{"id":13642352,"url":"https://github.com/CERT-Polska/mquery","last_synced_at":"2025-04-20T16:31:54.317Z","repository":{"id":41512327,"uuid":"133830188","full_name":"CERT-Polska/mquery","owner":"CERT-Polska","description":"YARA malware query accelerator (web frontend)","archived":false,"fork":false,"pushed_at":"2024-05-28T16:18:45.000Z","size":8636,"stargazers_count":402,"open_issues_count":29,"forks_count":75,"subscribers_count":27,"default_branch":"master","last_synced_at":"2024-05-29T07:27:46.439Z","etag":null,"topics":["database","malware","security-automation","security-tools","yara"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CERT-Polska.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"docs/security.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-05-17T15:05:04.000Z","updated_at":"2024-05-30T20:27:03.756Z","dependencies_parsed_at":"2024-01-07T09:40:30.444Z","dependency_job_id":"1c3e41a1-0133-4cf3-aae6-9ba3b81f8fb0","html_url":"https://github.com/CERT-Polska/mquery","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CERT-Polska%2Fmquery","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CERT-Polska%2Fmquery/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CERT-Polska%2Fmquery/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CERT-Polska%2Fmquery/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CERT-Polska","download_url":"https://codeload.github.com/CERT-Polska/mquery/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223832975,"owners_count":17210757,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["database","malware","security-automation","security-tools","yara"],"created_at":"2024-08-02T01:01:30.341Z","updated_at":"2025-04-20T16:31:54.300Z","avatar_url":"https://github.com/CERT-Polska.png","language":"Python","funding_links":[],"categories":["Python","Tools"],"sub_categories":[],"readme":"# mquery: Blazingly fast Yara queries for malware analysts\n\nEver had trouble searching for malware samples? Mquery is an\nanalyst-friendly web GUI to look through your digital warehouse.\n\nIt can be used to search through terabytes of malware in a blink of an eye:\n\n![mquery web GUI](docs/interface-v1.4.gif)\n\nUnder the hood we use our [UrsaDB](https://github.com/CERT-Polska/ursadb), to\naccelerate yara queries with ngrams.\n\n## Demo\n\nPublic instance will be created soon, stay tuned...\n\n## Quickstart\n\n### 1. Install and start\n\nThe easiest way to do this is with `docker compose`:\n\n```\ngit clone https://github.com/CERT-Polska/mquery.git\ncd mquery\nvim .env  # optional - change samples and index directory locations\ndocker compose up --scale daemon=3  # building the images will take a while\n```\n\nThe web interface should be available at `http://localhost`.\n\n![](./docs/recent-jobs.png)\n\n*(For more installation options see the [installation manual](./INSTALL.md) ).*\n\n### 2. Add the files\n\nPut some files in the `SAMPLES_DIR` (by default `./samples` in the repository,\nconfigurable with variable in the `.env` file).\n\n### 3. Index your collection\n\nLaunch ursacli in docker:\n\n```shell\ndocker compose exec ursadb ursacli\n[2023-06-14 17:20:24.940] [info] Connecting to tcp://localhost:9281\n[2023-06-14 17:20:24.942] [info] Connected to UrsaDB v1.5.1+98421d7 (connection id: 006B8B46B6)\nursadb\u003e\n```\n\nIndex the samples with n-grams of your choosing (this may take a while!)\n\n```shell\nursadb\u003e index \"/mnt/samples\" with [gram3, text4, wide8, hash4];\n[2023-06-14 17:29:27.672] [info] Working... 1% (109 / 8218)\n[2023-06-14 17:29:28.674] [info] Working... 1% (125 / 8218)\n...\n[2023-06-14 17:37:40.265] [info] Working... 99% (8217 / 8218)\n[2023-06-14 17:37:41.266] [info] Working... 99% (8217 / 8218)\n{\n    \"result\": {\n        \"status\": \"ok\"\n    },\n    \"type\": \"ok\"\n}\n```\n\n\nThis will scan samples directory for all new files and index them. You can\nmonitor the progress in the `tasks` window on the left:\n\n![](./docs/indexing.png)\n\nYou have to repeat this process every time you want to add new files!\n\nAfter indexing is over, you will notice new datasets:\n\n![](./docs/indexed-datasets.png)\n\nThis is a good and easy way to start, but if you have a big collection you are\nstrongly encouraged to read [indexing page](./docs/indexing.md) in the manual. \n\n### 4. Test it\n\nNow your files should be searchable - insert any Yara rule into the search\nwindow and click `Query`. Just for demonstration, I've indexed the source code\nof this application and tested this Yara rule:\n\n```\nrule mquery_exceptions {\n    strings: $a = \"Exception\"\n    condition: all of them\n}\n```\n\n![](./docs/query-window.png)\n\n## Learn more\n\nSee the [documentation](./docs/README.md) to learn more. Probably a good idea\nif you plan a bigger deployment.\n\nYou can also read the hosted version here:\n[cert-polska.github.io/mquery/docs](https://cert-polska.github.io/mquery/docs).\n\n## Installation\n\nSee the\n[installation instruction](./INSTALL.md).\n\n## Contributing\n\nIf you want to contribute, see our dedicated\n[documentation for contributors](./CONTRIBUTING.md).\n\n## Changelog\n\nLearn how the project has changed by reading our\n[release log](./RELEASES.md).\n\n## Contact\n\nIf you have any problems, bugs or feature requests related to mquery, you're\nencouraged to create a GitHub issue.\n\nYou can chat about this project on Discord:\n\n[![](https://dcbadge.vercel.app/api/server/3FcP6GQNzd)](https://discord.gg/3FcP6GQNzd)\n\nIf you have questions unsuitable for Github or discord, you can email CERT.PL\n(info@cert.pl) directly.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCERT-Polska%2Fmquery","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCERT-Polska%2Fmquery","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCERT-Polska%2Fmquery/lists"}