
SANS ISC: Yara Sweeper - SANS Internet Storm Center SANS ISC InfoSec Forums


Yara Sweeper

https://gitlab.com/nowayout/yara_sweeper

This tool runs YARA rules across a large-scale environment.
Yara Sweeper is intended for live incident response, where it scans processes running in memory
or files residing on disk.

It works on Linux, Windows and OSX.

Use cases
On-demand sweep. During incident response, invoke the agent to scan files, a directory, or running processes with a quickly written YARA rule pushed to a git repository.

Continuous IOC monitoring. Build a library of YARA rules from IOCs collected over time, and create scheduled tasks that regularly sweep the endpoint with the specified rules; the syslog events generated by each match are sent to the SIEM.
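The continuous-monitoring use case above depends on two small pieces of plumbing: turning a collected IOC set into a YARA rule, and reporting a match as a syslog line the SIEM can parse. The following is an added example (not code from the Yara Sweeper project); the IOC values, rule name and facility/severity choice are constructed assumptions, and scanning itself is left to YARA.

```python
import socket
from datetime import datetime, timezone

# Constructed IOC library: each (kind, value) pair becomes one $string in the rule.
IOC_LIBRARY = [
    ("text", "C:\\Users\\Public\\update.exe"),  # constructed path IOC
    ("text", "evil-c2.example"),                # constructed domain IOC
    ("hex", "4D 5A 90 00"),                     # constructed byte pattern
]

def _yara_text(value: str) -> str:
    # YARA text strings are double-quoted; backslashes and quotes must be escaped
    # or the generated rule fails to compile on the endpoint.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_yara_rule(name, iocs, condition="any of them", tags=()):
    """Render a YARA rule from IOC pairs; kind is 'text' (ascii+wide) or 'hex'."""
    header = f"rule {name}" + (" : " + " ".join(tags) if tags else "") + " {"
    lines = [header, "    strings:"]
    for i, (kind, value) in enumerate(iocs):
        if kind == "text":
            lines.append(f"        $s{i} = {_yara_text(value)} ascii wide")
        elif kind == "hex":
            lines.append(f"        $s{i} = {{ {value} }}")
        else:
            raise ValueError(f"unsupported IOC kind: {kind}")
    lines += ["    condition:", f"        {condition}", "}"]
    return "\n".join(lines) + "\n"

def syslog_event(rule, target, matched, host=None, app="yara_sweeper"):
    """RFC 5424 message for one match: facility local0 (16), severity warning (4),
    so PRI = 16 * 8 + 4 = 132; match details go in a structured-data element."""
    host = host or socket.gethostname()
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")
    ts = ts.replace("+00:00", "Z")
    sd = f'[sweep rule="{rule}" target="{target}" strings="{",".join(matched)}"]'
    return f"<132>1 {ts} {host} {app} - - {sd} yara match"

if __name__ == "__main__":
    print(build_yara_rule("ioc_sweep", IOC_LIBRARY, tags=("ir",)))
    print(syslog_event("ioc_sweep", "/tmp/sample.bin", ["$s0", "$s2"]))
```

Write the rendered rule to the rule repository the scheduled sweep pulls from, and forward the syslog line over the endpoint's normal syslog transport.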
Anonymous
