Home

Awesome

Yara-Scanner

Introduction

Yara-Scanner is a Python-based extension that integrates a Yara scanner into Burp Suite. Yara-Scanner allows you perform on-demand Yara scans of websites within the Burp interface, based on custom Yara rules that you write or obtain. Example use cases include scanning spidered sites for obfuscated Javascript or any other specific string patterns of interest present in any part of a request or response. It has been tested with Yara 3.4 in Burp Suite Free and Pro versions 1.6.3x on Windows 7 and 10, and Kali 2.0.

Prerequisite: Jython

If you have not already added a Jython standalone JAR file to Burp:

  1. Download the latest version (2.7) of the Jython standalone JAR file from: http://www.jython.org/downloads.html
  2. In Burp, go to the Extender tab, then Options
  3. Under Python Environment, click Select file... next to the field for Location of Jython standalone JAR file
  4. Select your downloaded jython-standalone-2.7.0.jar file and click Open

Prerequisite: Yara

  1. Install or download the latest version of the standalone Yara binary (3.4) for your OS. Instructions at: https://github.com/plusvic/yara/releases/tag/v3.4.0.

How to Install

  1. Download yaraburp.py
  2. In Burp, go to the Extender tab, then Extensions
  3. Click Add
  4. Under Extension details, set Extension type to Python
  5. Click Select file... next to the Extension file (.py) field
  6. Select your downloaded copy of yaraburp.py and click Open, then Next
  7. In the Load Burp Extension window, after a few seconds the Output box should display "Burpsuite Yara scanner initialized", indicating that it was successfully loaded. A Yara tab will appear in Burp and Yara Scanner is now ready to use. Click Close.
  8. Ensure that the Loaded option box is now checked for Burpsuite Yara Scanner

How to Use

  1. Click the Yara tab in Burp, then Options
  2. Enter the full path of your Yara Executable Location
  1. Enter your Yara Rules File path
  1. Visit your target site(s) using Burp as an interception proxy and your browser of choice to populate Burp's Site map
  2. In Burp's Target tab, in the Site map, select the site(s) you want to scan with Yara then right-click on them and select Scan with Yara
  1. After the Yara scan has successfully completed, a "Yara scanning complete. x rule(s) matched." message will appear. Click OK.
  2. Click on the Yara tab and select Yara Output to view the rule hits; the Rule Name and URL will be listed for each hit.

Possible Roadmap