[Bro] Yara analyser

Seth Hall seth at icir.org
Tue Dec 9 06:43:41 PST 2014

> On Dec 9, 2014, at 4:38 AM, BabbitMail <babbitmail at gmail.com> wrote:
> The code seems to work well for small pcaps - but I wondered about memory exhaustion using std::ostringstream to store files in larger deployments. I just wondered whether this was something that you might consider including in the bro source - I’d be happy to tidy it up if there was enough enthusiasm.

Unfortunately that’s unlikely to work well on live traffic and it could be abused easily.  I’ve actually spent quite a bit of time on making some API updates to Yara to introduce an incremental API and I have a Yara analyzer laying around somewhere that uses the incremental API (it only took about an hour to create the analyzer after I made the API extension in Yara).

I’ve been in contact a bit with Victor Alvarez about getting an incremental analysis API into Yara and I showed him my code.  He responded well but he hasn’t merged my code or updated his to add an incremental API yet.  I’ll follow up with him again soon to get his thoughts on it.

In case anyone here wants to take a look at what I’ve done, you can see my Yara branch with an incremental API here:


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
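The memory-exhaustion concern raised in the quoted message, and the incremental alternative Seth describes, as an added example (not code from Bro, from Yara, or from Seth's Yara branch): a whole-file buffer built on std::ostringstream, capped only by a constructed 1 MiB limit, beside a streaming matcher that scans each chunk as it arrives and carries over just enough bytes to catch a pattern straddling a chunk boundary. Plain byte-string search stands in for real Yara rules; the class names, the cap, and the sample file are all assumptions made for illustration.

```cpp
// Added example, not Bro or Yara project code. Contrasts whole-file buffering
// (memory grows with the file an attacker chooses to send) with chunked scanning
// whose memory is bounded by chunk size plus the longest pattern.
#include <algorithm>
#include <cstddef>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical per-file cap for the buffering approach (assumed value).
constexpr std::size_t kMaxBufferedBytes = 1 << 20;  // 1 MiB

// Approach 1: accumulate the entire file in a std::ostringstream, scan at the end.
// Without the cap this is the unbounded growth the thread warns about; with it,
// every concurrent file can still pin up to kMaxBufferedBytes until it completes.
class BufferingScanner {
 public:
  explicit BufferingScanner(std::vector<std::string> patterns) : patterns_(std::move(patterns)) {}
  // Returns false once the cap would be exceeded; the caller should stop feeding.
  bool feed(const char* data, std::size_t len) {
    if (buffered_ + len > kMaxBufferedBytes) return false;
    buf_.write(data, static_cast<std::streamsize>(len));
    buffered_ += len;
    return true;
  }
  std::set<std::string> finish() const {
    std::set<std::string> hits;
    const std::string whole = buf_.str();  // second full copy of the file
    for (const auto& p : patterns_)
      if (whole.find(p) != std::string::npos) hits.insert(p);
    return hits;
  }
 private:
  std::vector<std::string> patterns_;
  std::ostringstream buf_;
  std::size_t buffered_ = 0;
};

// Approach 2: scan each chunk on arrival, keeping only the last
// (longest_pattern - 1) bytes as carry-over so a match split across two chunks
// is still seen. Peak memory no longer depends on the size of the file.
class IncrementalScanner {
 public:
  explicit IncrementalScanner(std::vector<std::string> patterns) : patterns_(std::move(patterns)) {
    for (const auto& p : patterns_) longest_ = std::max(longest_, p.size());
  }
  void feed(const char* data, std::size_t len) {
    const std::string window = carry_ + std::string(data, len);
    for (const auto& p : patterns_)
      if (window.find(p) != std::string::npos) hits_.insert(p);
    const std::size_t keep = longest_ > 0 ? longest_ - 1 : 0;
    carry_ = window.size() > keep ? window.substr(window.size() - keep) : window;
    total_ += len;
    peak_ = std::max(peak_, window.size());
  }
  const std::set<std::string>& hits() const { return hits_; }
  std::size_t total_bytes_seen() const { return total_; }
  std::size_t peak_window_bytes() const { return peak_; }  // bytes held at once
 private:
  std::vector<std::string> patterns_;
  std::set<std::string> hits_;
  std::string carry_;
  std::size_t longest_ = 0, total_ = 0, peak_ = 0;
};

// Constructed sample file: `filler` bytes of 'A', the marker, `filler` bytes of 'B'.
inline std::string make_sample(std::size_t filler, const std::string& marker) {
  return std::string(filler, 'A') + marker + std::string(filler, 'B');
}

// Feeds `file` to an IncrementalScanner in `chunk`-byte pieces.
inline IncrementalScanner scan_incremental(const std::string& file, std::size_t chunk,
                                           std::vector<std::string> patterns) {
  IncrementalScanner s(std::move(patterns));
  for (std::size_t off = 0; off < file.size(); off += chunk)
    s.feed(file.data() + off, std::min(chunk, file.size() - off));
  return s;
}

// Feeds `file` to a BufferingScanner the same way; returns false if the cap tripped.
inline bool scan_buffered(const std::string& file, std::size_t chunk,
                          std::vector<std::string> patterns, std::set<std::string>* hits) {
  BufferingScanner s(std::move(patterns));
  for (std::size_t off = 0; off < file.size(); off += chunk)
    if (!s.feed(file.data() + off, std::min(chunk, file.size() - off))) return false;
  *hits = s.finish();
  return true;
}
```

Feeding a 1.2 MB constructed file through scan_buffered trips the cap and the file goes unscanned, while scan_incremental finds the marker with its peak window never exceeding one chunk plus ten bytes. The carry-over trick only works for fixed byte strings; regular expressions and Yara conditions that reference offsets or file size need scanner state that survives across chunks, which is what an incremental Yara API would have to provide.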

More information about the Bro mailing list