Trendshift - Ask AI

base on 🔍🔍 Malware scanner for cloud-native, as part of CI/CD and at Runtime 🔍🔍 [<img src="https://img.shields.io/badge/documentation-read-green">](https://docs.deepfence.io/yarahunter/) [![GitHub license](https://img.shields.io/github/license/deepfence/YaraHunter)](https://github.com/deepfence/YaraHunter/blob/master/LICENSE) [![GitHub stars](https://img.shields.io/github/stars/deepfence/YaraHunter)](https://github.com/deepfence/YaraHunter/stargazers) [![Hacktoberfest](https://img.shields.io/github/hacktoberfest/2022/deepfence/YaraHunter)](https://github.com/deepfence/YaraHunter/issues) [![GitHub issues](https://img.shields.io/github/issues/deepfence/YaraHunter)](https://github.com/deepfence/YaraHunter/issues) [![Slack](https://img.shields.io/badge/[email protected]?logo=slack)](https://join.slack.com/t/deepfence-community/shared_invite/zt-podmzle9-5X~qYx8wMaLt9bGWwkSdgQ) # YaraHunter Deepfence YaraHunter scans container images, running Docker containers, and filesystems to find indicators of malware. It uses a [YARA ruleset](https://github.com/deepfence/yara-rules) to identify resources that match known malware signatures, and may indicate that the container or filesystem has been compromised. YaraHunter can be used in the following ways: - **At build-and-test**: scan build artifacts in the CI/CD pipeline, reporting on possible indicators of malware - **At rest**: scan local container images, for example, before they are deployed, to verify they do not contain malware - **At runtime**: scan running docker containers, for example, if you observe unusual network traffic or CPU activity - **Against filesystems**: at any time, YaraHunter can scan a local filesystems for indicators of compromise Key capabilities: - Scan running and at-rest containers; scan filesystems; scan during CI/CD build operations - Run anywhere: highly-portable, docker container form factor - Designed for automation: easy-to-deploy, easy-to-parse JSON output YaraHunter is a work-in-progress (check the [Roadmap](https://github.com/deepfence/YaraHunter/projects) and [issues list](issues)), and will be integrated into the [ThreatMapper](https://github.com/deepfence/ThreatMapper) threat discovery platform. We welcome any contributions to help to improve this tool. ## Quick Start For full instructions, refer to the [YaraHunter Documentation](https://docs.deepfence.io/docs/yarahunter/). ![demo gif](demo.gif) ## Example: Finding Indicators of Compromise in a container image Images may be compromised with the installation of a cryptominer such as XMRig. In the following example, we'll scan a legitimiate cryptominer image that contains the same xmrig software that is often installed through an exploit: Pull the official **yarahunter** image: ``` docker pull quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.2 ``` or Build it from source clone this repo and run below command ``` make docker ``` ### Generate License Key Run this command to generate a license key. Work/official email id has to be used. ```shell curl https://license.deepfence.io/threatmapper/generate-license?first_name=<FIRST_NAME>&last_name=<LAST_NAME>&email=<EMAIL>&company=<ORGANIZATION_NAME>&resend_email=true ``` ### Scan Pull the image that needs to be scanned for example `metal3d/xmrig` and scan it: ``` docker pull metal3d/xmrig ``` Set Product and Licence and scan it: ``` docker run -i --rm --name=deepfence-yarahunter \ -e DEEPFENCE_PRODUCT=<ThreatMapper or ThreatStryker> \ -e DEEPFENCE_LICENSE=<ThreatMapper or ThreatStryker license key> \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /tmp:/home/deepfence/output \ quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.2 \ --image-name metal3d/xmrig:latest \ --output=json > xmrig-scan.json ``` This returns, among other things, clear indication of the presence of XMRig. Note that we store the output (`xmrig-scan.json`) for quick and easy manipulation: Rules can also be cached to use next run by mounting a seperate path and passing `rules-path` argument ``` docker run -i --rm --name=deepfence-yarahunter \ -e DEEPFENCE_PRODUCT=<ThreatMapper or ThreatStryker> \ -e DEEPFENCE_LICENSE=<ThreatMapper or ThreatStryker license key> \ -v /var/run/docker.sock:/var/run/docker.sock \ -v /tmp:/home/deepfence/output \ -v /tmp/rules:/tmp/rules \ quay.io/deepfenceio/deepfence_malware_scanner_ce:2.5.2 \ --image-name metal3d/xmrig:latest \ --output=json \ --rules-path=/tmp/rules > xmrig-scan.json ``` ``` # Extract the IOC array values. From these, extract the values of the 'Matched Rule Name' key cat /tmp/xmrig-scan.json | jq '.IOC[] | ."Matched Rule Name"' ``` This returns a list of the IOCs identified in the container we scanned. To get table formatted output omit `--output=json` flag ## Get in touch Thank you for using YaraHunter. - [<img src="https://img.shields.io/badge/documentation-read-green">](https://docs.deepfence.io/docs/yarahunter/) Start with the documentation - [<img src="https://img.shields.io/badge/[email protected]?logo=slack">](https://join.slack.com/t/deepfence-community/shared_invite/zt-podmzle9-5X~qYx8wMaLt9bGWwkSdgQ) Got a question, need some help? Find the Deepfence team on Slack - [![GitHub issues](https://img.shields.io/github/issues/deepfence/YaraHunter)](https://github.com/deepfence/YaraHunter/issues) Got a feature request or found a bug? Raise an issue - [productsecurity _at_ deepfence _dot_ io](SECURITY.md): Found a security issue? Share it in confidence - Find out more at [deepfence.io](https://deepfence.io/) ## Security and Support For any security-related issues in the YaraHunter project, contact [productsecurity _at_ deepfence _dot_ io](SECURITY.md). Please file GitHub issues as needed, and join the Deepfence Community [Slack channel](https://join.slack.com/t/deepfence-community/shared_invite/zt-podmzle9-5X~qYx8wMaLt9bGWwkSdgQ). ## License The Deepfence YaraHunter project (this repository) is offered under the [Apache2 license](https://www.apache.org/licenses/LICENSE-2.0). [Contributions](CONTRIBUTING.md) to Deepfence YaraHunter project are similarly accepted under the Apache2 license, as per [GitHub's inbound=outbound policy](https://docs.github.com/en/github/site-policy/github-terms-of-service#6-contributions-under-repository-license). # Disclaimer This tool is not meant to be used for hacking. Please use it only for legitimate purposes like detecting indicator of compromise on the infrastructure you own, not on others' infrastructure. DEEPFENCE shall not be liable for loss of profit, loss of business, other financial loss, or any other loss or damage which may be caused, directly or indirectly, by the inadequacy of YaraHunter for any purpose or use thereof or by any defect or deficiency therein. ", Assign "at most 3 tags" to the expected json: {"id":"751","tags":[]} "only from the tags list I provide: [{"id":77,"name":"3d"},{"id":89,"name":"agent"},{"id":17,"name":"ai"},{"id":54,"name":"algorithm"},{"id":24,"name":"api"},{"id":44,"name":"authentication"},{"id":3,"name":"aws"},{"id":27,"name":"backend"},{"id":60,"name":"benchmark"},{"id":72,"name":"best-practices"},{"id":39,"name":"bitcoin"},{"id":37,"name":"blockchain"},{"id":1,"name":"blog"},{"id":45,"name":"bundler"},{"id":58,"name":"cache"},{"id":21,"name":"chat"},{"id":49,"name":"cicd"},{"id":4,"name":"cli"},{"id":64,"name":"cloud-native"},{"id":48,"name":"cms"},{"id":61,"name":"compiler"},{"id":68,"name":"containerization"},{"id":92,"name":"crm"},{"id":34,"name":"data"},{"id":47,"name":"database"},{"id":8,"name":"declarative-gui "},{"id":9,"name":"deploy-tool"},{"id":53,"name":"desktop-app"},{"id":6,"name":"dev-exp-lib"},{"id":59,"name":"dev-tool"},{"id":13,"name":"ecommerce"},{"id":26,"name":"editor"},{"id":66,"name":"emulator"},{"id":62,"name":"filesystem"},{"id":80,"name":"finance"},{"id":15,"name":"firmware"},{"id":73,"name":"for-fun"},{"id":2,"name":"framework"},{"id":11,"name":"frontend"},{"id":22,"name":"game"},{"id":81,"name":"game-engine "},{"id":23,"name":"graphql"},{"id":84,"name":"gui"},{"id":91,"name":"http"},{"id":5,"name":"http-client"},{"id":51,"name":"iac"},{"id":30,"name":"ide"},{"id":78,"name":"iot"},{"id":40,"name":"json"},{"id":83,"name":"julian"},{"id":38,"name":"k8s"},{"id":31,"name":"language"},{"id":10,"name":"learning-resource"},{"id":33,"name":"lib"},{"id":41,"name":"linter"},{"id":28,"name":"lms"},{"id":16,"name":"logging"},{"id":76,"name":"low-code"},{"id":90,"name":"message-queue"},{"id":42,"name":"mobile-app"},{"id":18,"name":"monitoring"},{"id":36,"name":"networking"},{"id":7,"name":"node-version"},{"id":55,"name":"nosql"},{"id":57,"name":"observability"},{"id":46,"name":"orm"},{"id":52,"name":"os"},{"id":14,"name":"parser"},{"id":74,"name":"react"},{"id":82,"name":"real-time"},{"id":56,"name":"robot"},{"id":65,"name":"runtime"},{"id":32,"name":"sdk"},{"id":71,"name":"search"},{"id":63,"name":"secrets"},{"id":25,"name":"security"},{"id":85,"name":"server"},{"id":86,"name":"serverless"},{"id":70,"name":"storage"},{"id":75,"name":"system-design"},{"id":79,"name":"terminal"},{"id":29,"name":"testing"},{"id":12,"name":"ui"},{"id":50,"name":"ux"},{"id":88,"name":"video"},{"id":20,"name":"web-app"},{"id":35,"name":"web-server"},{"id":43,"name":"webassembly"},{"id":69,"name":"workflow"},{"id":87,"name":"yaml"}]" returns me the "expected json"

AI prompts

AI prompts