Revamp Yara memory/file scanning #209

Open
rabbitstack opened this issue Nov 3, 2023 · 0 comments
Labels
  • scope: alertsenders  Anything related to alert senders
  • scope: config  Anything related to config management
  • scope: yara  Anything related to libyara and pattern matching

Comments

@rabbitstack (Owner)

Description

Presently, the Yara scanner acts on process creation and image loading events to initiate the scan. For the former event type, the memory scan is performed on the child process. However, we can expand the scan capabilities to various other signals:

  • created files
  • loaded images, whether the image is an executable, DLL, or a driver
  • memory allocations
  • mappings of the section views
  • registry binary type values

We could consider executing some of these scans concurrently. When a rule match is observed, the alert is sent via the registered alert senders.

rabbitstack added the scope: yara, scope: alertsenders and scope: config labels on Nov 3, 2023
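As an added example (not Fibratus code and not part of the issue above), the following Go program sketches the dispatch the description proposes: events of each listed kind feed one scanner, registry values are scanned only when they are REG_BINARY, identical file and image contents are scanned once, scans run concurrently under a worker bound, and each match is fanned out to the registered alert senders. The Event struct, the byte-pattern matcher standing in for libyara, the rule names and the sample payloads are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"sync"
)

// EventKind enumerates the signals the issue lists as scan triggers.
type EventKind int

const (
	CreateProcess  EventKind = iota // scan the child process memory
	LoadImage                       // executable, DLL or driver image
	CreateFile                      // newly created file
	VirtualAlloc                    // memory allocation
	MapViewSection                  // mapping of a section view
	RegSetValue                     // registry value; only REG_BINARY is scanned
)

// Event is a simplified kernel event; Payload stands in for the bytes the real
// scanner would read (file contents, memory region, registry value).
type Event struct {
	Kind     EventKind
	PID      uint32
	Path     string // file/image path or registry key; empty for memory events
	IsBinary bool   // RegSetValue only: true when the value type is REG_BINARY
	Payload  []byte
}

// Scanner runs Rules (a hypothetical stand-in for compiled libyara rules, name -> byte
// pattern) over events with at most Workers (>= 1) scans in flight. File and image
// payloads are deduplicated by content hash, so a file created and then loaded as an image is scanned once.
type Scanner struct {
	Rules   map[string][]byte
	Senders []func(rule string, e Event) // alert sender fan-out (mail, Slack, ...)
	Workers int
	seen    sync.Map // sha256 of already scanned file/image content
}

// shouldScan drops events that carry nothing scannable or were already scanned.
func (s *Scanner) shouldScan(e Event) bool {
	if len(e.Payload) == 0 || (e.Kind == RegSetValue && !e.IsBinary) {
		return false
	}
	if e.Kind != CreateFile && e.Kind != LoadImage {
		return true // memory and registry contents change, so never deduplicate them
	}
	_, dup := s.seen.LoadOrStore(sha256.Sum256(e.Payload), struct{}{})
	return !dup
}

// Run scans events concurrently, hands each match to every sender (serialised by
// the lock, so senders need not be goroutine-safe) and returns the match count.
func (s *Scanner) Run(events []Event) int {
	var mu sync.Mutex
	var wg sync.WaitGroup
	sem := make(chan struct{}, s.Workers) // bounds in-flight scans
	matches := 0
	for _, e := range events {
		if !s.shouldScan(e) {
			continue
		}
		wg.Add(1)
		sem <- struct{}{}
		go func(e Event) {
			defer func() { <-sem; wg.Done() }()
			for name, pattern := range s.Rules {
				if bytes.Contains(e.Payload, pattern) {
					mu.Lock()
					matches++
					for _, send := range s.Senders {
						send(name, e)
					}
					mu.Unlock()
				}
			}
		}(e)
	}
	wg.Wait()
	return matches
}

// SampleRules and SampleEvents are constructed inputs, not real detections.
var (
	SampleRules  = map[string][]byte{"beacon_string": []byte("EvilBeacon"), "mz_header": []byte("MZ")}
	SampleEvents = []Event{
		{Kind: CreateFile, PID: 1000, Path: `C:\Temp\dropper.exe`, Payload: []byte("MZ\x90\x00..EvilBeacon..")},
		{Kind: LoadImage, PID: 4242, Path: `C:\Temp\dropper.exe`, Payload: []byte("MZ\x90\x00..EvilBeacon..")}, // same bytes: deduplicated
		{Kind: CreateProcess, PID: 4242, Payload: []byte("..EvilBeacon..")}, // child process memory, no MZ header
		{Kind: RegSetValue, PID: 4242, Path: `HKCU\Software\X\cfg`, Payload: []byte("EvilBeacon")}, // REG_SZ: skipped
		{Kind: RegSetValue, PID: 4242, Path: `HKCU\Software\X\blob`, IsBinary: true, Payload: []byte("\x01EvilBeacon")},
	}
)

func main() {
	log := func(rule string, e Event) { fmt.Printf("ALERT %s kind=%d pid=%d %q\n", rule, e.Kind, e.PID, e.Path) }
	s := &Scanner{Rules: SampleRules, Senders: []func(string, Event){log}, Workers: 4}
	fmt.Printf("%d matches\n", s.Run(SampleEvents))
}
```

Run it with `go run`: the created file matches both rules, its later image load is skipped because the content hash was already seen, the REG_SZ value is never scanned, and the child process memory and the REG_BINARY blob each match the string rule, for four matches in total. A real implementation would read the payload from the target (process memory for CreateProcess, the file for CreateFile and LoadImage) instead of carrying it in the event, and would hand the bytes to libyara rather than to bytes.Contains.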