BinaryAlert: Serverless, Real-time & Retroactive Malware Detection.
APACHE-2.0 License
v1.2.0 of BinaryAlert is here! This version simplifies and hardens the BinaryAlert architecture, adds support for scanning UPX-packed binaries and PDFs, and adds more configuration options to customize your deployment.

- ./manage.py live_test now includes examples of both
- ./manage.py analyze_all command with retro_fast (to read the latest inventory) and retro_slow (to enumerate the bucket directly)
- ./manage.py purge_queue
- terraform/terraform.tfvars
For the complete list of changes and issues closed, see the associated milestone.
- server_side_encryption directive in terraform/dynamo.tf to keep the table the way it is.

v1.1.0 adds support for archive analysis via yextend! Hundreds of different types of archives (.docx, .rar, .zip, etc.) are now natively extracted and scanned with your YARA rules.
- yextend for YARA analysis of archives
- The shred utility is used to destroy files in /tmp after downloading them from S3
- --version flag
- destroy command
- live_test now uploads an archive in addition to a text file
- openssl development libraries prior to installing YARA

For the complete list of changes and issues closed, see the associated milestone.
Upgrading is quite easy and can happen on top of your existing deploy:

git checkout v1.1.0
source venv/bin/activate
pip install -r requirements.txt
Upgrade terraform to v0.11+
./manage.py deploy
./manage.py live_test

Note that the SNS alert no longer includes the YARA RuleTags in the MatchedRules section.
BinaryAlert's first official release is here! To get started, visit https://binaryalert.io/getting-started.html
- hash YARA module
- cb_copy_all (CarbonBlack copy), configure, and compile_rules CLI commands

For a complete list of changes, see the associated milestone.
If you are upgrading from BinaryAlert v0.10:
- The LambdaVersion table column has been renamed to AnalyzerVersion.
- terraform state rm aws_dynamodb_table.binaryalert_yara_matches
Published by austinbyers about 7 years ago
Resolves: #3, #7, #23, #24
- live_test feature to CLI

You can now quickly test the end-to-end functionality of a live BinaryAlert deployment with a single command: python3 manage.py live_test

This will upload a harmless test file which should trigger a YARA match alert. The live test will verify that the match was correctly identified and saved in DynamoDB.
When a file matches a YARA rule, the SNS output format has changed from

{
    'FileInfo': { ... },
    'MatchedRules': [
        {
            'RuleFile': 'rules.yara',
            'RuleName': 'my_rule_name',
            ...
        }
    ]
}

to

{
    'FileInfo': { ... },
    'NumMatchedRules': 2,
    'MatchedRules': {
        'Rule1': {
            'RuleFile': 'rules.yara',
            'RuleName': 'my_rule_name',
            ...
        },
        'Rule2': { ... }
    }
}
The new format is easy to integrate with StreamAlert and renders better in PagerDuty.
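Consuming the alert downstream, as an added example that is not BinaryAlert's own code: the field names (FileInfo, MatchedRules, NumMatchedRules, RuleFile, RuleName) come from the two formats above, while the sample alerts and the S3Object key inside FileInfo are constructed. The parser accepts both the old list form and the new dict form, and checks that NumMatchedRules agrees with the number of entries, so a StreamAlert rule or PagerDuty integration keeps working across the upgrade.

```python
import json
from typing import Dict, Iterator, List, Tuple

def _rule_index(key: str) -> int:
    # Order 'Rule1', 'Rule2', ..., 'Rule10' numerically rather than lexically.
    digits = key[len('Rule'):] if key.startswith('Rule') else ''
    return int(digits) if digits.isdigit() else 0

def iter_matched_rules(alert: Dict) -> Iterator[Tuple[str, str]]:
    """Yield (RuleFile, RuleName) for each match, whichever SNS format the alert uses."""
    matched = alert.get('MatchedRules', [])
    if isinstance(matched, dict):
        # New format: {'Rule1': {...}, 'Rule2': {...}} keyed by position.
        entries = [matched[key] for key in sorted(matched, key=_rule_index)]
    else:
        # Old format: a plain list of rule dicts.
        entries = list(matched)
    for rule in entries:
        yield rule['RuleFile'], rule['RuleName']

def consistency_check(alert: Dict) -> bool:
    """New format: NumMatchedRules must equal len(MatchedRules); old format: a list and no count."""
    matched = alert.get('MatchedRules', [])
    if 'NumMatchedRules' not in alert:
        return isinstance(matched, list)
    return isinstance(matched, dict) and alert['NumMatchedRules'] == len(matched)

def parse_sns_message(body: str) -> Dict:
    """Parse a raw SNS body into a flat summary: file info plus one 'RuleFile:RuleName' per match."""
    alert = json.loads(body)
    if not consistency_check(alert):
        raise ValueError('MatchedRules does not agree with NumMatchedRules')
    matches: List[str] = [f'{f}:{n}' for f, n in iter_matched_rules(alert)]
    return {'FileInfo': alert.get('FileInfo', {}), 'Matches': matches}

# Constructed sample alerts in both formats; the FileInfo contents are placeholders.
OLD_FORMAT = json.dumps({
    'FileInfo': {'S3Object': 's3://example-bucket/sample.bin'},
    'MatchedRules': [{'RuleFile': 'rules.yara', 'RuleName': 'my_rule_name'}],
})
NEW_FORMAT = json.dumps({
    'FileInfo': {'S3Object': 's3://example-bucket/sample.bin'},
    'NumMatchedRules': 2,
    'MatchedRules': {
        'Rule1': {'RuleFile': 'rules.yara', 'RuleName': 'my_rule_name'},
        'Rule2': {'RuleFile': 'other.yara', 'RuleName': 'second_rule'},
    },
})
```

Call parse_sns_message(NEW_FORMAT) or parse_sns_message(OLD_FORMAT) to see the same flat summary produced from either shape; a mismatched NumMatchedRules raises instead of silently dropping matches.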
Published by austinbyers over 7 years ago