{"id":25526502,"url":"https://github.com/capacitorset/elasticsearch-yara","last_synced_at":"2025-07-02T17:10:48.364Z","repository":{"id":53338482,"uuid":"133128740","full_name":"CapacitorSet/elasticsearch-yara","owner":"CapacitorSet","description":"Yara matching in ElasticSearch.","archived":false,"fork":false,"pushed_at":"2018-06-12T14:29:23.000Z","size":8,"stargazers_count":10,"open_issues_count":3,"forks_count":3,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-05-26T23:42:41.250Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CapacitorSet.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-05-12T08:39:46.000Z","updated_at":"2022-08-04T18:40:18.000Z","dependencies_parsed_at":"2022-09-08T23:50:55.533Z","dependency_job_id":null,"html_url":"https://github.com/CapacitorSet/elasticsearch-yara","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/CapacitorSet/elasticsearch-yara","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CapacitorSet%2Felasticsearch-yara","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CapacitorSet%2Felasticsearch-yara/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CapacitorSet%2Felasticsearch-yara/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CapacitorSet%2Felasticsearch-yara/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CapacitorSet","download_url":"https://codeload.github.com/Ca
pacitorSet/elasticsearch-yara/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CapacitorSet%2Felasticsearch-yara/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263182282,"owners_count":23426637,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-02-19T21:18:41.177Z","updated_at":"2025-07-02T17:10:48.322Z","avatar_url":"https://github.com/CapacitorSet.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"yara-search\n===========\n\nThis plugin allows Elasticsearch to filter events that match one or more [Yara](https://github.com/VirusTotal/yara) rules.\n\n## Usage\n\n* A working installation of Yara is a prerequisite. Install it either through your package manager of choice or by compiling it yourself from git.\n\n* Download the latest zip from the [releases](https://github.com/CapacitorSet/elasticsearch-yara/releases) tab. A release is available for the latest Elasticsearch version; **if you have a different version of Elasticsearch you must compile the plugin yourself**, as [required](https://www.elastic.co/guide/en/elasticsearch/plugins/master/plugin-authors.html) by ES. 
See the \"Compiling\" section for more information.\n\n* Install the plugin: `elasticsearch-plugin install file:///path-to-the-plugin/yara-search.zip`\n\nYou can now run queries like this:\n\n```sh\ncurl -X GET \"localhost:9200/_search?format=yaml\" -H 'Content-Type: application/json' -d '{\n  \"query\": {\n    \"function_score\": {\n      \"min_score\": 1,\n      \"query\": {\n        \"match_all\": {}\n      },\n      \"functions\": [\n        {\n          \"script_score\": {\n            \"script\": {\n              \"source\": \"rule HelloWorld { condition: protocol == \\\"tcp\\\" and port == 9091 }\",\n              \"lang\": \"yara\",\n              \"params\": {\n                \"protocol\": \"\",\n                \"port\": \"\"\n              }\n            }\n          }\n        }\n      ]\n    }\n  }\n}'\n```\n\nThe `source` field holds the Yara rule text and `params` supplies a default value for every external variable the rule references (here `protocol` and `port`). The defaults are not optional: Yara refuses to compile a rule that uses an identifier which has not been defined.\n\nThe score returned is the number of rules matched. In this case the function returns `0.0` for documents that do not match the rule and `1.0` for documents that do, so `\"min_score\": 1` keeps the non-matching documents out of the output. Because the score counts matched rules, putting several rules in `source` gives you boolean combinations directly: `\"min_score\": 1` returns documents that match at least one of them, and setting `min_score` to the number of rules returns only documents that match all of them.\n\nNote that the rule text is taken from the request body, so any client that can send a `_search` request can run Yara rules of its choosing against the index. Do not expose the endpoint to untrusted clients.\n\n## Compiling\n\nCompiling is required if your version of Elasticsearch is different from the one this plugin is released for. 
This is a requirement of Elasticsearch to account for API changes.\n\nTo compile yara-search, install Maven and build the plugin:\n\n    mvn install\n\nThis compiles and packages the plugin as `target/releases/yara-search-0.0.1.zip`; copy it somewhere and proceed to installation.\n\n## Thanks\n\nThis project was developed in the context of the [Google Summer of Code](https://summerofcode.withgoogle.com/) 2018 as part of a contribution to [Honeynet](https://honeynet.org/).\n\nThanks to [David Pilato](http://david.pilato.fr/blog/2016/10/16/creating-a-plugin-for-elasticsearch-5-dot-0-using-maven-updated-for-ga/) for the plugin template.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcapacitorset%2Felasticsearch-yara","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcapacitorset%2Felasticsearch-yara","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcapacitorset%2Felasticsearch-yara/lists"}
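The README above shows one hand-written curl request and explains that the score is the number of rules matched and that every external variable needs a default in `params`. The following is an added example, not code from the elasticsearch-yara project: a small Python client that builds the same request body for one or more rules, lints the rule text for external variables that lack a default (the error case the README warns about), turns `min_score` into an any-rule/all-rules switch, and reads the matched-rule count back out of a response. It assumes only the request shape shown in the README; the rule set, the parameter defaults and the sample response are constructed for the example, and the identifier lint is a regex heuristic rather than a Yara parser.

```python
"""Build yara-search queries and read back their scores.

Added example, not code from the elasticsearch-yara project. It assumes the
request shape shown in the README (a function_score query with one script_score
function whose script has lang "yara") and that a document's score is the number
of rules it matched. Only the standard library is used; all but send_query()
runs offline.
"""
import json
import re
import urllib.request

# Constructed rule set: the README's HelloWorld rule plus a broader one.
RULES = [
    'rule HelloWorld { condition: protocol == "tcp" and port == 9091 }',
    'rule AnyTcp { condition: protocol == "tcp" }',
]
# A default for every external variable the rules reference.
PARAMS = {"protocol": "", "port": ""}

# Identifiers that are Yara syntax rather than external variables.
YARA_KEYWORDS = {
    "all", "and", "any", "at", "condition", "contains", "defined", "endswith",
    "entrypoint", "false", "filesize", "for", "global", "icontains",
    "iendswith", "iequals", "import", "in", "include", "int16", "int16be",
    "int32", "int32be", "int8", "int8be", "istartswith", "matches", "meta",
    "none", "not", "of", "or", "private", "rule", "startswith", "strings",
    "them", "true", "uint16", "uint16be", "uint32", "uint32be", "uint8",
    "uint8be",
}
# String and regex literals and comments, matched left to right so that a "//"
# inside a string or a quote inside a comment is handled correctly.
LITERALS = re.compile(
    r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|/(?:\\.|[^/\\\n])+/', re.S)


def referenced_variables(rule_text):
    """Heuristically list the external variables a rule set references.

    Literals, comments, $/#/@/! string references, module members, loop
    variables and rule names are ignored; the identifiers left in the
    condition sections need a default in `params`, or Yara rejects the rule
    for using an undefined identifier.
    """
    imports = set(re.findall(r'^\s*import\s+"(\w+)"', rule_text, re.M))
    text = LITERALS.sub(" ", rule_text)
    rule_names = set(re.findall(r"\brule\s+([A-Za-z_]\w*)", text))
    found = set()
    for cond in re.findall(r"condition\s*:([^}]*)\}", text):
        cond = re.sub(r"[$#@!][A-Za-z0-9_]*\*?", " ", cond)  # $a, #a, @a, !a, $*
        cond = re.sub(r"\.[A-Za-z_]\w*", " ", cond)          # pe.is_pe -> pe
        loop_vars = set(re.findall(r"\bfor\s+\S+\s+([A-Za-z_]\w*)\s+in\b", cond))
        skip = YARA_KEYWORDS | rule_names | imports | loop_vars
        found |= {n for n in re.findall(r"\b[A-Za-z_]\w*\b", cond) if n not in skip}
    return found


def missing_defaults(rules, params):
    """External variables used by `rules` that have no default in `params`."""
    return referenced_variables("\n".join(rules)) - set(params)


def build_query(rules, params, require_all=False, base_query=None):
    """Return the _search body for one or more Yara rules.

    The score counts matched rules, so min_score=1 keeps documents matching
    at least one rule and min_score=len(rules) only those matching all.
    """
    missing = missing_defaults(rules, params)
    if missing:
        raise ValueError("no default for external variable(s): "
                         + ", ".join(sorted(missing)))
    script = {"source": "\n".join(rules), "lang": "yara", "params": dict(params)}
    return {"query": {"function_score": {
        "min_score": len(rules) if require_all else 1,
        "query": base_query or {"match_all": {}},
        "functions": [{"script_score": {"script": script}}],
    }}}


def matched_hits(response):
    """Pair each hit's id with the number of rules it matched (its score)."""
    return [(h["_id"], int(round(h["_score"]))) for h in response["hits"]["hits"]]


def send_query(body, url="http://localhost:9200/_search"):
    """POST the body to Elasticsearch; needs a node with yara-search installed."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed response in the shape Elasticsearch returns (not real output):
# doc 1 matched both rules, doc 2 only AnyTcp; a udp doc scored 0.0 and was
# dropped by min_score.
SAMPLE_RESPONSE = {"hits": {"total": {"value": 2, "relation": "eq"}, "hits": [
    {"_id": "1", "_score": 2.0, "_source": {"protocol": "tcp", "port": 9091}},
    {"_id": "2", "_score": 1.0, "_source": {"protocol": "tcp", "port": 8080}},
]}}

if __name__ == "__main__":
    print(json.dumps(build_query(RULES, PARAMS), indent=2))
    print(matched_hits(SAMPLE_RESPONSE))  # [('1', 2), ('2', 1)]
```

`json.dumps` produces the `\"tcp\"` escaping that the README's curl example writes by hand, so rule text with quotes or regexes can be passed through unchanged. The lint in `referenced_variables` is deliberately conservative: it strips literals and comments in one left-to-right pass, drops `$`-style string references and module members, and treats the identifier after `for any`/`for all` as a loop variable; a bare division operator in a condition can still be mistaken for a regex literal, so treat its output as a pre-flight check, not as a substitute for Yara's own compile error.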