{"id":18830785,"url":"https://github.com/nextronsystems/valhallaapi","last_synced_at":"2025-04-14T03:43:43.254Z","repository":{"id":65008645,"uuid":"174380896","full_name":"NextronSystems/valhallaAPI","owner":"NextronSystems","description":"Valhalla API Client","archived":false,"fork":false,"pushed_at":"2023-01-18T07:49:57.000Z","size":172,"stargazers_count":68,"open_issues_count":5,"forks_count":14,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-03-27T17:47:05.587Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NextronSystems.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-03-07T16:25:53.000Z","updated_at":"2025-02-22T16:59:01.000Z","dependencies_parsed_at":"2023-02-10T13:40:24.000Z","dependency_job_id":null,"html_url":"https://github.com/NextronSystems/valhallaAPI","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NextronSystems%2FvalhallaAPI","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NextronSystems%2FvalhallaAPI/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NextronSystems%2FvalhallaAPI/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NextronSystems%2FvalhallaAPI/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NextronSystems","download_url":"https://codeload.github.com/NextronSystems/valhallaAPI/tar.gz/refs/heads/master","host":{"name":"GitHub","url":
"https://github.com","kind":"github","repositories_count":248819118,"owners_count":21166470,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T01:50:46.166Z","updated_at":"2025-04-14T03:43:43.229Z","avatar_url":"https://github.com/NextronSystems.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# valhallaAPI\n\nThis module allows you to interact with the Valhalla API, retrieve YARA and Sigma rules in different formats, filter them and write them to disk. You can find more information about Valhalla on [our website](https://www.nextron-systems.com/yara-rule-feed/). The web interface, which doesn't have the filtering features of the Python module and the client, can be accessed [here](https://valhalla.nextron-systems.com/). \n\nIt contains a Python module `valhallaAPI` and a Python command line API client `valhalla-cli`. \n\n# Python Module\n\nThe web API allows you to retrieve the subscribed rules. \n\nThe 4 main functions of the Python module are:\n\n- `get_rules_text()` retrieves YARA rules as text\n- `get_rules_json()` retrieves YARA rules as JSON\n- `get_sigma_rules_zip()` retrieves Sigma rules as ZIP\n- `get_sigma_rules_json()` retrieves Sigma rules as JSON\n\nThe module provides functions to filter the retrieved rules based on \n- tags\n- score (YARA only)\n- keywords\n- supported YARA version and required YARA modules\n\nIt also allows you to retrieve a filtered rule set that fits the product that you use to apply the rules. 
For example, you can get a filtered rule set with rules that will run on your `FireEyeEX` appliance by filtering all rules that use features only available in YARA versions higher than the supported `1.7.0`. \n\nThere are 2 extra functions for special lookups in the Valhalla database (for customers only):\n\n- `get_rule_info` retrieves rule information and all matching sample hashes\n- `get_hash_info` retrieves all rules matching on a certain sha256 hash\n- `get_sigma_rule_info` retrieves sigma rule information\n\n## Demo Access\n\nThere is a demo API key that can be used for testing purposes. \n\n```\n1111111111111111111111111111111111111111111111111111111111111111\n```\n\nIt will allow you to retrieve the processed public [signature-base](https://github.com/Neo23x0/signature-base) YARA and [SigmaHQ](https://github.com/SigmaHQ/sigma) Sigma rule sets.\n\nThe key will also allow you to query the rule info for a single rule, which is:\n```\nCasing_Anomaly_ByPass\n```\n\nPlease note that Valhalla has protection mechanisms in place that will block your end of the Bifrost for a significant amount of time if you try foolish things.  
\n\n## Getting Started\n\n```bash\npip install valhallaAPI\n```\n\nNotes: \n- make sure to use Python 3.6 or higher\n- you may need to use `pip3 install valhallaAPI` on Debian systems\n\n## Usage\n\nGet a service status (does not require a valid API key)\n```python\nfrom valhallaAPI.valhalla import ValhallaAPI\n\nv = ValhallaAPI()\nstatus = v.get_status()\n```\n\nResponse \n```json\n{\n  \"error\": \"none\", \n  \"num_rules\": 10463, \n  \"status\": \"green\", \n  \"version\": 2020051212\n}\n```\n\n### Text Rules\n\nGet all subscribed rules as text and save them to a file\n```python\nfrom valhallaAPI.valhalla import ValhallaAPI\n\nv = ValhallaAPI(api_key=\"Your API Key\")\nresponse = v.get_rules_text()\n\nwith open('valhalla-rules.yar', 'w') as fh:\n    fh.write(response)\n```\n\nOr use the DEMO API key, which allows you to retrieve all public rules\n```python\nfrom valhallaAPI.valhalla import ValhallaAPI\n\nv = ValhallaAPI(api_key=\"1111111111111111111111111111111111111111111111111111111111111111\")\nresponse = v.get_rules_text()\n\nwith open('valhalla-rules.yar', 'w') as fh:\n    fh.write(response)\n```\n\nGet all subscribed rules with a minimum score of 75 and save them to a file\n```python\nresponse = v.get_rules_text(score=75)\n```\n\nGet all subscribed rules that contain the keyword `Mimikatz` and save them to a file\n```python\nresponse = v.get_rules_text(search=\"Mimikatz\")\n```\n\nGet all subscribed rules for your scan engine, which supports YARA up to version `3.2.0` and the `pe` module, and save them to a file\n```python\nresponse = v.get_rules_text(max_version=\"3.2.0\", modules=['pe'])\n```\n\nGet all subscribed rules for your `FireEyeEX`\n```python\n\nfrom valhallaAPI.valhalla import ValhallaAPI\n\nv = ValhallaAPI(api_key=\"Your API Key\")\nresponse = v.get_rules_text(product=\"FireEyeEX\")\n```\n\nThe following products have predefined presets\n```python\n    FIREEYEAX = \"FireEyeAX\"\n    FIREEYENX = \"FireEyeNX\"\n    FIREEYEEX = \"FireEyeEX\"\n    
CARBONBLACK = \"CarbonBlack\"\n```\n\nAn example response will look like\n```yara\n/*\n    VALHALLA YARA RULE SET\n    Retrieved: 2019-02-25 14:54\n    Generated for User: a67\n    Number of Rules: 8127\n    ANY REPRODUCTION OR DISTRIBUTION IS STRICTLY PROHIBITED WITHOUT THE PRIOR WRITTEN CONSENT OF NEXTRON SYSTEMS AND MAY RESULT IN LEGAL ACTION AS WELL AS THE TERMINATION OF THE CONTRACTUAL RELATIONSHIP\n*/\n\nimport \"pe\"\n\nrule SUSP_Katz_PDB_RID664 : EXE SUSP DEMO FILE {\n   meta:\n      description = \"Detects suspicious PDB in file\"\n      author = \"Florian Roth\"\n      reference = \"Internal Research\"\n      date = \"2019-02-04 10:32:31\"\n      score = 70\n      customer = \"demo\"\n      copyright = \"Distribution to third parties is not permitted and will be pursued with legal measurements\" \n      minimum_yara = \"1.7\"\n      \n   strings:\n      $s1 = /\\\\Release\\\\[a-z]{0,8}katz.pdb/ \n      $s2 = /\\\\Debug\\\\[a-z]{0,8}katz.pdb/ \n   condition: \n      uint16 ( 0 ) == 0x5a4d and filesize \u003c 6000KB and all of them\n} \n...\n```\n\n### JSON Output\n\nGet all subscribed rules with the `APT` tag as `JSON` and save them to a file\n```python\nimport json\nfrom valhallaAPI.valhalla import ValhallaAPI\n\nv = ValhallaAPI(api_key=\"Your API Key\")\nresponse = v.get_rules_json(tags=['APT'])\n\nwith open('valhalla-rules.json', 'w') as fh:\n    fh.write(json.dumps(response)) \n```\n\nAn example response will look like\n```json\n{\n  \"api_version\": \"1.0\", \n  \"copyright\": \"Nextron Systems GmbH\", \n  \"customer\": \"demo\", \n  \"date\": \"2019-03-07 10:55\", \n  \"legal_note\": \"Any reproduction or distribution is strictly prohibited without the prior written consent of Nextron Systems and may result in legal action as well as the termination of the contractual relationship\", \n  \"rules\": [\n    {\n      \"author\": \"Florian Roth\", \n      \"content\": \"rule EXP_Libre_Office_CVE_2018_16858_RIDBA9 : EXPLOIT OFFICE DEMO FILE APT {\\n   
meta:\\n      description = \\\"Detects exploits addressing CVE-2018-16858 in LibreOffice - modified version\\\"\\n      author = \\\"Florian Roth\\\"\\n      reference = \\\"https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html\\\"\\n      date = \\\"2019-02-05 14:17:21\\\"\\n      score = 70\\n      customer = \\\"demo\\\"\\n      copyright = \\\"Distribution to third parties is not permitted and will be pursued with legal measurements\\\" \\n      minimum_yara = \\\"1.7\\\"\\n      \\n   strings:\\n      $x1 = \\\"\u0026#x74;\u0026#x65;\u0026#x6d;\u0026#x70;\u0026#x66;\u0026#x69;\u0026#x6c;\u0026#x65;\u0026#x70;\u0026#x61;\u0026#x67;\u0026#x65;\u0026#x72\\\" \\n      $x2 = \\\"\u0026#116;\u0026#101;\u0026#109;\u0026#112;\u0026#102;\u0026#105;\u0026#108;\u0026#101;\u0026#112;\u0026#97;\u0026#103;\u0026#101;\u0026#114;\\\" \\n      $s1 = \\\"xlink:href=\\\\\\\"vnd.sun.star.script:\\\" ascii nocase\\n      $s2 = \\\".py$tempfilepager\\\" ascii nocase\\n      $s3 = \\\"language=Python\\\" ascii nocase\\n   condition: \\n      uint32be ( 0 ) == 0x3c3f786d and all of them or 1 of ( $x* )\\n}\", \n      \"date\": \"2019-02-05 12:54:31\", \n      \"description\": \"Detects exploits addressing CVE-2018-16858 in LibreOffice - modified version\", \n      \"minimum_yara\": \"1.7\", \n      \"name\": \"EXP_Libre_Office_CVE_2018_16858_RID9B8\", \n      \"reference\": \"https://insert-script.blogspot.com/2019/02/libreoffice-cve-2018-16858-remote-code.html\", \n      \"required_modules\": [], \n      \"score\": 70, \n      \"tags\": [\n        \"EXPLOIT\", \n        \"OFFICE\", \n        \"DEMO\", \n        \"FILE\",\n        \"APT\"\n      ]\n    }, \n  ...\n```\n\n### Rule Info\n\nGet the information for rule `Casing_Anomaly_ByPass`\n```python\nfrom valhallaAPI.valhalla import ValhallaAPI\n\nv = ValhallaAPI(api_key=\"Your API Key\")\nresponse = v.get_rule_info(rulename=\"Casing_Anomaly_ByPass\")\n```\n\nNote that the rule info for 
`Casing_Anomaly_ByPass` is the only info that you can retrieve with the DEMO API key. \nIMPORTANT: The rule info endpoint is rate limited. You can use it for single lookups. Bulk requests lead to bans.\n\nAn example output of a rule info request will look like\n```json\n{\n  \"author\": \"Florian Roth\", \n  \"av_ratio\": 16.52, \n  \"av_verdicts\": {\n    \"clean\": 1, \n    \"malicious\": 21, \n    \"suspicious\": 27\n  }, \n  \"date\": \"2019-01-17 11:50:21\", \n  \"description\": \"Detects suspicious casing of bypass statement\", \n  \"minimum_yara\": \"1.7\", \n  \"name\": \"Casing_Anomaly_ByPass_RID837\", \n  \"reference\": \"Internal Research\", \n  \"required_modules\": [], \n  \"rule_matches\": [\n    {\n      \"hash\": \"bdde03b5b4f94ec7dbf947f3099f2009efac43b69659f788f513d3e615b98353\", \n      \"positives\": 24, \n      \"size\": 319485, \n      \"timestamp\": \"Thu, 07 Mar 2019 06:29:06 GMT\", \n      \"total\": 56\n    }, \n    {\n      \"hash\": \"646d446fb11eae76ca8b6e54306bb022431a4f20cc8cef5daa40dd6ec3537aff\", \n      \"positives\": 3, \n      \"size\": 573, \n      \"timestamp\": \"Thu, 07 Mar 2019 00:15:07 GMT\", \n      \"total\": 57\n    }\n  ], \n  \"score\": 60, \n  \"tags\": [\n    \"SUSP\", \n    \"CASING\"\n  ] \n}\n```\n\n### Hash Info\n\nGet the information for hash `8a883a74702f83a273e6c292c672f1144fd1cce8ee126cd90c95131e870744af` (only SHA256 hashes are supported)\n\n```python\nfrom valhallaAPI.valhalla import ValhallaAPI\n\nv = ValhallaAPI(api_key=\"Your API Key\")\nresponse = v.get_hash_info(hash=\"8a883a74702f83a273e6c292c672f1144fd1cce8ee126cd90c95131e870744af\")\n```\n\nAn example output of a hash info request will look like\n```json\n{\n    \"api_version\": \"1.0.1\",\n    \"results\": [\n        {\n            \"positives\": 4,\n            \"rulename\": \"Casing_Anomaly_ByPass\",\n            \"tags\": [\n                \"T1027\",\n                \"SUSP\",\n                \"CASING\"\n            ],\n            
\"timestamp\": \"Tue, 11 Jun 2019 23:57:10 GMT\",\n            \"total\": 58\n        },\n        {\n            \"positives\": 4,\n            \"rulename\": \"Casing_Anomaly_Convert_PS\",\n            \"tags\": [\n                \"T1027\",\n                \"CASING\",\n                \"SCRIPT\",\n                \"T1064\"\n            ],\n            \"timestamp\": \"Tue, 11 Jun 2019 23:57:12 GMT\",\n            \"total\": 58\n        },\n        {\n            \"positives\": 4,\n            \"rulename\": \"Casing_Anomaly_PowerShell\",\n            \"tags\": [\n                \"T1027\",\n                \"CASING\",\n                \"SCRIPT\",\n                \"T1064\",\n                \"T1086\"\n            ],\n            \"timestamp\": \"Tue, 11 Jun 2019 23:57:13 GMT\",\n            \"total\": 58\n        }\n    ],\n    \"status\": \"success\"\n}\n```\n\n### Keyword Lookup\n\n(only available for customers)\n\nGet all rules based on a keyword search (e.g. `Turla`, `Bypass` or `PlugX`)\n\n```python\nfrom valhallaAPI.valhalla import ValhallaAPI\n\nv = ValhallaAPI(api_key=\"Your API Key\")\nresponse = v.get_keyword_rules(keyword=\"Turla\")\n```\n\nAn example output of a keyword request will look like\n```json\n{\n    \"api_version\": \"1.1.0\",\n    \"results\": [\n        {\n            \"date\": \"2020-12-02\",\n            \"description\": \"Detects forensic artefacts as reported in Turla Crutch report\",\n            \"name\": \"APT_RU_Turla_CrutchReport_ForensicArtefacts_Dec20_1\",\n            \"reference\": \"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/\",\n            \"required_modules\": []\n        },\n        {\n            \"date\": \"2020-12-02\",\n            \"description\": \"Detects Turla Crutch malware\",\n            \"name\": \"APT_RU_Turla_CrutchReport_Crutch_Dec20_1\",\n            \"reference\": \"https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/\",\n            
\"required_modules\": []\n        },\n        ...\n    ],\n    \"status\": \"success\"\n}\n```\n\n### Keyword Matches Lookup\n\n(only available for customers)\n\nGet all sample matches of rules selected by keyword search (e.g. `Turla`, `Bypass` or `PlugX`)\n\n```python\nfrom valhallaAPI.valhalla import ValhallaAPI\n\nv = ValhallaAPI(api_key=\"Your API Key\")\nresponse = v.get_keyword_rule_matches(keyword=\"LuckyMouse\")\n```\n\nAn example output of a keyword request will look like\n```json\n{\n    \"api_version\": \"1.1.0\",\n    \"results\": [\n        {\n            \"hash\": \"00847787ea6568cfaaa762f4ee333b44f35a34e90858c1c8899144be016510ef\",\n            \"positives\": 44,\n            \"rulename\": \"APT_MAL_CN_LuckyMouse_Loader_Dec20_2\",\n            \"size\": 81920,\n            \"timestamp\": \"Mon, 28 Dec 2020 09:45:12 GMT\",\n            \"total\": 70\n        },\n        {\n            \"hash\": \"c2dc17bdf16a609cdb5a93bf153011d67c6206f7608931b1ca1c1d316b5ad54f\",\n            \"positives\": 49,\n            \"rulename\": \"APT_MAL_CN_LuckyMouse_Loader_Dec20_2\",\n            \"size\": 81920,\n            \"timestamp\": \"Thu, 10 Dec 2020 17:04:55 GMT\",\n            \"total\": 68\n        },\n        {\n            \"hash\": \"2b1d6a8538452e3b315283c124f6ee7e27dfd55f52996d3aa89a5919f80e0ef7\",\n            \"positives\": 13,\n            \"rulename\": \"APT_LuckyMouse_Mal_1\",\n            \"size\": 81920,\n            \"timestamp\": \"Fri, 23 Oct 2020 16:22:19 GMT\",\n            \"total\": 70\n        },\n        {\n            \"hash\": \"b85aee07213836bd8784852860ff3b180d71f36fd98d49cc432162aa2234f99d\",\n            \"positives\": 12,\n            \"rulename\": \"APT_MAL_LuckyMouse_EmissaryPanda_Gen_May19_1\",\n            \"size\": 71680,\n            \"timestamp\": \"Thu, 30 Jan 2020 20:18:48 GMT\",\n            \"total\": 70\n        },\n        {\n            \"hash\": \"a8a2221814aab518db0a48d9646f598d9da1bd6c749a792a3605a562eac79980\",\n    
        \"positives\": 0,\n            \"rulename\": \"APT_MAL_LuckyMouse_EmissaryPanda_Gen_May19_1\",\n            \"size\": 45568,\n            \"timestamp\": \"Sat, 07 Dec 2019 13:45:06 GMT\",\n            \"total\": 68\n        },\n        {\n            \"hash\": \"2dde8881cd9b43633d69dfa60f23713d7375913845ac3fe9b4d8a618660c4528\",\n            \"positives\": 43,\n            \"rulename\": \"APT_MAL_LuckyMouse_EmissaryPanda_Gen_May19_1\",\n            \"size\": 71680,\n            \"timestamp\": \"Thu, 30 May 2019 02:37:05 GMT\",\n            \"total\": 70\n        }\n    ],\n    \"status\": \"success\"\n}\n```\n\n\n# API Client\n\nThe API client allows you to query the Web API from command line. It requires Python3.  \n\n## Getting Started\n\nInstall Python3 and then run the following command:\n\n```bash\npip3 install valhallaAPI\n```\nYou should then be able to run `valhalla-cli` from command line using a Linux or macOS system. \n\nOn Windows, do the following:\n```bash\nwhere valhalla-cli\n```\nCopy the full path and then run \n```bash\npython C:\\Python37\\Scripts\\valhalla-cli\n```\nor just download the precompiled `valhalla-cli.exe` from the latest release in the `release` section. 
\n\n## Usage\n\n```\nusage: valhalla-cli [-h] [-k apikey] [-c config-file] [-o output-file] [--check] [--debug] [-p proxy-url] [-pu proxy-user] [-pp proxy-pass] [-fp product] [-fv yara-version] [-fm modules [modules ...]]\n                    [-ft tags [tags ...]] [-fs score] [-fq query] [--nocrypto] [-lr lookup-rule] [-lh lookup-hash] [-lk lookup-keyword] [-lkm lookup-keyword] [-lo lookup-output]\n\nValhalla-CLI\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -k apikey             API KEY\n  -c config-file        Config file (see README for details)\n  -o output-file        output file\n  -s                    Load sigma rules\n  --check               Check subscription info and total rule count\n  --debug               Debug output\n\n=======================================================================\nProxy:\n  -p proxy-url          proxy URL (e.g. https://my.proxy.net:8080)\n  -pu proxy-user        proxy user\n  -pp proxy-pass        proxy password\n\n=======================================================================\nFilter:\n  -fp product           filter product (valid products are: FireEyeAX, FireEyeNX, FireEyeEX, CarbonBlack, Tanium, Tenable, SymantecMAA, osquery, GRR, McAfeeATD3, McAfeeATD4)\n  -fv yara-version      get rules that support the given YARA version and lower\n  -fm modules [modules ...]\n                        set a list of modules that your product supports (e.g. \"-fm pe hash\") (setting no modules means that all modules are supported by your product)\n  -ft tags [tags ...]   set a list of tags to receive (e.g. \"-ft APT MAL\")\n  -fs score             minimum score of rules to retrieve (e.g. \"-fs 75\")\n  -fq query             get only rules that match a certain keyword in name or description (e.g. 
\"-fq Mimikatz\")\n  --nocrypto            filter all rules that require YARA to be compiled with crypto support (OpenSSL)\n\n=======================================================================\nLookups:\n  -lr lookup-rule       Lookup a certain rule (returns matching samples)\n  -lh lookup-hash       Lookup a certain sample hash (sha256) (returns matching rules)\n  -lk lookup-keyword    Lookup rules with a certain keyword (returns matching rules)\n  -lkm lookup-keyword   Lookup hashes of samples on which rules have matches that contain a certain keyword (returns matching sample hashes)\n  -lo lookup-output     Output file for the lookup output\n```\n\n## Examples\n\nCheck the status of the demo user subscription\n```bash\nvalhalla-cli --check\n```\n\nCheck the status of your subscription\n```bash\nvalhalla-cli -k YOUR-API-KEY --check\n```\n\nGet all subscribed rules and save them to `valhalla-rules.yar`\n```bash\nvalhalla-cli -k YOUR-API-KEY\n```\n\nGet all sigma rules and save them to `valhalla-rules.zip`\n```bash\nvalhalla-cli -k YOUR-API-KEY -s\n```\n\nGet rules with score higher than 75 and save them to `valhalla-rules.yar`\n```bash\nvalhalla-cli -k YOUR-API-KEY -fs 75\n```\n\nGet rules that work with CarbonBlack and save them to `valhalla-april-cb.yar`\n```bash\nvalhalla-cli -k YOUR-API-KEY -fp CarbonBlack -o valhalla-april-cb.yar\n```\n\nGet rules that contain the keyword `Mimikatz` and save them to `mimikatz-rules.yar`\n```bash\nvalhalla-cli -k YOUR-API-KEY -fq Mimikatz -o mimikatz-rules.yar\n```\n\nGet a set of rules with the highest compatibility (lowest requirements) using the demo API key\n```bash\nvalhalla-cli -fv 1.7\n```\n\nGet list of rules for the keyword `Turla`\n```bash\nvalhalla-cli -k YOUR-API-KEY -lk Turla\n```\n\nGet all matches of rules that matched on the keyword `Turla` (limit 10,000 results)\n```bash\nvalhalla-cli -k YOUR-API-KEY -lkm Turla\n```\n\n# Config File\n\nValhalla-CLI will check `~/.valhalla` as the default location for a 
config file. \n\nThe config file currently contains nothing but the API key and must look like:\n\n```ini\n[DEFAULT]\nAPIKEY = 786feaef202a37a8d693c57b1aeb7c8995313e358b901015c4e60033776929c3\n```\n\n# Lookups \n\nValhalla-CLI has certain functions to perform lookups on its database. \n\nThe lookups return JSON output. You can use the `-lo file` option to save the JSON results to a file.\n\n## Hash Lookups\n\nHash lookup can be used to search the Valhalla database for a certain hash (SHA256 only). \n\n```bash\n./valhalla-cli -lh 8a883a74702f83a273e6c292c672f1144fd1cce8ee126cd90c95131e870744af\n```\n\nIt will return a JSON structure. \n\n````json\n{\n    \"api_version\": \"1.0.1\",\n    \"results\": [\n        {\n            \"positives\": 4,\n            \"rulename\": \"Casing_Anomaly_ByPass\",\n            \"tags\": [\n                \"T1027\",\n                \"SUSP\",\n                \"CASING\"\n            ],\n            \"timestamp\": \"Tue, 11 Jun 2019 23:57:10 GMT\",\n            \"total\": 58\n        },\n        {\n            \"positives\": 4,\n            \"rulename\": \"Casing_Anomaly_Convert_PS\",\n            \"tags\": [\n                \"T1027\",\n                \"CASING\",\n                \"SCRIPT\",\n                \"T1064\"\n            ],\n            \"timestamp\": \"Tue, 11 Jun 2019 23:57:12 GMT\",\n            \"total\": 58\n        },\n        {\n            \"positives\": 4,\n            \"rulename\": \"Casing_Anomaly_PowerShell\",\n            \"tags\": [\n                \"T1027\",\n                \"CASING\",\n                \"SCRIPT\",\n                \"T1064\",\n                \"T1086\"\n            ],\n            \"timestamp\": \"Tue, 11 Jun 2019 23:57:13 GMT\",\n            \"total\": 58\n        }\n    ],\n    \"status\": \"success\"\n}\n````\n\n## Rule Lookups\n\nRule lookups can be used to search the Valhalla database for a certain rule and its matches (premium feature). 
\n\n```bash\n./valhalla-cli -lr Casing_Anomaly_ByPass\n```\n\nIt will return a JSON structure. \n\n````json\n{\n    \"author\": \"Florian Roth\",\n    \"av_ratio\": 18.3,\n    \"av_verdicts\": {\n        \"clean\": 10,\n        \"malicious\": 59,\n        \"suspicious\": 52\n    },\n    \"date\": \"2019-01-17 11:50:21\",\n    \"description\": \"Detects suspicious casing of bypass statement\",\n    \"minimum_yara\": \"1.7\",\n    \"name\": \"Casing_Anomaly_ByPass_RID2F47\",\n    \"reference\": \"Internal Research\",\n    \"required_modules\": [],\n    \"rule_hash\": \"69b40d02020addf42cd12d3449933a3f\",\n    \"rule_matches\": [\n        {\n            \"hash\": \"8a883a74702f83a273e6c292c672f1144fd1cce8ee126cd90c95131e870744af\",\n            \"positives\": 4,\n            \"size\": 5645,\n            \"timestamp\": \"Tue, 11 Jun 2019 23:57:10 GMT\",\n            \"total\": 58\n        },\n        {\n            \"hash\": \"6999c997b09754fa100779af9d23a005c2a5b8944ee46175857e58e47626de65\",\n            \"positives\": 11,\n            \"size\": 1830,\n            \"timestamp\": \"Tue, 11 Jun 2019 08:46:05 GMT\",\n            \"total\": 58\n        },\n    ],\n    \"score\": 60,\n    \"tags\": [\n        \"T1027\",\n        \"SUSP\",\n        \"CASING\"\n    ]\n}\n````\n\nTo query sigma rules, add `-s`:\n\n```bash\n./valhalla-cli -s -lr 06d71506-7beb-4f22-8888-e2e5e2ca7fd8\n```\n\n# Scores\n\nThe following list explains the scores used in the rule set\n\n|Score|Type|Description|\n|-----|----|-----------|\n|1-39|Info|Low scoring rules used in our scanners (excluded from Valhalla, only used in our scanners)|\n|40-59|Noteworthy|Anomaly and threat hunting rules|\n|60-74|Suspicious|Rules for suspicious objects|\n|75-100|Alert|Hard malicious matches|\n\n# Important Notices\n\n- We constantly improve old rules. They may have changed the next time you fetch the rule set. Therefore it is recommended to always fetch a full set and replace older rules with their newer versions. 
\n- The full rule set contains YARA rules with scores lower than 60, which are meant for threat hunting and anomaly detection use cases. \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnextronsystems%2Fvalhallaapi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnextronsystems%2Fvalhallaapi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnextronsystems%2Fvalhallaapi/lists"}