505770b821a3a8096d4d8c054d55170: line 1: syntax error, unexpected string identifier
    WARNING: it:app:yara:rule=160abe943f2c1ad3d6daa474e75785c6: line 4: syntax error, unexpected end of file

The --yield option can be used to yield it:app:yara:rule nodes that fail validation:

    it:app:yara:rule | yara.validate --yield


Usage: yara.validate [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Display the debug output while running
  --yield                     : Yield the Yara rules that fail validation

Storm Modules

This package does not export any Storm APIs.