spyre: simple YARA-based IOC scanner

Spyre

Spyre is a simple host-based IOC scanner built around the YARA pattern matching engine and other scan modules. The main goal of this project is the easy operationalization of YARA rules and other indicators of compromise.

Users need to bring their own rule sets. The awesome-yara repository gives a good overview of the free YARA rule sets available.

Spyre is intended to be used as an investigation tool by incident responders. It is not meant to evolve into any kind of endpoint protection service.

IOC scanner

Using Spyre is easy:

  1. Add YARA signatures. In its default configuration, Spyre reads YARA rules for file and process scanning from filescan.yar and procscan.yar, respectively. The following options exist for providing rule files to Spyre (and are tried in this order):

    1. Add the rule files to a ZIP file and append that ZIP file to the binary.
    2. Add the rule files to a ZIP file whose base name is identical to the scanner binary’s base name, i.e. if the Spyre binary is called spyre or spyre.exe, use spyre.zip.
    3. Put the rule files and the scanner binary into the same directory.

    ZIP file contents may be encrypted using the password infected (the AV industry convention) to prevent antivirus software from scanning the ruleset, classifying it as malicious content and blocking the scan.

    YARA rule files may contain include statements.

  2. Deploy and run the scanner.

  3. Collect the report and evidence.
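The three rule-file locations and their precedence, worked through end to end. This is an added illustration written for this page, not Spyre's own Go code: it packs constructed placeholder rules (including one `include` statement) into a ZIP, deploys them each of the three ways described above, and shows which location wins. The lookup helpers (`locate_rules`, `build_rules_zip`, `append_zip_to_binary`) are assumed names, and the "binary" is a stand-in byte string, not a real executable. Python's zipfile finds the end-of-central-directory record from the end of a file, so a ZIP appended to an executable is read through the same call; the standard library can read ZipCrypto archives given `pwd=b"infected"` but cannot write encrypted ones, so produce an encrypted ruleset with an external tool such as `zip -P infected` if you want that protection.

```python
import io
import os
import tempfile
import zipfile

# Default rule file names from the README above.
RULE_FILES = ("filescan.yar", "procscan.yar")
# AV-industry convention named in the README; ignored for unencrypted entries.
ZIP_PASSWORD = b"infected"

# Constructed placeholder rules for illustration only, not a real ruleset.
SAMPLE_RULES = {
    "filescan.yar": 'include "common.yar"\n'
                    'rule sample_file { strings: $s = "SAMPLE-FILE" condition: $s }\n',
    "procscan.yar": 'rule sample_proc { strings: $s = "SAMPLE-PROC" condition: $s }\n',
    "common.yar":   'rule shared_helper { condition: false }\n',
}


def build_rules_zip(rules):
    """Pack rule files into an in-memory ZIP and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in rules.items():
            zf.writestr(name, text)
    return buf.getvalue()


def append_zip_to_binary(binary_path, zip_bytes):
    """Option 1: glue the ZIP onto the end of the scanner binary."""
    with open(binary_path, "ab") as f:
        f.write(zip_bytes)


def _rules_from_zip(path):
    """Return the rule files from a ZIP, or None if the file is not a usable archive."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            if not all(n in names for n in RULE_FILES):
                return None
            return {n: zf.read(n, pwd=ZIP_PASSWORD).decode() for n in RULE_FILES}
    except (zipfile.BadZipFile, RuntimeError):
        return None


def _rules_from_dir(directory):
    """Option 3: loose rule files in the same directory as the binary."""
    paths = [os.path.join(directory, n) for n in RULE_FILES]
    if not all(os.path.isfile(p) for p in paths):
        return None
    out = {}
    for name, path in zip(RULE_FILES, paths):
        with open(path) as f:
            out[name] = f.read()
    return out


def locate_rules(binary_path):
    """Try the three locations in the README's order; return (source, rules) or None."""
    rules = _rules_from_zip(binary_path)            # 1: ZIP appended to the binary
    if rules:
        return "appended", rules
    sibling = os.path.splitext(binary_path)[0] + ".zip"   # spyre / spyre.exe -> spyre.zip
    if os.path.isfile(sibling):
        rules = _rules_from_zip(sibling)            # 2: ZIP with the same base name
        if rules:
            return "sibling-zip", rules
    rules = _rules_from_dir(os.path.dirname(os.path.abspath(binary_path)))
    if rules:
        return "directory", rules                   # 3: loose files next to the binary
    return None


def _source(binary_path):
    found = locate_rules(binary_path)
    return None if found is None else found[0]


def demo(binary_name="spyre.exe"):
    """Deploy the rules all three ways in a scratch directory; record which one wins each time."""
    seen = []
    with tempfile.TemporaryDirectory() as d:
        binary = os.path.join(d, binary_name)
        with open(binary, "wb") as f:
            f.write(b"MZ" + b"\x00" * 64)   # stand-in for the real scanner executable
        seen.append(_source(binary))        # nothing deployed yet -> None
        for name, text in SAMPLE_RULES.items():   # option 3
            with open(os.path.join(d, name), "w") as f:
                f.write(text)
        seen.append(_source(binary))
        zip_bytes = build_rules_zip(SAMPLE_RULES)
        sibling = os.path.splitext(binary_name)[0] + ".zip"   # option 2
        with open(os.path.join(d, sibling), "wb") as f:
            f.write(zip_bytes)
        seen.append(_source(binary))
        append_zip_to_binary(binary, zip_bytes)   # option 1
        seen.append(_source(binary))
    return seen


if __name__ == "__main__":
    print(demo())   # [None, 'directory', 'sibling-zip', 'appended']
```

The order of the checks is the point: once a ZIP is appended to the binary, a sibling spyre.zip or loose .yar files next to it are never consulted, so when a scan picks up unexpected rules, check the binary itself first.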

Download & Use

Copyright 2018-2020 DCSO Deutsche Cyber-Sicherheitsorganisation GmbH

Copyright 2021 Spyre Project Authors (see: AUTHORS.txt)