{"id":13509433,"url":"https://github.com/spyre-project/spyre","last_synced_at":"2025-04-04T07:03:58.838Z","repository":{"id":45129044,"uuid":"135199430","full_name":"spyre-project/spyre","owner":"spyre-project","description":"simple YARA-based IOC scanner","archived":false,"fork":false,"pushed_at":"2025-02-11T16:35:46.000Z","size":358,"stargazers_count":169,"open_issues_count":19,"forks_count":28,"subscribers_count":11,"default_branch":"master","last_synced_at":"2025-03-28T06:02:56.844Z","etag":null,"topics":["go","golang","hacktoberfest","incident-response","ioc","linux","macos","macosx","scanner","security","windows","yara","yara-scanner"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/spyre-project.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS.txt","dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"hillu"}},"created_at":"2018-05-28T19:07:13.000Z","updated_at":"2025-03-12T19:35:12.000Z","dependencies_parsed_at":"2024-03-05T10:29:43.891Z","dependency_job_id":"ad0df393-9957-41e6-81e1-4a24b73159f9","html_url":"https://github.com/spyre-project/spyre","commit_stats":{"total_commits":216,"total_committers":6,"mean_commits":36.0,"dds":0.3055555555555556,"last_synced_commit":"a6e4a8fe342eb43f956b447330135a7f9e79f924"},"previous_names":["dcso/spyre"],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spyre-project%2Fspyre","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spyre-project%2Fspyre/ta
gs","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spyre-project%2Fspyre/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spyre-project%2Fspyre/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/spyre-project","download_url":"https://codeload.github.com/spyre-project/spyre/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247135108,"owners_count":20889419,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","golang","hacktoberfest","incident-response","ioc","linux","macos","macosx","scanner","security","windows","yara","yara-scanner"],"created_at":"2024-08-01T02:01:07.663Z","updated_at":"2025-04-04T07:03:58.815Z","avatar_url":"https://github.com/spyre-project.png","language":"Go","readme":"# Spyre\n\n![Build Status](https://github.com/spyre-project/spyre/actions/workflows/go.yml/badge.svg)\n\n**...a simple, self-contained modular host-based IOC scanner**\n\n_Spyre_ is a simple host-based IOC scanner built around the\n[YARA](https://github.com/VirusTotal/yara) pattern matching engine and\nother scan modules. The main goal of this project is easy\noperationalization of YARA rules and other indicators of compromise.\n\nUsers need to bring their own rule sets. The\n[awesome-yara](https://github.com/InQuest/awesome-yara) repository gives\na good overview of free yara rule sets out there.\n\n_Spyre_ is intended to be used as an investigation tool by incident\nresponders. 
It is **not** meant to evolve into any kind of endpoint\nprotection service.\n\n## Getting Started\n\nUsing _Spyre_ is easy:\n\n1. Add YARA signatures. In its default configuration, Spyre will read\n   YARA rules for file and process scanning from `filescan.yar` and\n   `procscan.yar`, respectively. The following options exist for\n   providing rule files to _Spyre_ (and will be tried in this order):\n    1. Add the rule files to a ZIP file and append that ZIP file to\n\t   the binary.\n    2. Add the rule files to a ZIP file whose base name is identical\n       to the scanner binary's base name, i.e. if the Spyre binary is\n       called `spyre` or `spyre.exe`, use `spyre.zip`.\n    3. Put the rule files and the scanner binary into the same\n       directory.\n\n   ZIP file contents may be encrypted using the password `infected`\n   (AV industry standard) to prevent antivirus software from scanning\n   the ruleset, classifying it as malicious content and preventing the\n   scan.\n\n   YARA rule files may contain `include` statements.\n2. Deploy, run the scanner\n3. Collect report and evidence\n\n## Configuration\n\nRun-time configuration is done via an optional file `spyre.yaml`.\n\nIf a ZIP file has been appended to the _Spyre_ binary, configuration\nand other files such as YARA rules are only read from this ZIP file.\nOtherwise, they are read from the directory into which the binary has\nbeen placed.\n\nSee the [example-config/](example-config/) subdirectory for\nan example.\n\n### Global configuration\n\n- `hostname` / command line switch `--set-hostname`: Explicitly set\n  the hostname that will be used in the log file and in the report.\n  This is usually not needed.\n- `max-file-size` / command line switch `--max-file-size`: Maximum\n  size for files to be scanned using expensive file scanning modules\n  such as YARA. 
Default: 32MB\n- `proc-ignore-names` / command line switch `--proc-ignore`: Names of\n  processes that will not be scanned using process memory scanning\n  modules.\n- `paths` / command line switch `--path`: Paths to be scanned using\n  file scanning modules. Default: `/` (Unix) or all fixed drives\n  (Windows).\n- `report` / command line switch `--report`: Set one or more report\n  targets. Default: `spyre_${hostname}_${time}.log` in the current\n  working directory, using the plain format. A different output format\n  can be specified by appending `,format=FORMAT`.\n\n  The following formats are currently supported:\n  - `plain`, the default, a simple human-readable text format\n  - `tsjson`, a JSON document that can be imported into\n    [Timesketch](https://github.com/google/timesketch)\n\n  The `hostname` and `time` variables are only expanded in the target\n  filename.\n\n  **Note:** Configuration of report targets is likely to change in one\n  of the next releases.\n- `high-priority` / command line switch `--high-priority`: In its\n  default configuration (with this setting disabled), _Spyre_\n  instructs the OS scheduler to lower the priorities of CPU time and\n  I/O operations, in order to avoid disruption of normal system\n  operation.\n- command line switch `--loglevel=LEVEL`: Set the log level. 
Valid:\n  trace, debug, info, notice, warn, error, quiet.\n\n### Module-specific configuration\n\nThere are currently three areas for which scanning modules can be\nimplemented: System-level checks, file scans, and process scans.\n\nListed below are the currently implemented modules and supported\nconfiguration parameters.\n\n- `system`\n  - `eventobj` (Windows)\n\t- `iocs`\n  - `registry` (Windows)\n\t- `iocs`\n  - `winkernelobj` (Windows)\n    - `iocs`\n  - `findwindow` (Windows)\n    - `iocs`\n- `file`\n  - `yara`\n\t- `rule-files`\n\t- `fail-on-warnings`\n- `proc`\n  - `yara`\n\t- `rule-files`\n\t- `fail-on-warnings`\n\nPlease refer to the example configuration file `example-spyre.yaml`\nfor hints on how to describe indicators of compromise for each module.\n\n## Notes about YARA rules\n\nYARA is configured with default settings, plus the following explicit\nswitches (cf. `3rdparty.mk`):\n\n- `--disable-magic`\n- `--disable-cuckoo`\n- `--enable-dotnet`\n- `--enable-macho`\n- `--enable-dex`\n\nFor file scans, the following variables are defined:\n- `filename`,\n- `filepath`,\n- `extension`,\n- `filetype` (not currently populated while scanning)\n\nFor process scans, the variables `pid` and `executable` are defined.\n\nThe `spyre_collect_limit` metavariable can be used to limit the number\nof writes collected from matching files or to inhibit collecting files\naltogether. This can be useful to limit the size of evidence packages\nand to avoid collecting sensitive information.\n\n## Building\n\nSpyre can be built for 32bit and 64bit Linux and Windows targets.\n\n### Debian Buster (10.x) and later\n\nOn a Debian/buster system (or a chroot) in which the following packages\nhave been installed:\n\n- make\n- gcc\n- gcc-multilib\n- gcc-mingw-w64\n- autoconf\n- automake\n- libtool\n- pkg-config\n- wget\n- patch\n- sed\n- golang-_$VERSION_-go, e.g. golang-1.8-go. 
The Makefile will\n  automatically select the newest version unless `GOROOT` has been\n  set.\n- git-core\n- ca-certificates\n- zip\n\nThis describes the build environment that is exercised regularly via\nCI.\n\n### Fedora 30 and later\n\nThe same build has also been successfully tried on Fedora 30 with the\nfollowing packages installed:\n\n- make\n- gcc\n- mingw{32,64}-gcc\n- mingw{32,64}-winpthreads-static\n- autoconf\n- automake\n- libtool\n- pkgconf-pkg-config\n- wget\n- patch\n- sed\n- golang\n- git-core\n- ca-certificates\n- zip\n\nOnce everything has been installed, just type `make`. This should\ndownload archives for _musl-libc_, _openssl_, _yara_, build those and\nthen build _spyre_.\n\nThe bare _spyre_ binaries are created in `_build/\u003ctriplet\u003e/`.\n\nRunning `make release` creates a ZIP file that contains those binaries\nfor all supported architectures.\n\n### Generating binaries compatible with ancient Windows XP, Windows Server 2003\n\nCompatibility with these systems was removed with Go 1.11, so a Go\n1.10 toolchain is required. Since Go 1.10 does not support Go modules,\nthird-party Go dependencies have to be vendored: Use a newer Go\nversion to do this (run `go mod vendor`) and set `GOROOT` to point to\nthe Go 1.10 toolchain before running `make`.\n\n### MacOSX\n\nCurrently, cross-compiling is not supported.\n\n- GCC from Xcode\n- Build-dependencies from [Homebrew](https://brew.sh/):\n  - gnu-make\n  - autoconf\n  - automake\n  - libtool\n  - pkg-config\n  - wget\n  - gpatch\n  - gnu-sed\n  - gnu-tar\n  - go\n  - git\n  - ca-certificates\n  - zip\n\nThe system-supplied `make` is too old because Apple decided to be\nallergic to GPLv3. 
`gmake` from Homebrew works fine.\n\n## Coding\n\nSee [HACKING.md](HACKING.md)\n\n## Copyright\n\nCopyright 2018-2020 DCSO Deutsche Cyber-Sicherheitsorganisation GmbH\n\nCopyright 2020-2021 Spyre Project Authors (see: AUTHORS.txt)\n\n## License\n\nThis program is free software: you can redistribute it and/or modify\nit under the terms of the GNU Lesser General Public License as\npublished by the Free Software Foundation, either version 3 of the\nLicense, or (at your option) any later version.\n\nSee the LICENSE file for the full license text.\n","funding_links":["https://github.com/sponsors/hillu"],"categories":["IR Tools Collection","Go","Tools","windows","🔧 Packages"],"sub_categories":["Scanner Tools","⚡ Analyzing"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspyre-project%2Fspyre","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspyre-project%2Fspyre","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspyre-project%2Fspyre/lists"}
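The README embedded in the `readme` field above ("Notes about YARA rules") lists the external variables Spyre defines for file scans (`filename`, `filepath`, `extension`) and process scans (`pid`, `executable`), plus the `spyre_collect_limit` metavariable that limits or inhibits evidence collection. The rule file below is an added example and is not code from the spyre project; it assumes the external variables are plain strings (so YARA's `contains` and `matches` operators apply to them), that `extension` may or may not carry a leading dot, and that `spyre_collect_limit = 0` means "do not collect the matching file" (the README does not state which value has which effect).

```yara
// Added example, not part of the spyre project. Rules marked "filescan.yar"
// belong in that file, the one marked "procscan.yar" in the other; the
// variables used in the conditions are the ones Spyre defines per the README.

// ---- filescan.yar ----
rule Encoded_PowerShell_Launcher_In_Temp
{
    meta:
        description = "Script in a temp directory that launches PowerShell with an encoded command"
        // assumption: 0 inhibits collection of the matching file into the
        // evidence package (README only says the limit can inhibit collection)
        spyre_collect_limit = 0
    strings:
        $ps  = "powershell" ascii wide nocase
        $enc = "-EncodedCommand" ascii wide nocase
    condition:
        // 'extension' and 'filepath' are file-scan external variables; matching
        // on the suffix avoids assuming whether 'extension' includes the dot.
        extension matches /(ps1|bat|cmd)$/i and
        filepath contains "Temp" and
        $ps and $enc
}

// ---- procscan.yar ----
rule Credential_Dumper_Commands_In_Process_Memory
{
    meta:
        description = "Well-known credential-dumping module commands found in live process memory"
        spyre_collect_limit = 0
    strings:
        $s1 = "sekurlsa::logonpasswords" ascii wide
        $s2 = "privilege::debug" ascii wide
    condition:
        // 'executable' is a process-scan external variable (assumed to hold the
        // image path). The scanner's own process holds these rule strings in
        // memory, so exclude it explicitly in case it is not skipped by default.
        all of them and not executable matches /spyre(\.exe)?$/i
}
```

With the lookup order from "Getting Started", these two files can be dropped next to the binary, packed into `spyre.zip` (optionally encrypted with the password `infected`), or appended to the binary; `--loglevel=debug` is useful the first time to confirm which rule source the scanner picked up.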