Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/CERT-Polska/mquery

YARA malware query accelerator (web frontend)
https://github.com/CERT-Polska/mquery

database malware security-automation security-tools yara

Last synced: 3 months ago
JSON representation

YARA malware query accelerator (web frontend)

Host: GitHub
URL: https://github.com/CERT-Polska/mquery
Owner: CERT-Polska
License: agpl-3.0
Created: 2018-05-17T15:05:04.000Z (about 6 years ago)
Default Branch: master
Last Pushed: 2024-02-22T17:59:34.000Z (4 months ago)
Last Synced: 2024-02-22T19:32:40.722Z (4 months ago)
Topics: database, malware, security-automation, security-tools, yara
Language: Python
Homepage:
Size: 8.21 MB
Stars: 396
Watchers: 28
Forks: 75
Open Issues: 29
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Security: docs/security.md

Lists

awesome-yara - mquery
awesome-yara-Resource - mquery
awesome-rainmana - CERT-Polska/mquery - YARA malware query accelerator (web frontend) (Python)

README

        # mquery: Blazingly fast Yara queries for malware analysts

Ever had trouble searching for malware samples? Mquery is an

analyst-friendly web GUI to look through your digital warehouse.

It can be used to search through terabytes of malware in a blink of an eye:

![mquery web GUI](docs/interface-v1.4.gif)

Under the hood we use our [UrsaDB](https://github.com/CERT-Polska/ursadb), to

accelerate yara queries with ngrams.

## Demo

Public instance will be created soon, stay tuned...

## Quickstart

### 1. Install and start

The easiest way to do this is with `docker-compose`:

```

git clone --recurse-submodules https://github.com/CERT-Polska/mquery.git

cd mquery

vim .env  # optional - change samples and index directory locations

docker-compose up --scale daemon=3  # building the images will take a while

```

The web interface should be available at `http://localhost`.

![](./docs/recent-jobs.png)

*(For more installation options see the [installation manual](./INSTALL.md) ).*

### 2. Add the files

Put some files in the `SAMPLES_DIR` (by default `./samples` in the repository,

configurable with variable in the `.env` file).

### 3. Index your collection

Launch ursacli in docker:

```shell

sudo docker-compose exec ursadb ursacli

[2023-06-14 17:20:24.940] [info] Connecting to tcp://localhost:9281

[2023-06-14 17:20:24.942] [info] Connected to UrsaDB v1.5.1+98421d7 (connection id: 006B8B46B6)

ursadb>

```

Index the samples with n-grams of your choosing (this may take a while!)

```shell

ursadb> index "/mnt/samples" with [gram3, text4, wide8, hash4];

[2023-06-14 17:29:27.672] [info] Working... 1% (109 / 8218)

[2023-06-14 17:29:28.674] [info] Working... 1% (125 / 8218)

...

[2023-06-14 17:37:40.265] [info] Working... 99% (8217 / 8218)

[2023-06-14 17:37:41.266] [info] Working... 99% (8217 / 8218)

{

    "result": {

        "status": "ok"

    },

    "type": "ok"

}

```

This will scan samples directory for all new files and index them. You can

monitor the progress in the `tasks` window on the left:

![](./docs/indexing.png)

You have to repeat this process every time you want to add new files!

After indexing is over, you will notice new datasets:

![](./docs/indexed-datasets.png)

This is a good and easy way to start, but if you have a big collection you are

strongly encouraged to read [indexing page](./docs/indexing.md) in the manual. 

### 4. Test it

Now your files should be searchable - insert any Yara rule into the search

window and click `Query`. Just for demonstration, I've indexed the source code

of this application and tested this Yara rule:

```

rule mquery_exceptions {

    strings: $a = "Exception"

    condition: all of them

}

```

![](./docs/query-window.png)

## Learn more

See the [documentation](./docs/README.md) to learn more. Probably a good idea

if you plan a bigger deployment.

You can also read the hosted version here:

[cert-polska.github.io/mquery/docs](https://cert-polska.github.io/mquery/docs).

## Installation

See the

[installation instruction](./INSTALL.md).

## Contributing

If you want to contribute, see our dedicated

[documentation for contributors](./CONTRIBUTING.md).

## Changelog

Learn how the project has changed by reading our

[release log](./RELEASES.md).

## Contact

If you have any problems, bugs or feature requests related to mquery, you're

encouraged to create a GitHub issue.

You can chat about this project on Discord:

[![](https://dcbadge.vercel.app/api/server/3FcP6GQNzd)](https://discord.gg/3FcP6GQNzd)

If you have questions unsuitable for Github or discord, you can email CERT.PL

([email protected]) directly.