Awesome
yaraScanParser
<!-- PROJECT SHIELDS --> <!-- *** I'm using markdown "reference style" links for readability. *** Reference links are enclosed in brackets [ ] instead of parentheses ( ). *** See the bottom of this document for the declaration of the reference variables *** for contributors-url, forks-url, etc. This is an optional, concise syntax you may use. *** https://www.markdownguide.org/basic-syntax/#reference-style-links --> <!-- TABLE OF CONTENTS --> <details open="open"> <summary>Table of Contents</summary> <ol> <li> <a href="#about-the-project">About The Project</a> <ul> <li><a href="#built-with">Built With</a></li> </ul> </li> <li> <a href="#getting-started">Getting Started</a> <ul> <li><a href="#installation">Installation</a></li> </ul> </li> <li><a href="#usage">Usage</a></li> <li><a href="#contact">Contact</a></li> <li><a href="#acknowledgements">Acknowledgements</a></li> </ol> </details> <!-- ABOUT THE PROJECT -->About The Project
This script is a parsing tool for Yara Scan Service's JSON output file. Yara Scan Service allows to quickly test your YARA rule against a large collection of malicious samples. It helps assure your rule only matches the malware family you are looking for. The output is a JSON file containing all the matched samples. The JSON file contains a lot of information, and yaraScanParser is meant to help you maximize its benefits.
yaraScanParser allows you to:
- Save time by parsing the Yara Scan Service results automatically
- Get information about wanted matches and false positives of your rule
- Get the matched files' hash values in a format that can be easily inserted to your Yara rule's metadata section
Built With
<!-- GETTING STARTED -->Getting Started
To use this tool, you must have Python installed.
Installation
Clone the repo
git clone https://github.com/Sh3llyR/yaraScanParser.git
<!-- USAGE EXAMPLES -->
Usage
- Parameters -o and -m are OPTIONAL
- When -o parameter is omitted, the output file is saved in the script's directory
- When -m parameter is omitted, the value of the first 'malware' key in the JSON file is used
Usage examples:
- python yaraScanParser.py -i yara_scan_service_results.json -o output.txt -m CobaltStrike
- python yaraScanParser.py -i yara_scan_service_results.json -o output.txt -m CobaltStrike,DarkComet,QuasarRAT
- python3 yaraScanParser.py -i yara_scan_service_results.json
Contact
Project Link: https://github.com/Sh3llyR/yaraScanParser
<!-- ACKNOWLEDGEMENTS -->