Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/quark-engine/quark-rule-generate

Generating Detection Rules for Quark Engine !
https://github.com/quark-engine/quark-rule-generate

Last synced: 12 days ago
JSON representation

Generating Detection Rules for Quark Engine !

Host: GitHub
URL: https://github.com/quark-engine/quark-rule-generate
Owner: quark-engine
Created: 2020-11-20T07:31:37.000Z (almost 4 years ago)
Default Branch: master
Last Pushed: 2021-08-17T02:07:48.000Z (over 3 years ago)
Last Synced: 2023-10-20T22:43:13.182Z (about 1 year ago)
Language: Python
Homepage:
Size: 38.1 KB
Stars: 10
Watchers: 7
Forks: 5
Open Issues: 1
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# Quark Engine Detection Rules Auto-Generation [![Python 3.8](https://img.shields.io/badge/python-3.8-blue.svg)](https://www.python.org/downloads/release/python-360/) [![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://github.com/18z/quark-rules/blob/master/LICENSE)
![](https://i.imgur.com/bQo1p76.png)

### The Idea of Detection Rules Generation

1. We generate rules with native API used in the APK file.
So first, we will find each native API used in the APK.

2. We find and create all combinations of the native API pair (one rule).

3. We test every native API pair and see if those behavior got caught in the APK.

4. If we find 100% confidence for one behavior (one detection rule), we insert this rule into database.

### MongoDB Setup

We store and manage rules with MongoDB, so we need to setup database before generating detection rules for quark engine.

Here are three ways to install MongoDB.
1. Install with Docker
```bash
$ docker pull mongo:4.2
$ docker run -d -p 27017:27017 -v data/db --name mongodb \
-e MONGO_INITDB_ROOT_USERNAME=root \
-e MONGO_INITDB_ROOT_PASSWORD=pass \
mongo:4.2
```

2. Install to local environment
We provide a setup script to install database in your local environment.
```bash
$ sudo bash scripts/setup_db.sh
```

3. Or you can follow the MongoDB official installation [MongoDB Install](https://docs.mongodb.com/manual/installation/) to setup manually.

### Install Scripts for Rule Generation
```bash
$ git clone https://github.com/quark-engine/quark-rule-generate.git; cd quark-rule-generate/
$ pipenv install --skip-lock
$ pipenv shell
$ git submodule init
$ git submodule update --remote; cd quark-engine/
$ python setup.py install; cd ..
```

### Generate Detection Rules
A simple way to generate rules with an APK.
```bash
$ python start.py -a
```

However, the speed of generate progress will be very slow if the APK sample size is large, so we provide an option to generate rules with multiprocessing, here is the example.

> Be Aware it probably will cost a lots of memory.
```bash
$ python start.py -a --multiprocess 3 # Using three processes to work
```

### Export rules to JSON file
Since [Quark-Engine](https://github.com/quark-engine/quark-engine) is using JSON file to analyze APK, here is a way to export rules from database into JSON file.
```bash
$ python start.py -a --export
```

### See how it works!
[![asciicast](https://asciinema.org/a/374145.svg)](https://asciinema.org/a/374145)