{"id":19999773,"url":"https://github.com/yara-rules/yara-endpoint","last_synced_at":"2025-09-06T06:33:25.195Z","repository":{"id":93712686,"uuid":"109496710","full_name":"Yara-Rules/yara-endpoint","owner":"Yara-Rules","description":"Yara-Endpoint is a tool useful for incident response as well as anti-malware enpoint base on Yara signatures.","archived":false,"fork":false,"pushed_at":"2018-03-13T22:15:23.000Z","size":3387,"stargazers_count":104,"open_issues_count":5,"forks_count":32,"subscribers_count":21,"default_branch":"master","last_synced_at":"2024-08-03T22:16:34.470Z","etag":null,"topics":["anti-malware","endpoint","incident-response","yara"],"latest_commit_sha":null,"homepage":"https://yararules.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Yara-Rules.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-11-04T13:26:21.000Z","updated_at":"2024-05-17T01:26:18.000Z","dependencies_parsed_at":"2023-03-17T05:45:45.348Z","dependency_job_id":null,"html_url":"https://github.com/Yara-Rules/yara-endpoint","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Yara-Rules%2Fyara-endpoint","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Yara-Rules%2Fyara-endpoint/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Yara-Rules%2Fyara-endpoint/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Yara-Rules%2Fyara-endpoint/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Yara-Rules","download_url":"https://codeload.github.com/Yara-Rules/yara-endpoint/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224393837,"owners_count":17303725,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anti-malware","endpoint","incident-response","yara"],"created_at":"2024-11-13T05:12:45.731Z","updated_at":"2024-11-13T05:12:46.233Z","avatar_url":"https://github.com/Yara-Rules.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"YARA-ENDPOINT\n=============\n\n:warning: **THIS PROJECT IS UNDER DEVELOPMENT. USE IT WITHOUT ANY WARRANTY.**\n\nYara as Endpoint is not just an endpoint solution for scanning files; Yara-Endpoint can also be used as an incident handling solution. While you are in the middle of an incident you have to know its scope in order to act properly. You can do that by running your IoCs manually against all your assets, or by using Yara-Endpoint to do it automatically and centrally.\n\n## How does it work?\nYara-Endpoint follows a client-server architecture, so it is really easy to deploy. Looking deeper, Yara-Endpoint has two components, `client` and `server`. Both the `server` and the `client` are standalone binaries; no installation is needed. The `client` only needs a couple of flags that indicate where the `server` is and which port should be used. On the other hand, the `server` reads its configuration from a file; basically it exposes two ports, one for communication with the `clients` and the other for a web management interface.\n\n## Main features\nYara-Endpoint offers an easy solution as either an antivirus-like endpoint or an incident response tool. In both cases installation and deployment are really easy; we have already taken care of that, because we know that deploying this kind of thing is a pain in the ass.\n\nFor now we have implemented the following features:\n1. There is no need to register endpoints first: start using it and configure the endpoints later.\n1. Scan files, directories or PIDs.\n1. Tag endpoints according to your needs.\n1. Tag rules according to your needs.\n1. Manage everything from a web UI.\n\n## Requirements\nWe do not have a lot of requirements, but some would be:\n1. Execute the `client` as Administrator or root if you want a full scan from the client.\n1. A MongoDB database to store data on the server.\n\n## How to build the project\n### Using XGO\nWe have developed a Makefile that uses [xgo](https://github.com/karalabe/xgo) to cross-compile Golang projects. Xgo is a Docker image with a full set of compilers and libraries ready to cross-compile. For example, it has gcc-mingw-w64, gcc-5-mips-linux-gnu, gcc-5-arm-linux-gnueabi, etc.\n\nUsing xgo it is really easy to cross-compile any Golang project with C dependencies, since xgo cross-compiles the dependency and then statically cross-compiles your Golang project. This generates a standalone binary with everything in it, ready to be executed on the target system.\n\nThe problem is that Yara does not use the standard Linux build sequence (configure \u0026\u0026 make \u0026\u0026 make install). Yara needs to run a bootstrap.sh before ./configure, so xgo will fail. We have an [issue](https://github.com/karalabe/xgo/issues/105) open for this matter.\n\nWe solved this by modifying the [xgo](https://github.com/Xumeiquer/xgo) project to run `bootstrap.sh` before `./configure`. The downside of using the modified version of xgo is that you have to build the Docker image first.\n\nThe targets for the Makefile are:\n* linux\n* linux-x86\n* linux-x64\n* darwin\n* darwin-x86\n* darwin-x64\n* windows\n* windows-x86\n* windows-x64\n\n#### NOTE\nWe are unable to cross-compile Yara-Endpoint for Linux targets using XGO. We are working on it, but for now you can compile Yara-Endpoint manually.\n\n### Manually\nAnother way to get the binaries is to compile the project manually.\n\n* First of all, you have to compile and install Yara. Please follow the instructions [here](https://github.com/VirusTotal/yara).\n* Second, clone this repo or download it by running `go get github.com/Yara-Rules/yara-endpoint`.\n* Finally, build the project itself by running `make local`. This updates the Go libraries before compiling.\n\nThe final binary will be located in the `build` folder.\n\n## Installation\nThere is no need to install anything on the Yara-Endpoint side as long as you meet the requirements.\n\n:warning:**REMEMBER**:warning:\n\nThis project is under heavy development and a lot of things can change before a final or stable version is released.\n\n## Example of usage\n### Server\n```\n./yep-server\n{\"level\":\"info\",\"msg\":\"** Yara-Endpoint Server v0.1.0 **\",\"time\":\"2018-03-13T22:05:00+01:00\"}\n{\"level\":\"info\",\"msg\":\"Starting TCP Server\",\"time\":\"2018-03-13T22:05:00+01:00\"}\n{\"level\":\"info\",\"msg\":\"TCP Server started and listening on 0.0.0.0:8080\",\"time\":\"2018-03-13T22:05:00+01:00\"}\n{\"level\":\"info\",\"msg\":\"Starting WEB Server\",\"time\":\"2018-03-13T22:05:00+01:00\"}\n{\"level\":\"info\",\"msg\":\"WEB Server started and listening on localhost:8000\",\"time\":\"2018-03-13T22:05:00+01:00\"}\n[Macaron] listening on localhost:8000 (development)\n{\"level\":\"info\",\"msg\":\"Waiting for connections...\",\"time\":\"2018-03-13T22:05:00+01:00\"}\n\n[...]\n\n{\"level\":\"info\",\"msg\":\"[[::1]:65320] Processing Register command\",\"time\":\"2018-03-13T22:05:59+01:00\"}\n{\"level\":\"info\",\"msg\":\"[01C8GJY7ZJEZAFNE8XTXAA1NX6] Processing Ping command\",\"time\":\"2018-03-13T22:05:59+01:00\"}\n{\"level\":\"info\",\"msg\":\"[01C8GJY7ZJEZAFNE8XTXAA1NX6] Sending PONG due to no task assigned\",\"time\":\"2018-03-13T22:05:59+01:00\"}\n```\n\n### Client\n```\n./yep -server localhost -port 8080\n{\"level\":\"info\",\"msg\":\"*** Starting Yara-Endpint v0.1.0 ***\",\"time\":\"2018-03-13T22:05:59+01:00\"}\n{\"level\":\"info\",\"msg\":\"Checking whether endpoint is registered\",\"time\":\"2018-03-13T22:05:59+01:00\"}\n{\"level\":\"warning\",\"msg\":\"Configuration file not found.\",\"time\":\"2018-03-13T22:05:59+01:00\"}\n{\"level\":\"info\",\"msg\":\"Endpoint no registered. Registering...\",\"time\":\"2018-03-13T22:05:59+01:00\"}\n{\"level\":\"info\",\"msg\":\"Sending \\u003cRegister\\u003e command 1/3.\",\"time\":\"2018-03-13T22:05:59+01:00\"}\n{\"level\":\"info\",\"msg\":\"Endpoint registered with ULID: 01C8GJY7ZJEZAFNE8XTXAA1NX6\",\"time\":\"2018-03-13T22:05:59+01:00\"}\n{\"level\":\"info\",\"msg\":\"Endpoint got registered with ID: 01C8GJY7ZJEZAFNE8XTXAA1NX6\",\"time\":\"2018-03-13T22:05:59+01:00\"}\n{\"level\":\"info\",\"msg\":\"Saving configuration to yara-endpoint.ini\",\"time\":\"2018-03-13T22:05:59+01:00\"}\n{\"level\":\"info\",\"msg\":\"Sending PING command\",\"time\":\"2018-03-13T22:05:59+01:00\"}\n```\n\n## Contributing\nThere are several ways to contribute to this project; the easiest one is submitting issues, but you can also open a pull request.\n\nFor complete details on how to contribute, please read [CONTRIBUTING.md](CONTRIBUTING.md).\n\n## License\n```\nCopyright 2018 \u003cJaume Martin\u003e \u003cMarcos Sanchez\u003e\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyara-rules%2Fyara-endpoint","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fyara-rules%2Fyara-endpoint","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fyara-rules%2Fyara-endpoint/lists"}