github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-13 13:26:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

First commit to Yara experimental branch

Browse Source
This commit is contained in:
Victor Hora 2019-03-10 21:21:47 -04:00
parent 6d5198b1a6
commit ce14299729
No known key found for this signature in database
GPG Key ID: E4BCD2EA82E67A45
16 changed files with 419 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

147
build/yara.m4 Normal file
View File

@ -0,0 +1,147 @@
dnl Check for YARA Libraries
dnl CHECK_YARA(ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND])
AC_DEFUN([CHECK_YARA],
[dnl
# Possible names for the yara library/package (pkg-config)
YARA_POSSIBLE_LIB_NAMES="yara"
# Possible extensions for the library
YARA_POSSIBLE_EXTENSIONS="so so0 la sl dll dylib so.0.0.0"
# Possible paths (if pkg-config was not found, proceed with the file lookup)
YARA_POSSIBLE_PATHS="/usr/lib /usr/local/lib /usr/local/yara /usr/local/libyara /usr/local /opt /usr /usr/lib64 /opt/local"
# Variables to be set by this very own script.
YARA_CFLAGS=""
YARA_LDFLAGS=""
YARA_LDADD=""
YARA_DISPLAY=""
AC_ARG_WITH(
yara,
AC_HELP_STRING(
[--with-yara=PATH],
[Path to yara prefix]
)
)
if test "x${with_yara}" == "xno"; then
AC_DEFINE(HAVE_YARA, 0, [Support for YARA was disabled by the utilization of --without-yara or --with-yara=no])
AC_MSG_NOTICE([Support for YARA was disabled by the utilization of --without-yara or --with-yara=no])
YARA_DISABLED=yes
else
if test "x${with_yara}" == "xyes"; then
YARA_MANDATORY=yes
AC_MSG_NOTICE([YARA support was marked as mandatory by the utilization of --with-yara=yes])
else
YARA_MANDATORY=no
fi
for x in ${YARA_POSSIBLE_PATHS}; do
CHECK_FOR_YARA_AT(${x})
if test -n "${YARA_CFLAGS}"; then
break
fi
done
fi
if test -z "${YARA_CFLAGS}"; then
if test -z "${YARA_MANDATORY}" || test "x${YARA_MANDATORY}" == "xno"; then
if test -z "${YARA_DISABLED}"; then
AC_MSG_NOTICE([YARA library was not found])
YARA_FOUND=0
else
YARA_FOUND=2
fi
else
AC_MSG_ERROR([YARA was explicitly referenced but it was not found])
YARA_FOUND=-1
fi
else
YARA_FOUND=1
AC_MSG_NOTICE([using YARA v${YARA_VERSION}])
YARA_CFLAGS="-DWITH_YARA ${YARA_CFLAGS}"
YARA_DISPLAY="${YARA_LDADD} ${YARA_LDFLAGS}, ${YARA_CFLAGS}"
AC_SUBST(YARA_LDFLAGS)
AC_SUBST(YARA_LDADD)
AC_SUBST(YARA_CFLAGS)
AC_SUBST(YARA_DISPLAY)
fi
AC_SUBST(YARA_FOUND)
]) # AC_DEFUN [CHECK_YARA]
AC_DEFUN([CHECK_FOR_YARA_AT], [
path=$1
echo "*** LOOKING AT PATH: " ${path}
for y in ${YARA_POSSIBLE_EXTENSIONS}; do
for z in ${YARA_POSSIBLE_LIB_NAMES}; do
if test -e "${path}/${z}.${y}"; then
yara_lib_path="${path}/"
yara_lib_name="${z}"
yara_lib_file="${yara_lib_path}/${z}.${y}"
break
fi
if test -e "${path}/lib${z}.${y}"; then
yara_lib_path="${path}/"
yara_lib_name="${z}"
yara_lib_file="${yara_lib_path}/lib${z}.${y}"
break
fi
if test -e "${path}/lib/lib${z}.${y}"; then
yara_lib_path="${path}/lib/"
yara_lib_name="${z}"
yara_lib_file="${yara_lib_path}/lib${z}.${y}"
break
fi
if test -e "${path}/lib/x86_64-linux-gnu/lib${z}.${y}"; then
yara_lib_path="${path}/lib/x86_64-linux-gnu/"
yara_lib_name="${z}"
yara_lib_file="${yara_lib_path}/lib${z}.${y}"
break
fi
if test -e "${path}/lib/i386-linux-gnu/lib${z}.${y}"; then
yara_lib_path="${path}/lib/i386-linux-gnu/"
yara_lib_name="${z}"
yara_lib_file="${yara_lib_path}/lib${z}.${y}"
break
fi
done
if test -n "$yara_lib_path"; then
break
fi
done
if test -e "${path}/include/yara.h"; then
yara_inc_path="${path}/include"
elif test -e "${path}/yara.h"; then
yara_inc_path="${path}"
elif test -e "${path}/include/yara/yara.h"; then
yara_inc_path="${path}/include"
fi
if test -n "${yara_lib_path}"; then
AC_MSG_NOTICE([YARA library found at: ${yara_lib_file}])
fi
if test -n "${yara_inc_path}"; then
AC_MSG_NOTICE([YARA headers found at: ${yara_inc_path}])
fi
if test -n "${yara_lib_path}" -a -n "${yara_inc_path}"; then
# TODO: Compile a piece of code to check the version.
YARA_CFLAGS="-I${yara_inc_path}"
YARA_LDADD="-l${yara_lib_name}"
YARA_LDFLAGS="-L${yara_lib_path}"
YARA_DISPLAY="${yara_lib_file}, ${yara_inc_path}"
fi
]) # AC_DEFUN [CHECK_FOR_YARA_AT]

19
configure.ac
View File

@ -105,6 +105,9 @@ AM_CONDITIONAL([SSDEEP_CFLAGS], [test "SSDEEP_CFLAGS" != ""])
CHECK_LUA
AM_CONDITIONAL([LUA_CFLAGS], [test "LUA_CFLAGS" != ""])
# Check for YARA
CHECK_YARA
AM_CONDITIONAL([YARA_CFLAGS], [test "YARA_CFLAGS" != ""])
#
# Check for curl
@ -548,6 +551,22 @@ if test "x$LUA_FOUND" = "x2"; then
echo " + LUA ....disabled"
fi
## YARA
if test "x$YARA_FOUND" = "x0"; then
echo " + YARA ....not found"
fi
if test "x$YARA_FOUND" = "x1"; then
echo -n " + YARA ....found "
if ! test "x$YARA_VERSION" = "x"; then
echo "v${YARA_VERSION}"
else
echo ""
fi
echo " ${YARA_DISPLAY}"
fi
if test "x$YARA_FOUND" = "x2"; then
echo " + YARA ....disabled"
fi
echo " "
echo " Other Options"

3
examples/multiprocess_c/Makefile.am
View File

@ -21,7 +21,8 @@ multi_LDFLAGS = \
$(LUA_LDFLAGS) \
$(SSDEEP_LDFLAGS) \
$(MAXMIND_LDFLAGS) \
$(YAJL_LDFLAGS)
$(YAJL_LDFLAGS) \
$(YARA_LDFLAGS)
multi_CFLAGS = \
-I$(top_builddir)/headers \

6
examples/reading_logs_with_offset/Makefile.am
View File

@ -16,7 +16,8 @@ read_LDADD = \
$(LUA_LDADD) \
$(PCRE_LDADD) \
$(SSDEEP_LDADD) \
$(YAJL_LDADD)
$(YAJL_LDADD) \
$(YARA_LDADD)
read_LDFLAGS = \
$(GEOIP_LDFLAGS) \
@ -24,7 +25,8 @@ read_LDFLAGS = \
$(LUA_LDFLAGS) \
$(SSDEEP_LDFLAGS) \
$(MAXMIND_LDFLAGS) \
$(YAJL_LDFLAGS)
$(YAJL_LDFLAGS) \
$(YARA_LDFLAGS)
read_CPPFLAGS = \
$(GLOBAL_CFLAGS) \

6
examples/simple_example_using_c/Makefile.am
View File

@ -8,7 +8,8 @@ test_SOURCES = \
test_LDADD = \
$(GLOBAL_LDADD) \
$(LUA_LDADD) \
$(SSDEEP_LDADD)
$(SSDEEP_LDADD) \
$(YARA_LDADD)
test_LDFLAGS = \
-L$(top_builddir)/src/.libs/ \
@ -18,7 +19,8 @@ test_LDFLAGS = \
-lstdc++ \
$(LUA_LDFLAGS) \
$(SSDEEP_LDFLAGS) \
$(YAJL_LDFLAGS)
$(YAJL_LDFLAGS) \
$(YARA_LDFLAGS)
test_CFLAGS = \
-I$(top_builddir)/headers \

6
examples/using_bodies_in_chunks/Makefile.am
View File

@ -16,7 +16,8 @@ simple_request_LDADD = \
$(LUA_LDADD) \
$(PCRE_LDADD) \
$(SSDEEP_LDADD) \
$(YAJL_LDADD)
$(YAJL_LDADD) \
$(YARA_LDADD)
simple_request_LDFLAGS = \
$(GEOIP_LDFLAGS) \
@ -25,7 +26,8 @@ simple_request_LDFLAGS = \
-lpthread \
$(LUA_LDFLAGS) \
$(SSDEEP_LDFLAGS) \
$(YAJL_LDFLAGS)
$(YAJL_LDFLAGS) \
$(YARA_LDFLAGS)
simple_request_CPPFLAGS = \
$(GLOBAL_CFLAGS) \

10
src/Makefile.am
View File

@ -226,7 +226,8 @@ OPERATORS = \
operators/verify_cpf.cc \
operators/verify_ssn.cc \
operators/within.cc \
operators/unconditional_match.cc
operators/unconditional_match.cc \
operators/yara.cc
UTILS = \
@ -311,7 +312,8 @@ libmodsecurity_la_CPPFLAGS = \
$(SSDEEP_CFLAGS) \
$(MAXMIND_CFLAGS) \
$(LUA_CFLAGS) \
$(LIBXML2_CFLAGS)
$(LIBXML2_CFLAGS) \
$(YARA_CFLAGS)
libmodsecurity_la_LDFLAGS = \
@ -326,6 +328,7 @@ libmodsecurity_la_LDFLAGS = \
$(SSDEEP_LDFLAGS) \
$(MAXMIND_LDFLAGS) \
$(YAJL_LDFLAGS) \
$(YARA_LDFLAGS) \
-version-info @MSC_VERSION_INFO@
@ -341,5 +344,6 @@ libmodsecurity_la_LIBADD = \
$(PCRE_LDADD) \
$(MAXMIND_LDADD) \
$(SSDEEP_LDADD) \
$(YAJL_LDADD)
$(YAJL_LDADD) \
$(YARA_LDADD)

2
src/operators/operator.cc
View File

@ -60,6 +60,7 @@
#include "src/operators/verify_ssn.h"
#include "src/operators/within.h"
#include "src/operators/unconditional_match.h"
#include "src/operators/yara.h"
#define IF_MATCH(a) \
if (op_ == #a)
@ -190,6 +191,7 @@ Operator *Operator::instantiate(std::string op, std::string param_str) {
IF_MATCH(unconditionalmatch) {
return new UnconditionalMatch();
}
IF_MATCH(yara) { return new Yara(std::move(param)); }
std::invalid_argument("Operator not found.");
}

135
src/operators/yara.cc Normal file
View File

@ -0,0 +1,135 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2018 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* If any of the files related to licensing are missing or if you have any
* other questions related to licensing please contact Trustwave Holdings, Inc.
* directly using the email address security@modsecurity.org.
*
*/
#include "src/operators/yara.h"
#include <string>
#include "src/operators/operator.h"
#include "src/utils/system.h"
namespace modsecurity {
namespace operators {
bool Yara::init(const std::string &param2, std::string *error) {
#ifdef WITH_YARA
std::string digit;
std::string file;
std::istream *iss;
struct yara_chunk *chunk, *t;
std::string err;
auto pos = m_param.find_last_of(' ');
if (pos == std::string::npos) {
error->assign("Please use @yara with filename and value");
return false;
}
digit.append(std::string(m_param, pos+1));
file.append(std::string(m_param, 0, pos));
try {
m_threshold = std::stoi(digit);
} catch (...) {
error->assign("Expecting a digit, got: " + digit);
return false;
}
std::string resource = utils::find_resource(file, param2, &err);
iss = new std::ifstream(resource, std::ios::in);
if (((std::ifstream *)iss)->is_open() == false) {
error->assign("Failed to open file: " + m_param + ". " + err);
delete iss;
return false;
}
// YARA
int result = yr_initialize();
if (result != ERROR_SUCCESS) {
error->assign("yr_initialize() FAILED!");
return false;
}
for (std::string line; std::getline(*iss, line); ) {
chunk = (struct yara_chunk *)calloc(1,
sizeof(struct yara_chunk));
chunk->data = strdup(line.c_str());
chunk->next = NULL;
if (m_head == NULL) {
m_head = chunk;
} else {
t = m_head;
while (t->next) {
t = t->next;
}
t->next = chunk;
}
}
delete iss;
return true;
#else
error->assign("@yara: YARA support was not enabled " \
"during the compilation.");
return false;
#endif
}
Yara::~Yara() {
struct yara_chunk *c = m_head;
while (c) {
struct yara_chunk *t = c;
free(c->data);
c->data = NULL;
c = c->next;
free(t);
}
m_head = NULL;
}
bool Yara::evaluate(Transaction *t, const std::string &str) {
#ifdef WITH_YARA
struct yara_chunk *chunk = m_head;
/*
while (chunk != NULL) {
int i = 0;
if (i >= m_threshold) {
return true;
}
chunk = chunk->next;
}
YARA
yr_finalize();
return true;
*/
/**
* @todo Finalize Implementing the operator Yara.
* Reference: https://yara.readthedocs.io/en/v3.9.0/capi.html
*/
return true;
#endif
/* No match. */
return true;
}
} // namespace operators
} // namespace modsecurity

59
src/operators/yara.h Normal file
View File

@ -0,0 +1,59 @@
/*
* ModSecurity, http://www.modsecurity.org/
* Copyright (c) 2018 Trustwave Holdings, Inc. (http://www.trustwave.com/)
*
* You may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* If any of the files related to licensing are missing or if you have any
* other questions related to licensing please contact Trustwave Holdings, Inc.
* directly using the email address security@modsecurity.org.
*
*/
#ifndef SRC_OPERATORS_YARA_H_
#define SRC_OPERATORS_YARA_H_
#include <string>
#include <memory>
#include <utility>
#ifdef WITH_YARA
#include <yara.h>
#endif
#include "src/operators/operator.h"
namespace modsecurity {
namespace operators {
struct yara_chunk {
char *data;
struct yara_chunk *next;
};
class Yara : public Operator {
public:
/** @ingroup ModSecurity_Operator */
explicit Yara(std::unique_ptr<RunTimeString> param)
: Operator("Yara", std::move(param)),
m_head(NULL),
m_threshold(0) { }
~Yara();
bool evaluate(Transaction *transaction, const std::string &std) override;
bool init(const std::string &param, std::string *error) override;
private:
int m_threshold;
struct yara_chunk *m_head;
};
} // namespace operators
} // namespace modsecurity
#endif // SRC_OPERATORS_YARA_H_

6
src/parser/seclang-parser.yy
View File

@ -144,6 +144,7 @@ class Driver;
#include "src/operators/verify_cpf.h"
#include "src/operators/verify_ssn.h"
#include "src/operators/within.h"
#include "src/operators/yara.h"
#include "modsecurity/audit_log.h"
@ -506,6 +507,7 @@ using modsecurity::operators::Operator;
OPERATOR_VERIFY_CPF "OPERATOR_VERIFY_CPF"
OPERATOR_VERIFY_SSN "OPERATOR_VERIFY_SSN"
OPERATOR_WITHIN "OPERATOR_WITHIN"
OPERATOR_YARA "OPERATOR_YARA"
CONFIG_DIR_AUDIT_LOG_FMT
JSON
@ -1092,6 +1094,10 @@ op_before_init:
YYERROR;
#endif // WITH_GEOIP
}
| OPERATOR_YARA run_time_string
{
OPERATOR_CONTAINER($$, new operators::Yara(std::move($2)));
}
;
expression:

2
src/parser/seclang-scanner.ll
View File

@ -315,6 +315,7 @@ OPERATOR_VERIFY_CC (?i:@verifyCC)
OPERATOR_VERIFY_CPF (?i:@verifyCPF)
OPERATOR_VERIFY_SSN (?i:@verifySSN)
OPERATOR_WITHIN (?i:@within)
OPERATOR_YARA (?i:@yara)
AUDIT_PARTS [ABCDEFGHJKIZ]+
@ -1112,6 +1113,7 @@ EQUALS_MINUS (?i:=\-)
{OPERATOR_VERIFY_SSN} { BEGIN_PARAMETER(); return p::make_OPERATOR_VERIFY_SSN(*driver.loc.back()); }
{OPERATOR_GSB_LOOKUP} { BEGIN_PARAMETER(); return p::make_OPERATOR_GSB_LOOKUP(*driver.loc.back()); }
{OPERATOR_RSUB} { BEGIN_PARAMETER(); return p::make_OPERATOR_RSUB(*driver.loc.back()); }
{OPERATOR_YARA} { BEGIN_PARAMETER(); return p::make_OPERATOR_YARA(*driver.loc.back()); }
{NOT} { return p::make_NOT(*driver.loc.back()); }
. { BEGIN_NO_OP_INFORMED(); yyless(0); }

27
test/Makefile.am
View File

@ -52,7 +52,8 @@ unit_tests_LDADD = \
$(LUA_LDADD) \
$(PCRE_LDADD) \
$(SSDEEP_LDADD) \
$(YAJL_LDADD)
$(YAJL_LDADD) \
$(YARA_LDADD)
unit_tests_LDFLAGS = \
@ -61,7 +62,8 @@ unit_tests_LDFLAGS = \
$(LMDB_LDFLAGS) \
$(LUA_LDFLAGS) \
$(SSDEEP_LDFLAGS) \
$(YAJL_LDFLAGS)
$(YAJL_LDFLAGS) \
$(YARA_LDFLAGS)
unit_tests_CPPFLAGS = \
@ -80,7 +82,8 @@ unit_tests_CPPFLAGS = \
$(YAJL_CFLAGS) \
$(LUA_CFLAGS) \
$(SSDEEP_CFLAGS) \
$(LIBXML2_CFLAGS)
$(LIBXML2_CFLAGS) \
$(YARA_CFLAGS)
# regression
@ -102,7 +105,8 @@ regression_tests_LDADD = \
$(LUA_LDADD) \
$(PCRE_LDADD) \
$(SSDEEP_LDADD) \
$(YAJL_LDADD)
$(YAJL_LDADD) \
$(YARA_LDADD)
regression_tests_LDFLAGS = \
@ -111,7 +115,8 @@ regression_tests_LDFLAGS = \
$(YAJL_LDFLAGS) \
$(LMDB_LDFLAGS) \
$(SSDEEP_LDFLAGS) \
$(LUA_LDFLAGS)
$(LUA_LDFLAGS) \
$(YARA_LDFLAGS)
regression_tests_CPPFLAGS = \
@ -130,7 +135,8 @@ regression_tests_CPPFLAGS = \
$(SSDEEP_CFLAGS) \
$(PCRE_CFLAGS) \
$(YAJL_CFLAGS) \
$(LIBXML2_CFLAGS)
$(LIBXML2_CFLAGS) \
$(YARA_CFLAGS)
# optimization
@ -151,7 +157,8 @@ rules_optimization_LDADD = \
$(LUA_LDADD) \
$(PCRE_LDADD) \
$(SSDEEP_LDADD) \
$(YAJL_LDADD)
$(YAJL_LDADD) \
$(YARA_LDADD)
rules_optimization_LDFLAGS = \
$(GEOIP_LDFLAGS) \
@ -159,7 +166,8 @@ rules_optimization_LDFLAGS = \
$(LMDB_LDFLAGS) \
$(LUA_LDFLAGS) \
$(SSDEEP_LDFLAGS) \
$(YAJL_LDFLAGS)
$(YAJL_LDFLAGS) \
$(YARA_LDFLAGS)
rules_optimization_CPPFLAGS = \
-std=c++11 \
@ -177,5 +185,6 @@ rules_optimization_CPPFLAGS = \
$(SSDEEP_CFLAGS) \
$(PCRE_CFLAGS) \
$(YAJL_CFLAGS) \
$(LIBXML2_CFLAGS)
$(LIBXML2_CFLAGS) \
$(YARA_CFLAGS)

4
test/benchmark/Makefile.am
View File

@ -16,6 +16,7 @@ benchmark_LDADD = \
$(SSDEEP_LDADD) \
$(LUA_LDADD) \
$(LIBXML2_LDADD) \
$(YARA_LDADD) \
$(GLOBAL_LDADD)
benchmark_LDFLAGS = \
@ -25,7 +26,8 @@ benchmark_LDFLAGS = \
$(YAJL_LDFLAGS) \
$(LMDB_LDFLAGS) \
$(SSDEEP_LDFLAGS) \
$(LUA_LDFLAGS)
$(LUA_LDFLAGS) \
$(YARA_LDFLAGS)
benchmark_CPPFLAGS = \
-std=c++11 \

1
test/fuzzer/Makefile.am
View File

@ -24,6 +24,7 @@ afl_fuzzer_LDADD = \
$(SSDEEP_LDFLAGS) $(SSDEEP_LDADD) \
$(LUA_LDFLAGS) $(LUA_LDADD) \
$(LIBXML2_LDADD) \
$(YARA_LDFLAGS) $(YARA_LDADD) \
$(top_builddir)/src/.libs/libmodsecurity.a \
$(top_builddir)/others/libinjection.la \
$(top_builddir)/others/libmbedtls.la

9
tools/rules-check/Makefile.am
View File

@ -16,7 +16,8 @@ modsec_rules_check_LDADD = \
$(LUA_LDADD) \
$(PCRE_LDADD) \
$(SSDEEP_LDADD) \
$(YAJL_LDADD)
$(YAJL_LDADD) \
$(YARA_LDADD)
modsec_rules_check_LDFLAGS = \
$(GEOIP_LDFLAGS) \
@ -25,7 +26,8 @@ modsec_rules_check_LDFLAGS = \
$(LMDB_LDFLAGS) \
$(LUA_LDFLAGS) \
$(SSDEEP_LDFLAGS) \
$(YAJL_LDFLAGS)
$(YAJL_LDFLAGS) \
$(YARA_LDFLAGS)
modsec_rules_check_CPPFLAGS = \
-std=c++11 \
@ -34,7 +36,8 @@ modsec_rules_check_CPPFLAGS = \
$(PCRE_CFLAGS) \
$(LMDB_CFLAGS) \
$(MAXMIND_CFLAGS) \
$(LIBXML2_CFLAGS)
$(LIBXML2_CFLAGS) \
$(YARA_CFLAGS)
MAINTAINERCLEANFILES = \
Makefile.in