/**
 * YARA Rules tests.
 *
 * @author Matt C [matt@artemisbot.uk]
 * @copyright Crown Copyright 2019
 * @license Apache-2.0
 */
import TestRegister from "../../lib/TestRegister.mjs";
/**
 * YARA source shared by the "compile warnings" and "console messages" cases.
 *
 * It is written one source line per array entry because the compile-warnings
 * case asserts on line numbers ("Warning on line 5" / "Warning on line 12"):
 * adding or removing a line here changes which line the warning points at.
 *
 * Both rules use the one-byte string " ", which is what produces the
 * "may slow down scanning" warning in the expected output. Rule a calls
 * console.log and rule b calls console.hex from the console module.
 */
const CONSOLE_COMPILE_WARNING_RULE = [
    "import \"console\"",
    "rule a",
    "{",
    "strings:",
    "$s=\" \"", // source line 5: first expected warning
    "condition:",
    "$s and console.log(\"log rule a\")",
    "}",
    "rule b",
    "{",
    "strings:",
    "$s=\" \"", // source line 12: second expected warning
    "condition:",
    "$s and console.hex(\"log rule b: int8(0)=\", int8(0))",
    "}",
].join("\n");
// Rule source for the hashing case. Both rules hash the whole input
// (offset 0 through filesize) and compare it with the digest of "Hello World!".
// MD5 is only used here as a test fixture; for matching real samples a
// SHA-256 condition is the safer choice because MD5 collisions are practical.
const HELLO_WORLD_HASH_RULES = [
    "import \"hash\"",
    "rule HelloWorldMD5 {",
    "condition:",
    "hash.md5(0,filesize) == \"ed076287532e86365e841e92bfc50d8c\"",
    "}",
    "",
    "rule HelloWorldSHA256 {",
    "condition:",
    "hash.sha256(0,filesize) == \"7f83b1657ff1fc53b92dc18148a1d65dfc2d4b1fa3d677284addd200126d9069\"",
    "}",
].join("\n");

// Builds the expected text: every row is terminated by a newline.
const outputLines = (...rows) => rows.map((row) => `${row}\n`).join("");

// Wraps an argument list in a single-step "YARA Rules" recipe.
// args[0] is the rule source and the rest are boolean display flags. Judging
// by the cases below, the sixth value turns on compile warnings and the
// seventh turns on console-module messages; the first four presumably map to
// show strings / string lengths / metadata / counts (confirm against the
// operation's argument list).
const yaraRecipe = (...args) => [{ op: "YARA Rules", args }];

TestRegister.addTests([
    {
        // Two regex rules over the same input, with per-match detail in the output.
        // Only five arguments are supplied; the two trailing flags are left unset.
        name: "YARA Match: simple foobar",
        input: "foobar foobar bar foo foobar",
        expectedOutput: outputLines(
            "Rule \"foo\" matches (4 times):",
            "Pos 0, length 3, identifier $re1, data: \"foo\"",
            "Pos 7, length 3, identifier $re1, data: \"foo\"",
            "Pos 18, length 3, identifier $re1, data: \"foo\"",
            "Pos 22, length 3, identifier $re1, data: \"foo\"",
            "Rule \"bar\" matches (4 times):",
            "Pos 3, length 3, identifier $re1, data: \"bar\"",
            "Pos 10, length 3, identifier $re1, data: \"bar\"",
            "Pos 14, length 3, identifier $re1, data: \"bar\"",
            "Pos 25, length 3, identifier $re1, data: \"bar\"",
        ),
        recipeConfig: yaraRecipe(
            "rule foo {strings: $re1 = /foo/ condition: $re1} rule bar {strings: $re1 = /bar/ condition: $re1}",
            true, true, true, true,
        ),
    },
    {
        // Condition-only rules: there are no strings, so the output is one
        // "Input matches rule" line per rule even with the detail flags on.
        name: "YARA Match: hashing rules",
        input: "Hello World!",
        expectedOutput: outputLines(
            "Input matches rule \"HelloWorldMD5\".",
            "Input matches rule \"HelloWorldSHA256\".",
        ),
        recipeConfig: yaraRecipe(HELLO_WORLD_HASH_RULES, true, true, true, true, false, false),
    },
    {
        // Sixth flag on: compiler warnings are printed ahead of the match lines.
        // The warned-about string is a single space, which matches almost any
        // input; in a production rule set this warning is a cue to lengthen
        // or anchor the string.
        name: "YARA Match: compile warnings",
        input: "CyberChef Yara",
        expectedOutput: outputLines(
            "Warning on line 5: string \"$s\" may slow down scanning",
            "Warning on line 12: string \"$s\" may slow down scanning",
            "Input matches rule \"a\".",
            "Input matches rule \"b\".",
        ),
        recipeConfig: yaraRecipe(CONSOLE_COMPILE_WARNING_RULE, false, false, false, false, true, false),
    },
    {
        // Seventh flag on: console-module output is printed ahead of the match
        // lines. 0x43 is "C", the first byte of the input, as read by int8(0).
        name: "YARA Match: console messages",
        input: "CyberChef Yara",
        expectedOutput: outputLines(
            "log rule a",
            "log rule b: int8(0)=0x43",
            "Input matches rule \"a\".",
            "Input matches rule \"b\".",
        ),
        recipeConfig: yaraRecipe(CONSOLE_COMPILE_WARNING_RULE, false, false, false, false, false, true),
    },
]);