deepfence / yarahunter

πŸ”πŸ” Malware scanner for cloud-native, as part of CI/CD and at Runtime πŸ”πŸ”

Home Page: https://deepfence.io/

License: Apache License 2.0

Languages: Dockerfile 3.55%, Makefile 0.51%, Shell 0.13%, Go 95.53%, HTML 0.28%
Topics: devsecops, devsecops-best-practices, devsecops-pipeline, ioc, malware, threat-hunting, yara, yara-scanner, ci-cd, hacktoberfest

yarahunter's Introduction


YaraHunter

Deepfence YaraHunter scans container images, running Docker containers, and filesystems to find indicators of malware. It uses a YARA ruleset to identify resources that match known malware signatures, which may indicate that the container or filesystem has been compromised.

YaraHunter can be used in the following ways:

  • At build-and-test: scan build artifacts in the CI/CD pipeline, reporting on possible indicators of malware
  • At rest: scan local container images, for example, before they are deployed, to verify they do not contain malware
  • At runtime: scan running docker containers, for example, if you observe unusual network traffic or CPU activity
  • Against filesystems: at any time, YaraHunter can scan local filesystems for indicators of compromise

Key capabilities:

  • Scan running and at-rest containers; scan filesystems; scan during CI/CD build operations
  • Run anywhere: highly-portable, docker container form factor
  • Designed for automation: easy-to-deploy, easy-to-parse JSON output

YaraHunter is a work-in-progress (check the Roadmap and issues list), and will be integrated into the ThreatMapper threat discovery platform. We welcome any contributions to help to improve this tool.

Quick Start

For full instructions, refer to the YaraHunter Documentation.

(demo GIF)

Example: Finding Indicators of Compromise in a container image

Images may be compromised by the installation of a cryptominer such as XMRig. In the following example, we'll scan a legitimate cryptominer image that contains the same xmrig software that is often installed through an exploit:

Pull the official yarahunter image:

docker pull quay.io/deepfenceio/deepfence_malware_scanner_ce:2.2.0

Or build it from source: clone this repo and run the command below:

make docker

Pull the image that needs to be scanned, for example metal3d/xmrig, and scan it:

docker pull metal3d/xmrig

docker run -i --rm --name=deepfence-yarahunter \
     -v /var/run/docker.sock:/var/run/docker.sock \
     -v /tmp:/home/deepfence/output \
     quay.io/deepfenceio/deepfence_malware_scanner_ce:2.2.0 \
     --image-name metal3d/xmrig:latest \
     --output=json > xmrig-scan.json

This returns, among other things, a clear indication of the presence of XMRig. Note that we store the output (xmrig-scan.json) for quick and easy manipulation:

# Extract the IOC array from the saved report and, from each entry, the value of the 'Matched Rule Name' key
jq '.IOC[] | ."Matched Rule Name"' xmrig-scan.json

This returns a list of the IOCs identified in the container we scanned.

To get table-formatted output, omit the --output=json flag.

Get in touch

Thank you for using YaraHunter.

  • Start with the documentation
  • Got a question, need some help? Find the Deepfence team on Slack
  • GitHub issues Got a feature request or found a bug? Raise an issue
  • productsecurity at deepfence dot io: Found a security issue? Share it in confidence
  • Find out more at deepfence.io

Security and Support

For any security-related issues in the YaraHunter project, contact productsecurity at deepfence dot io.

Please file GitHub issues as needed, and join the Deepfence Community Slack channel.

License

The Deepfence YaraHunter project (this repository) is offered under the Apache2 license.

Contributions to the Deepfence YaraHunter project are similarly accepted under the Apache2 license, as per GitHub's inbound=outbound policy.

Disclaimer

This tool is not meant to be used for hacking. Please use it only for legitimate purposes like detecting indicators of compromise on the infrastructure you own, not on others' infrastructure. DEEPFENCE shall not be liable for loss of profit, loss of business, other financial loss, or any other loss or damage which may be caused, directly or indirectly, by the inadequacy of YaraHunter for any purpose or use thereof or by any defect or deficiency therein.

yarahunter's People

Contributors

deviprasad303, github-actions[bot], gnmahanth, ibreakthecloud, mukuldeepfence, noboruma, ogarrett, pranav767, ramanan-ravi, sandman137, shyam-dev, testwill, tomaszjonak, varunsharma0286, zbraiterman


yarahunter's Issues

Multiple Critical CVEs in Go and other image dependencies

When uploading the latest YaraHunter image to Google Cloud Artifact Registry, the container scanning feature reports many critical and high value CVEs.

I would like to know if it would be possible to upgrade Go and any other dependencies that contain critical or high scoring CVEs.

Table of fixable high/critical Go CVEs:

Name | Effective severity | VEX status | Package | Package type
CVE-2023-29405 | Critical | Unspecified | go | Go stdlib
CVE-2023-24540 | Critical | Unspecified | go | Go stdlib
CVE-2023-24538 | Critical | Unspecified | go | Go stdlib
CVE-2023-29402 | Critical | Unspecified | go | Go stdlib
CVE-2023-39320 | Critical | Unspecified | go | Go stdlib
CVE-2022-23806 | Critical | Unspecified | go | Go stdlib
CVE-2023-29404 | Critical | Unspecified | go | Go stdlib
CVE-2021-38297 | Critical | Unspecified | go | Go stdlib
CVE-2022-24675 | High | Unspecified | go | Go stdlib
CVE-2022-41723 | High | Unspecified | go | Go stdlib
CVE-2022-30633 | High | Unspecified | go | Go stdlib
CVE-2021-39293 | High | Unspecified | go | Go stdlib
CVE-2022-2880 | High | Unspecified | go | Go stdlib
CVE-2022-41715 | High | Unspecified | go | Go stdlib
CVE-2022-24921 | High | Unspecified | go | Go stdlib
CVE-2022-30580 | High | Unspecified | go | Go stdlib
CVE-2022-30632 | High | Unspecified | go | Go stdlib
CVE-2023-24534 | High | Unspecified | go | Go stdlib
CVE-2022-41724 | High | Unspecified | go | Go stdlib
CVE-2021-33198 | High | Unspecified | go | Go stdlib
CVE-2021-33195 | High | Unspecified | go | Go stdlib
CVE-2023-24536 | High | Unspecified | go | Go stdlib
CVE-2023-29400 | High | Unspecified | go | Go stdlib
CVE-2022-23773 | High | Unspecified | go | Go stdlib
CVE-2023-39322 | High | Unspecified | go | Go stdlib
CVE-2022-30635 | High | Unspecified | go | Go stdlib
CVE-2021-41771 | High | Unspecified | go | Go stdlib
CVE-2021-33196 | High | Unspecified | go | Go stdlib
CVE-2022-30631 | High | Unspecified | go | Go stdlib
CVE-2023-29403 | High | Unspecified | go | Go stdlib
CVE-2022-32189 | High | Unspecified | go | Go stdlib
CVE-2021-41772 | High | Unspecified | go | Go stdlib
CVE-2023-24537 | High | Unspecified | go | Go stdlib
CVE-2022-41725 | High | Unspecified | go | Go stdlib
CVE-2023-39533 | High | Unspecified | go | Go stdlib
CVE-2022-28131 | High | Unspecified | go | Go stdlib
CVE-2022-30630 | High | Unspecified | go | Go stdlib
CVE-2022-28327 | High | Unspecified | go | Go stdlib
CVE-2023-24539 | High | Unspecified | go | Go stdlib
CVE-2023-39321 | High | Unspecified | go | Go stdlib
CVE-2022-27664 | High | Unspecified | go | Go stdlib
CVE-2022-23772 | High | Unspecified | go | Go stdlib
CVE-2022-2879 | High | Unspecified | go | Go stdlib
CVE-2021-29923 | High | Unspecified | go | Go stdlib
CVE-2021-44716 | High | Unspecified | go | Go stdlib

Other fixable high severity CVEs:

Name | Effective severity | CVSS | Fix available | VEX status | Package | Package type
CVE-2023-30861 | High | 7.5 | Yes | Unspecified | flask | Python
CVE-2023-2253 | High | 6.5 | Yes | Unspecified | github.com/docker/distribution | Go

Please advise on the possibilities of this? Updating it would prevent the need for building a custom image or forking the repo, which would be great to prevent, if possible.

add CLI support for YaraHunter

add CLI support for YaraHunter

example

YaraHunter init                   - fetch and update yara rules
YaraHunter scan <container-name>  - scan container images
YaraHunter init server            - run YaraHunter as server

Docker :latest image is out of date. Building YaraHunter fails

The image was last pushed 7 months ago:
https://hub.docker.com/r/deepfenceio/yara-hunter

When trying to build the image, either from the main branch or from the recent release tagged v2.0.0, the build fails:

[+] Building 14.6s (15/21)                                                                                                                                                                                             docker:desktop-linux
 => [internal] load build definition from Dockerfile                                                                                                                                                                                   0.0s
 => => transferring dockerfile: 2.45kB                                                                                                                                                                                                 0.0s
 => [internal] load .dockerignore                                                                                                                                                                                                      0.0s
 => => transferring context: 2B                                                                                                                                                                                                        0.0s
 => [internal] load metadata for docker.io/library/debian:bullseye                                                                                                                                                                     2.1s
 => [internal] load metadata for docker.io/library/golang:1.20-alpine3.18                                                                                                                                                              2.1s
 => [builder 1/7] FROM docker.io/library/golang:1.20-alpine3.18@sha256:c63dbdb3cca37abbee4c50f61e34b1d043c2669d03f34485f9ee6fe5feed4e48                                                                                                0.0s
 => [stage-1 1/9] FROM docker.io/library/debian:bullseye@sha256:f33900927c0a8bcf3f0e2281fd0237f4780cc6bc59729bb3a10e75b0703c5ca7                                                                                                       0.0s
 => [internal] load build context                                                                                                                                                                                                      0.0s
 => => transferring context: 13.07kB                                                                                                                                                                                                   0.0s
 => CACHED [stage-1 2/9] RUN apt-get update && apt-get -qq -y --no-install-recommends install libjansson4 libssl1.1 libmagic1 libstdc++6 jq bash skopeo curl ca-certificates     && nerdctl_version=1.4.0     && curl -fsSLOk https:/  0.0s
 => CACHED [stage-1 3/9] WORKDIR /home/deepfence/usr                                                                                                                                                                                   0.0s
 => CACHED [builder 2/7] RUN apk add --no-cache     git     make      build-base     pkgconfig     libpcap-dev     libcap-dev     openssl-dev     file     jansson-dev     jansson-static     bison     tini     su-exec               0.0s
 => CACHED [builder 3/7] RUN apk add --no-cache -t .build-deps py-setuptools     openssl-libs-static     jansson-dev     build-base     libc-dev     file-dev     automake     autoconf     libtool     libcrypto3     flex     git    0.0s
 => CACHED [builder 4/7] RUN cd /root && wget https://github.com/VirusTotal/yara/archive/refs/tags/v4.3.2.tar.gz     && tar -zxf v4.3.2.tar.gz     && cd yara-4.3.2     && ./bootstrap.sh     && ./configure --prefix=/usr/local/yara  0.0s
 => CACHED [builder 5/7] WORKDIR /home/deepfence/src/YaraHunter                                                                                                                                                                        0.0s
 => CACHED [builder 6/7] COPY . .                                                                                                                                                                                                      0.0s
 => ERROR [builder 7/7] RUN make clean     && make all     && cd /home/deepfence     && git clone https://github.com/deepfence/yara-rules                                                                                             12.5s
------
 > [builder 7/7] RUN make clean     && make all     && cd /home/deepfence     && git clone https://github.com/deepfence/yara-rules:
0.133 rm ./YaraHunter
0.134 rm: can't remove './YaraHunter': No such file or directory
0.135 make: [Makefile:7: clean] Error 1 (ignored)
0.136 go mod tidy -v
0.164 go: downloading gopkg.in/yaml.v3 v3.0.1
0.173 go: downloading github.com/sirupsen/logrus v1.9.3
0.190 go: downloading github.com/deepfence/golang_deepfence_sdk/client v0.0.0-20230630084500-8fb0280d6010
0.373 go: downloading github.com/deepfence/golang_deepfence_sdk/utils v0.0.0-20230630084500-8fb0280d6010
0.407 go: downloading github.com/olekukonko/tablewriter v0.0.5
0.483 go: downloading github.com/fatih/color v1.15.0
0.499 go: downloading github.com/deepfence/vessel v0.11.1
0.528 go: downloading github.com/hillu/go-yara/v4 v4.3.2
0.539 go: downloading github.com/Jeffail/tunny v0.1.4
0.563 go: downloading google.golang.org/grpc v1.56.1
0.660 go: downloading golang.org/x/sys v0.7.0
2.594 go: downloading github.com/hashicorp/go-retryablehttp v0.7.4
2.595 go: downloading github.com/mattn/go-runewidth v0.0.9
2.644 go: downloading github.com/mattn/go-colorable v0.1.13
2.647 go: downloading github.com/mattn/go-isatty v0.0.17
2.648 go: downloading github.com/containerd/containerd v1.7.2
2.679 go: downloading github.com/docker/docker v24.0.2+incompatible
3.398 go: downloading github.com/pkg/errors v0.9.1
3.466 go: downloading golang.org/x/net v0.9.0
3.721 go: downloading github.com/golang/protobuf v1.5.3
3.984 go: downloading github.com/google/go-cmp v0.5.9
4.060 go: downloading github.com/hashicorp/go-cleanhttp v0.5.2
4.061 go: downloading github.com/containerd/ttrpc v1.2.2
4.086 go: downloading github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20221215162035-5330a85ea652
4.106 go: downloading github.com/containerd/fifo v1.1.0
4.115 go: downloading github.com/containerd/typeurl/v2 v2.1.1
4.135 go: downloading github.com/moby/sys/signal v0.7.0
4.142 go: downloading github.com/opencontainers/go-digest v1.0.0
4.147 go: downloading github.com/opencontainers/image-spec v1.1.0-rc2.0.20221005185240-3a7f492d3f1b
4.176 go: downloading github.com/opencontainers/runtime-spec v1.1.0-rc.1
4.211 go: downloading github.com/opencontainers/selinux v1.11.0
4.211 go: downloading golang.org/x/sync v0.1.0
4.211 go: downloading google.golang.org/protobuf v1.30.0
4.247 go: downloading github.com/containerd/continuity v0.4.1
4.256 go: downloading github.com/opencontainers/runc v1.1.5
4.505 go: downloading google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1
4.624 go: downloading github.com/Microsoft/hcsshim v0.10.0-rc.8
5.402 go: downloading github.com/moby/sys/sequential v0.5.0
5.555 go: downloading github.com/klauspost/compress v1.16.0
5.981 go: downloading github.com/Microsoft/go-winio v0.6.1
5.982 go: downloading github.com/moby/sys/mountinfo v0.6.2
6.035 go: downloading github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1
6.037 go: downloading github.com/moby/locker v1.0.1
6.038 go: downloading github.com/google/uuid v1.3.0
6.063 go: downloading go.opentelemetry.io/otel v1.14.0
6.199 go: downloading go.opentelemetry.io/otel/trace v1.14.0
6.203 go: downloading github.com/gogo/protobuf v1.3.2
6.228 go: downloading github.com/docker/go-connections v0.4.0
6.533 go: downloading github.com/docker/go-units v0.5.0
6.600 go: downloading github.com/docker/distribution v2.8.1+incompatible
6.724 go: downloading golang.org/x/text v0.9.0
8.390 go: downloading golang.org/x/tools v0.7.0
8.390 go: downloading github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c
8.390 go: downloading github.com/cyphar/filepath-securejoin v0.2.3
8.432 go: downloading github.com/go-logr/logr v1.2.3
8.432 go: downloading github.com/go-logr/stdr v1.2.2
8.825 go: downloading go.opencensus.io v0.24.0
8.892 go: downloading github.com/containerd/cgroups v1.1.0
8.966 go: downloading github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
9.117 go: downloading golang.org/x/mod v0.9.0
12.22 github.com/deepfence/YaraHunter/pkg/output imports
12.22 	github.com/deepfence/agent-plugins-grpc/srcgo: github.com/deepfence/[email protected] (replaced by ./agent-plugins-grpc): reading agent-plugins-grpc/go.mod: open /home/deepfence/src/YaraHunter/agent-plugins-grpc/go.mod: no such file or directory
12.22 github.com/deepfence/YaraHunter imports
12.22 	github.com/sirupsen/logrus tested by
12.22 	github.com/sirupsen/logrus.test imports
12.22 	github.com/stretchr/testify/assert: github.com/deepfence/[email protected] (replaced by ./agent-plugins-grpc): reading agent-plugins-grpc/go.mod: open /home/deepfence/src/YaraHunter/agent-plugins-grpc/go.mod: no such file or directory
12.22 github.com/deepfence/YaraHunter imports
12.22 	github.com/sirupsen/logrus tested by
12.22 	github.com/sirupsen/logrus.test imports
12.22 	github.com/stretchr/testify/require: github.com/deepfence/[email protected] (replaced by ./agent-plugins-grpc): reading agent-plugins-grpc/go.mod: open /home/deepfence/src/YaraHunter/agent-plugins-grpc/go.mod: no such file or directory
12.22 github.com/deepfence/YaraHunter/pkg/config imports
12.22 	gopkg.in/yaml.v3 tested by
12.22 	gopkg.in/yaml.v3.test imports
12.22 	gopkg.in/check.v1: github.com/deepfence/[email protected] (replaced by ./agent-plugins-grpc): reading agent-plugins-grpc/go.mod: open /home/deepfence/src/YaraHunter/agent-plugins-grpc/go.mod: no such file or directory
12.22 github.com/deepfence/YaraHunter/pkg/output imports
12.22 	github.com/deepfence/golang_deepfence_sdk/utils/http imports
12.22 	github.com/hashicorp/go-retryablehttp tested by
12.22 	github.com/hashicorp/go-retryablehttp.test imports
12.22 	github.com/hashicorp/go-hclog: github.com/deepfence/[email protected] (replaced by ./agent-plugins-grpc): reading agent-plugins-grpc/go.mod: open /home/deepfence/src/YaraHunter/agent-plugins-grpc/go.mod: no such file or directory
12.22 github.com/deepfence/YaraHunter/pkg/scan imports
12.22 	github.com/deepfence/vessel imports
12.22 	github.com/docker/docker/client tested by
12.22 	github.com/docker/docker/client.test imports
12.22 	gotest.tools/v3/assert: github.com/deepfence/[email protected] (replaced by ./agent-plugins-grpc): reading agent-plugins-grpc/go.mod: open /home/deepfence/src/YaraHunter/agent-plugins-grpc/go.mod: no such file or directory
12.22 github.com/deepfence/YaraHunter/pkg/scan imports
12.22 	github.com/deepfence/vessel imports
12.22 	github.com/docker/docker/client tested by
12.22 	github.com/docker/docker/client.test imports
12.22 	gotest.tools/v3/assert/cmp: github.com/deepfence/[email protected] (replaced by ./agent-plugins-grpc): reading agent-plugins-grpc/go.mod: open /home/deepfence/src/YaraHunter/agent-plugins-grpc/go.mod: no such file or directory
12.22 github.com/deepfence/YaraHunter/pkg/scan imports
12.22 	github.com/deepfence/vessel imports
12.22 	github.com/docker/docker/client tested by
12.22 	github.com/docker/docker/client.test imports
12.22 	gotest.tools/v3/env: github.com/deepfence/[email protected] (replaced by ./agent-plugins-grpc): reading agent-plugins-grpc/go.mod: open /home/deepfence/src/YaraHunter/agent-plugins-grpc/go.mod: no such file or directory
12.22 github.com/deepfence/YaraHunter/pkg/scan imports
12.22 	github.com/deepfence/vessel imports
12.22 	github.com/docker/docker/client tested by
12.22 	github.com/docker/docker/client.test imports
12.22 	gotest.tools/v3/skip: github.com/deepfence/[email protected] (replaced by ./agent-plugins-grpc): reading agent-plugins-grpc/go.mod: open /home/deepfence/src/YaraHunter/agent-plugins-grpc/go.mod: no such file or directory
12.22 github.com/deepfence/YaraHunter/pkg/scan imports
12.22 	github.com/deepfence/vessel imports
12.22 	github.com/containerd/containerd/namespaces imports
12.22 	github.com/containerd/ttrpc tested by
12.22 	github.com/containerd/ttrpc.test imports
12.22 	github.com/prometheus/procfs: github.com/deepfence/[email protected] (replaced by ./agent-plugins-grpc): reading agent-plugins-grpc/go.mod: open /home/deepfence/src/YaraHunter/agent-plugins-grpc/go.mod: no such file or directory
12.22 github.com/deepfence/YaraHunter/pkg/scan imports
12.22 	github.com/deepfence/vessel imports
12.22 	github.com/containerd/containerd imports
12.22 	github.com/containerd/containerd/tracing imports
12.22 	go.opentelemetry.io/otel tested by
12.22 	go.opentelemetry.io/otel.test imports
12.22 	github.com/stretchr/testify/suite: github.com/deepfence/[email protected] (replaced by ./agent-plugins-grpc): reading agent-plugins-grpc/go.mod: open /home/deepfence/src/YaraHunter/agent-plugins-grpc/go.mod: no such file or directory
12.22 github.com/deepfence/YaraHunter/pkg/scan imports
12.22 	github.com/deepfence/vessel imports
12.22 	github.com/docker/docker/client tested by
12.22 	github.com/docker/docker/client.test imports
12.22 	github.com/docker/docker/api/server/httputils imports
12.22 	github.com/docker/docker/pkg/jsonmessage imports
12.22 	github.com/moby/term: github.com/deepfence/[email protected] (replaced by ./agent-plugins-grpc): reading agent-plugins-grpc/go.mod: open /home/deepfence/src/YaraHunter/agent-plugins-grpc/go.mod: no such file or directory
12.22 github.com/deepfence/YaraHunter/pkg/scan imports
12.22 	github.com/deepfence/vessel imports
12.22 	github.com/docker/docker/client tested by
12.22 	github.com/docker/docker/client.test imports
12.22 	github.com/docker/docker/api/server/httputils imports
12.22 	github.com/docker/docker/pkg/jsonmessage imports
12.22 	github.com/morikuni/aec: github.com/deepfence/[email protected] (replaced by ./agent-plugins-grpc): reading agent-plugins-grpc/go.mod: open /home/deepfence/src/YaraHunter/agent-plugins-grpc/go.mod: no such file or directory
12.22 github.com/deepfence/YaraHunter/pkg/scan imports
12.22 	github.com/deepfence/vessel imports
12.22 	github.com/docker/docker/client tested by
12.22 	github.com/docker/docker/client.test imports
12.22 	github.com/docker/docker/api/server/httputils imports
12.22 	github.com/docker/docker/api/types/backend imports
12.22 	github.com/docker/docker/pkg/streamformatter imports
12.22 	github.com/docker/docker/pkg/progress imports
12.22 	golang.org/x/time/rate: github.com/deepfence/[email protected] (replaced by ./agent-plugins-grpc): reading agent-plugins-grpc/go.mod: open /home/deepfence/src/YaraHunter/agent-plugins-grpc/go.mod: no such file or directory
12.22 make: *** [Makefile:10: vendor] Error 1
------
Dockerfile:45
--------------------
  44 |     COPY . .
  45 | >>> RUN make clean \
  46 | >>>     && make all \
  47 | >>>     && cd /home/deepfence \
  48 | >>>     && git clone https://github.com/deepfence/yara-rules
  49 |
--------------------
ERROR: failed to solve: process "/bin/sh -c make clean     && make all     && cd /home/deepfence     && git clone https://github.com/deepfence/yara-rules" did not complete successfully: exit code: 2

Scan running processes as well as running container filesystem

It's common for malware installed through a runtime compromise to delete itself from the filesystem once the malware process has started, to make detection of the malware difficult. Filesystem scans will not find the malware.

For example, a WordPress honeypot container attracted a crypto miner which was installed in /var/www/html/wp-content/themes/twentytwentyone/xmra64, started as pid 8823, and then deleted:

$ sudo cat /proc/8823/maps
00400000-00401000 r--p 00000000 fc:01 1303258                            /var/www/html/wp-content/themes/twentytwentyone/xmra64 (deleted)
00401000-0065b000 r-xp 00001000 fc:01 1303258                            /var/www/html/wp-content/themes/twentytwentyone/xmra64 (deleted)
0065b000-006de000 r--p 0025b000 fc:01 1303258                            /var/www/html/wp-content/themes/twentytwentyone/xmra64 (deleted)
006de000-006ec000 rw-p 002dd000 fc:01 1303258                            /var/www/html/wp-content/themes/twentytwentyone/xmra64 (deleted)

YaRadare scans of the container filesystem did not detect anything untoward.

The running application binary was captured and scanned as follows:

$ sudo cat /proc/8823/map_files/400000-401000 > /tmp/xmra64/a.out.1
$ sudo cat /proc/8823/map_files/401000-65b000 > /tmp/xmra64/a.out.2
$ sudo cat /proc/8823/map_files/65b000-6de000 > /tmp/xmra64/a.out.3
$ sudo cat /proc/8823/map_files/6de000-6ec000 > /tmp/xmra64/a.out.4
$ docker run -it --rm -v /tmp/xmra64:/tmp/xmra64 oweng/deepfence-yaradare:latest --local /tmp/xmra64

YaRadare scans of these files identified the crypto miner:

    {
      "Matched Rule Name": "XMRIG_Miner",
      "Strings to match are":
            "stratum+tcp",
      "Category": [],
      "File Name": "/tmp/xmra64/a.out.1",
      "ref": https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e
      "Summary": The matched rule file's  ref  is https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e .,
    }
    {
      "Matched Rule Name": "XMRIG_Miner",
      "Strings to match are":
            "stratum+tcp",
      "Category": [],
      "File Name": "/tmp/xmra64/a.out.2",
      "ref": https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e
      "Summary": The matched rule file's  ref  is https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e .,
    }
    {
      "Matched Rule Name": "XMRIG_Miner",
      "Strings to match are":
            "stratum+tcp",
      "Category": [],
      "File Name": "/tmp/xmra64/a.out.3",
      "ref": https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e
      "Summary": The matched rule file's  ref  is https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e .,
    }
    {
      "Matched Rule Name": "XMRIG_Miner",
      "Strings to match are":
            "stratum+tcp",
      "Category": [],
      "File Name": "/tmp/xmra64/a.out.4",
      "ref": https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e
      "Summary": The matched rule file's  ref  is https://gist.github.com/GelosSnake/c2d4d6ef6f93ccb7d3afb5b1e26c7b4e .,
    }
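
The technique this issue describes, as an added Go example that is not part of the YaraHunter code: parse /proc/<pid>/maps for file-backed mappings marked "(deleted)", derive the /proc/<pid>/map_files entry that still points at the unlinked inode (the path the issue reads with cat), and walk /proc to list every running process with such mappings. sampleMaps is a constructed copy of the maps lines quoted above; the function names are this example's own.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Mapping is one file-backed region from /proc/<pid>/maps.
type Mapping struct {
	Start, End uint64 // virtual address range
	Perms      string // e.g. "r-xp"
	Path       string // backing file, without the "(deleted)" suffix
}

// sampleMaps is a constructed copy of the first two lines of the
// /proc/8823/maps listing quoted in the issue, plus one anonymous mapping.
const sampleMaps = `00400000-00401000 r--p 00000000 fc:01 1303258 /var/www/html/wp-content/themes/twentytwentyone/xmra64 (deleted)
00401000-0065b000 r-xp 00001000 fc:01 1303258 /var/www/html/wp-content/themes/twentytwentyone/xmra64 (deleted)
7f3a12000000-7f3a12021000 rw-p 00000000 00:00 0
`

// parseDeletedMappings returns the mappings whose backing file has been
// unlinked; the kernel marks these with a trailing "(deleted)". They are
// exactly what a scan of the container filesystem can no longer see.
func parseDeletedMappings(maps string) ([]Mapping, error) {
	var out []Mapping
	sc := bufio.NewScanner(strings.NewReader(maps))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 6 {
			continue // anonymous mapping: no path column
		}
		path := strings.Join(f[5:], " ") // paths may contain spaces
		if !strings.HasSuffix(path, " (deleted)") {
			continue
		}
		var m Mapping
		if _, err := fmt.Sscanf(f[0], "%x-%x", &m.Start, &m.End); err != nil {
			return nil, fmt.Errorf("malformed address range %q: %w", f[0], err)
		}
		m.Perms = f[1]
		m.Path = strings.TrimSuffix(path, " (deleted)")
		out = append(out, m)
	}
	return out, sc.Err()
}

// mapFilesPath is the /proc/<pid>/map_files entry for a mapping: a link to
// the still-open inode, so the unlinked binary can be copied out from it (as
// the issue does with cat) even though its directory entry is gone; needs root.
func mapFilesPath(pid int, m Mapping) string {
	return fmt.Sprintf("/proc/%d/map_files/%x-%x", pid, m.Start, m.End)
}

// findDeletedExecutables walks /proc and reports, per PID, every unlinked
// mapping of the processes the caller can read. Libraries replaced by a package
// upgrade also show up as "(deleted)", so treat hits as leads to scan, not verdicts.
func findDeletedExecutables() (map[int][]Mapping, error) {
	found := map[int][]Mapping{}
	entries, err := os.ReadDir("/proc")
	if err != nil {
		return nil, err
	}
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil {
			continue // not a process directory
		}
		data, err := os.ReadFile(filepath.Join("/proc", e.Name(), "maps"))
		if err != nil {
			continue // process exited or not readable
		}
		if ms, err := parseDeletedMappings(string(data)); err == nil && len(ms) > 0 {
			found[pid] = ms
		}
	}
	return found, nil
}

func main() {
	ms, _ := parseDeletedMappings(sampleMaps) // the issue's sample
	for _, m := range ms {
		fmt.Printf("sample pid 8823 %s %s -> %s\n", m.Perms, m.Path, mapFilesPath(8823, m))
	}
	found, err := findDeletedExecutables() // live processes on this host
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		return
	}
	for pid, ms := range found {
		for _, m := range ms {
			fmt.Printf("pid %d %s %s -> %s\n", pid, m.Perms, m.Path, mapFilesPath(pid, m))
		}
	}
}
```

Each reported map_files entry can be copied into a directory and handed to the scanner with --local, as the issue does by hand.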

Test and document standalone build

Not all users will want to run IOCScanner from within a docker container.

We should test and document the process for a standalone build; something like:

GOROOT=/usr/local/go go build -v -I

... and how to run the resulting binary, including providing configuration and signature files.

JSON output can no longer be stored in file

Hi!

Since release v2.0.0 (see commit), JSON output can no longer be stored in an output file. However, the opposite is specified in the documentation (Readme.md and docs/docs/yarahunter/configure/output.md):

docker run -it --rm --name=deepfence-yarahunter \
     -v /var/run/docker.sock:/var/run/docker.sock \
     -v /tmp:/home/deepfence/output \
     deepfenceio/yara-hunter:latest --image-name metal3d/xmrig:latest \
     --json-filename=xmrig-scan.json

With yara-hunter v2.0.0, I get this error when I specify the flag --json-filename:

docker run -it --rm --name=yara-hunter -v /var/run/docker.sock:/var/run/docker.sock -v /tmp:/home/deepfence/output deepfenceio/yara-hunter:latest --image-name docker.io/library/debian:buster-20230725-slim --json-filename=scan.json
flag provided but not defined: -json-filename
Usage of /home/deepfence/usr/YaraHunter:
-config-path string
[...]

The message "flag provided but not defined: -json-filename" is caused by the removal of the flag --json-filename in this commit: 48571c7.

The question is:

  • Is the expected behavior that there is no longer a JSON output file with the flags --json-filename and output-path?

If yes, I can open an MR to update the documentation.
If not, I can also open an MR to fix this behavior and generate a JSON output file via the flag --output=json.

I will be happy to contribute, and I just want to be sure to respect the vision of previous contributors, about this topic.

The current flag --output=json can be used to generate a JSON output file, like this:

docker run -it --rm --name=yara-hunter \
-v /var/run/docker.sock:/var/run/docker.sock \
deepfenceio/yara-hunter:latest \
--image-name docker.io/library/debian:buster-20230725-slim \
--output=json > scan.json

But the problem is that there are also log lines in this file:

$ head -20 scan.json
INFO[2023-09-29T15:52:27Z] updater.go:80 rule file exists: /home/deepfence/usr/threatintel-yara-rules-2023-09-29_01-26-52.tar.gz
INFO[2023-09-29T15:52:27Z] yara.go:71 including yara rule file /home/deepfence/usr/malware.yar
WARN[2023-09-29T15:52:27Z] yara.go:91 YARA compiler warning in %s ruleset: %s:%d %sfile/home/deepfence/usr/malware.yar18526expression always false - requesting 5 of 3.
INFO[2023-09-29T15:52:27Z] runner.go:73 Scanning image %s for IOC...
docker.io/library/debian:buster-20230725-slim
INFO[2023-09-29T15:52:27Z] process_image.go:70 image scan &{imageName:docker.io/library/debian:buster-20230725-slim imageId: tempDir:/tmp/Deepfence/YaraHunter/df_dockeriolibrarydebianbuster20230725slim imageManifest:{Config: RepoTags:[] Layers:[] LayerIds:[]} numIOCs:0}
INFO[2023-09-29T15:52:27Z] autodetect.go:181 connected successfully to endpoint: unix:///var/run/docker.sock
INFO[2023-09-29T15:52:35Z] autodetect.go:218 container runtime detected: docker
INFO[2023-09-29T15:52:37Z] process_image.go:631 Image docker.io/library/debian:buster-20230725-slim saved in /tmp/Deepfence/YaraHunter/df_dockeriolibrarydebianbuster20230725slim
INFO[2023-09-29T15:52:38Z] util.go:110 Deleting temporary dir /tmp/Deepfence/YaraHunter/df_dockeriolibrarydebianbuster20230725slim
INFO[2023-09-29T15:52:39Z] runner.go:125 result severity counts: {Total:28 High:16 Medium:3 Low:9}
summary:
  total=28 high=16 medium=3 low=9

{
  "Timestamp": "2023-09-29T15:52:39.049732262Z",
  "Image Name": "docker.io/library/debian:buster-20230725-slim",
  "Image ID": "e1b92a6f8d1298f27568bccc58adf390f553d579ccd5a1a65e6754787252a3c5",
  "Container ID": "",
  "IOC": [
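
One way to consume the mixed stdout this issue shows, as an added Go example that is not part of YaraHunter: skip the log lines and the summary block, decode the JSON report that follows, and list the matched rule names the way the README's jq filter does. The ScanReport fields are the keys visible in the output above; sampleOutput is constructed, and the function names are this example's own.

```go
package main

import (
	"bufio"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ScanReport is the subset of the YaraHunter JSON report used here; the key
// names are those shown in the issue ("Image Name", "IOC", ...).
type ScanReport struct {
	Timestamp string           `json:"Timestamp"`
	ImageName string           `json:"Image Name"`
	ImageID   string           `json:"Image ID"`
	IOC       []map[string]any `json:"IOC"`
}

// extractReport skips everything before the report (logrus lines, the
// "summary:" block) and decodes the first JSON object that follows.
func extractReport(mixed string) (*ScanReport, error) {
	sc := bufio.NewScanner(strings.NewReader(mixed))
	sc.Buffer(make([]byte, 1<<20), 16<<20) // matched strings can be long
	var body strings.Builder
	inJSON := false
	for sc.Scan() {
		line := sc.Text()
		if !inJSON {
			// Log lines start with INFO[...]/WARN[...] or free text; the
			// report is the first line consisting of just "{".
			if strings.TrimSpace(line) != "{" {
				continue
			}
			inJSON = true
		}
		body.WriteString(line)
		body.WriteByte('\n')
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	if !inJSON {
		return nil, errors.New("no JSON report found in output")
	}
	var r ScanReport
	// Decoder reads one value and ignores anything logged after the report.
	if err := json.NewDecoder(strings.NewReader(body.String())).Decode(&r); err != nil {
		return nil, fmt.Errorf("report is not valid JSON: %w", err)
	}
	return &r, nil
}

// matchedRuleNames is the equivalent of the README's
// jq '.IOC[] | ."Matched Rule Name"' over a parsed report.
func matchedRuleNames(r *ScanReport) []string {
	names := make([]string, 0, len(r.IOC))
	for _, ioc := range r.IOC {
		if n, ok := ioc["Matched Rule Name"].(string); ok {
			names = append(names, n)
		}
	}
	return names
}

// sampleOutput is a constructed stand-in for `--output=json > scan.json`:
// log lines in the shape quoted in the issue, followed by a short report.
const sampleOutput = `INFO[2023-09-29T15:52:27Z] yara.go:71 including yara rule file /home/deepfence/usr/malware.yar
INFO[2023-09-29T15:52:39Z] runner.go:125 result severity counts: {Total:2 High:2 Medium:0 Low:0}
summary:
  total=2 high=2 medium=0 low=0

{
  "Timestamp": "2023-09-29T15:52:39.049732262Z",
  "Image Name": "metal3d/xmrig:latest",
  "Image ID": "constructed-image-id",
  "Container ID": "",
  "IOC": [
    {"Matched Rule Name": "XMRIG_Miner", "File Name": "/usr/local/bin/xmrig"},
    {"Matched Rule Name": "XMRIG_Miner", "File Name": "/usr/local/bin/xmrig-notls"}
  ]
}
`

func main() {
	r, err := extractReport(sampleOutput)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("image:", r.ImageName)
	for _, n := range matchedRuleNames(r) {
		fmt.Println("matched rule:", n)
	}
}
```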

Kubernetes Admission Controller

Use Case: I would like to protect my Kubernetes cluster by preventing the deployment of containers that appear to contain malware.

Requirement: a "validating" Kubernetes admission controller that executes IOCScanner against workloads and prevents the deployment of workloads that appear to contain malware.

Documentation requirements:

  • HOWTO documentation
  • Explanation of logging in success and failure cases, to assist troubleshooting
  • Worked example, using a false-positive known-bad container that fails the IOCScan checks
  • HOWTO configure Admission Controller to skip tests for certain containers ("in emergency, break glass"), for example, not blocking deployment of containers with certain labels.
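
The admission decision such a controller has to make, as an added example written for this issue rather than code from the YaraHunter project. It reads the pod out of an AdmissionReview, honours a break-glass label, scans every container and init-container image through an injected scanner, and fails closed when a scan errors. The label name `yarahunter.deepfence.io/skip-scan`, the `Scanner` function type and the pod JSON in `main` are all assumptions made for the example; the page specifies none of them.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// BreakGlassLabel is a hypothetical label name chosen for this example; a pod
// carrying it with value "true" is admitted without a scan ("in emergency, break glass").
const BreakGlassLabel = "yarahunter.deepfence.io/skip-scan"

// Minimal AdmissionReview shapes: only the fields this decision needs.
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

type AdmissionRequest struct {
	UID    string          `json:"uid"`
	Object json.RawMessage `json:"object"`
}

type AdmissionResponse struct {
	UID      string   `json:"uid"`
	Allowed  bool     `json:"allowed"`
	Warnings []string `json:"warnings,omitempty"`
	Status   *Status  `json:"status,omitempty"`
}

type Status struct {
	Code    int    `json:"code"`
	Message string `json:"message"`
}

type pod struct {
	Metadata struct {
		Name   string            `json:"name"`
		Labels map[string]string `json:"labels"`
	} `json:"metadata"`
	Spec struct {
		InitContainers []struct{ Image string `json:"image"` } `json:"initContainers"`
		Containers     []struct{ Image string `json:"image"` } `json:"containers"`
	} `json:"spec"`
}

// Scanner returns the number of high-severity matches for an image. A real
// webhook would run the malware scanner here; tests and main inject a fake.
type Scanner func(image string) (high int, err error)

// Decide builds the AdmissionResponse for one review. It fails closed: a
// scanner error denies the pod, since "could not scan" is not evidence of a clean image.
func Decide(review AdmissionReview, scan Scanner) AdmissionReview {
	resp := &AdmissionResponse{}
	out := AdmissionReview{APIVersion: review.APIVersion, Kind: review.Kind, Response: resp}
	deny := func(code int, msg string) AdmissionReview {
		resp.Allowed = false
		resp.Status = &Status{Code: code, Message: msg}
		return out
	}
	if review.Request == nil {
		return deny(400, "admission review has no request")
	}
	resp.UID = review.Request.UID
	var p pod
	if err := json.Unmarshal(review.Request.Object, &p); err != nil {
		return deny(400, "cannot decode pod: "+err.Error())
	}
	if p.Metadata.Labels[BreakGlassLabel] == "true" {
		resp.Allowed = true
		resp.Warnings = []string{fmt.Sprintf("pod %s admitted without malware scan (%s=true)", p.Metadata.Name, BreakGlassLabel)}
		return out
	}
	var images []string
	for _, c := range p.Spec.InitContainers {
		images = append(images, c.Image)
	}
	for _, c := range p.Spec.Containers {
		images = append(images, c.Image)
	}
	var flagged []string
	for _, img := range images {
		high, err := scan(img)
		if err != nil {
			return deny(500, fmt.Sprintf("malware scan of %s failed: %v", img, err))
		}
		if high > 0 {
			flagged = append(flagged, fmt.Sprintf("%s (%d high-severity matches)", img, high))
		}
	}
	if len(flagged) > 0 {
		return deny(403, "pod "+p.Metadata.Name+" denied, malware indicators in: "+strings.Join(flagged, ", "))
	}
	resp.Allowed = true
	return out
}

func main() {
	// Constructed review for the example; the image names are made up.
	obj := `{"metadata":{"name":"web","labels":{}},"spec":{"containers":[{"image":"nginx:1.25"},{"image":"evil/miner:latest"}]}}`
	review := AdmissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview",
		Request: &AdmissionRequest{UID: "u1", Object: json.RawMessage(obj)}}
	fake := func(img string) (int, error) { // stands in for a real scan
		if img == "evil/miner:latest" {
			return 3, nil
		}
		return 0, nil
	}
	json.NewEncoder(os.Stdout).Encode(Decide(review, fake))
}
```

The break-glass branch still records a warning in the response, so an admitted-but-unscanned pod shows up in the API server's audit trail rather than silently bypassing the check.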

User-provided YARA rules

Rules are currently hardcoded in scan/filescan.yar. Users who want to use their own rules will need to build the container from scratch and add their rules into that file.

We should offer a simple means for users to provide their own rules, without needing to rebuild or edit the container image. Something in config.yaml or a CLI option for deepfence-ioc-scanner would be appropriate.

Example use case: I want to use the prebuilt IOCScanner image with a subset of the rules in https://github.com/Yara-Rules/rules to scan containers and filesystems.

Progress output from YaRadare is not valid JSON

As YaRadare runs, it outputs progress information that appears to be JSON-formatted, but is not valid JSON. A user could easily be confused into believing the output can be processed as JSON.

Compare the output from the following two invocations of YaRadare:

# Capture output to the terminal and save in /tmp/output-1.txt
docker run -i --rm --name=deepfence-yaradare -v /var/run/docker.sock:/var/run/docker.sock deepfenceio/deepfence-yaradare:latest --image-name node:latest > /tmp/output-1.txt

# Instruct YaRadare to save output to /tmp/output-2.txt
docker run -i --rm --name=deepfence-yaradare -v /var/run/docker.sock:/var/run/docker.sock -v /tmp:/home/deepfence/output deepfenceio/deepfence-yaradare:latest --image-name node:latest --json-filename=output-2.txt

/tmp/output-2.txt is valid JSON.

/tmp/output-1.txt appears to be JSON, but is instead a stream of JSON-like progress reports (where some values are not quoted), followed by an empty IOC list.

IOCScanner naming

TODO: determine a project name before we publish.

Deepfence naming convention: Noun:Verber (e.g. ThreatMapper, PacketStreamer, FlowMeter...)

Candidate Noun: IOC, Malware
Candidate Verber: Scanner, Hunter, Finder

Analysis (for each candidate: whether it already exists; Google hit counts for "N V", "N-V" and "NV"; GitHub hits for "NV" as repos, code):

IOCScanner
  Exists?  No significant products with this name, but it is a common description for tools ("SolarWinds IOC Scanner" etc.)
  Google:  0.6m, 3930, 246
  GitHub:  6, 77

IOCHunter ("IO Chunter"?)
  Exists?  https://pypi.org/project/ioc-hunter/ ; https://twitter.com/su13ym4n/status/1184015983024975872?lang=en
  Google:  6.6m, 6320, 101
  GitHub:  0, 0

IOCFinder
  Exists?  https://fireeye.market/apps/211408 ; https://github.com/fhightower/ioc-finder (active, 96*)
  Google:  1.2m, 3360, 243
  GitHub:  0, 20

MalwareScanner
  Exists?  https://www.kitploit.com/2022/04/malwarescanner-simple-malware-scanner.html ; https://github.com/password123456/malwarescanner (quiet, 51*)
  Google:  71m, 557k, 26k
  GitHub:  18, 1004

MalwareHunter
  Exists?  https://github.com/abdesslem/malwareHunter (dead, 47*) ; https://github.com/jgajek/MalwareHunter (dead, 10*)
  Google:  2.9m, 594k, 10.8k
  GitHub:  3, 79

MalwareFinder
  Exists?  https://github.com/HookJordan/MalwareFinder (dead, 5*)
  Google:  33m, 14k, 301
  GitHub:  3, 44

Recommendations

IOC is a little obtuse and is not 100% accurate; for example, in ThreatStryker, we use IOCs to refer to events. Malware is more recognisable and is the term that Yara uses to describe the artefacts it detects (see https://virustotal.github.io/yara/).

MalwareScanner is very generic. MalwareHunter or MalwareFinder might be appropriate.

Happy to consider other Noun and Verber ideas

[feat]:Docker extension for YaraHunter

Design and develop docker extension for YaraHunter with following features.

  • Ability to list all images present locally
  • Ability to run malware scans on selected image
  • Result in human readable table format instead of JSON
  • In-depth details of each scan result

Output from IOCScanner is not tidy

The default output from IOCScanner should be easily machine-readable.

The current output is written to stdout, and resembles the following:

$ docker run -it --rm --name=deepfence-ioc-scanner -v $(pwd):/home/deepfence/output -v /var/run/docker.sock:/var/run/docker.sock deepfenceio/deepfence-ioc-scanner:latest -image-name deepfenceio/deepfence-ioc-scanner:latest
Initializing....
Scanning image deepfenceio/deepfence-ioc-scanner:latest for IOC...
INFO[2022-06-30 13:00:00] trying to connect to endpoint 'unix:///var/run/docker.sock' with timeout '10s'
INFO[2022-06-30 13:00:00] connected successfully using endpoint: unix:///var/run/docker.sock
INFO[2022-06-30 13:00:00] trying to connect to endpoint 'unix:///run/containerd/containerd.sock' with timeout '10s'
WARN[2022-06-30 13:00:10] could not connect to endpoint 'unix:///run/containerd/containerd.sock': context deadline exceeded
INFO[2022-06-30 13:00:10] trying to connect to endpoint 'unix:///run/k3s/containerd/containerd.sock' with timeout '10s'
WARN[2022-06-30 13:00:20] could not connect to endpoint 'unix:///run/k3s/containerd/containerd.sock': context deadline exceeded
INFO[2022-06-30 13:00:20] container runtime detected: docker
Scanning image /tmp/Deepfence/IOCScanning/df_deepfenceiodeepfenceiocscannerlatest/save-output.tar for IOCs...
include filescan.yar
include filescan.yar
include filescan.yar
include filescan.yar
include filescan.yar
include filescan.yar
include filescan.yar
[{description This rule is looking for B64 offsets of LazyNetToJscriptLoader which is a namespace specific to the internal version of the GadgetToJScript tooling.} {md5 7af24305a409a2b8f83ece27bb0f7900} {rev 4} {author FireEye}]
[{description Identifies GoRat malware in memory based on strings.} {md5 3b926b5762e13ceec7ac3a61e85c93bb} {rev 1} {author FireEye}]
[{date_created 2020-12-01} {date_modified 2020-12-01} {md5 d5d3d23c8573d999f1c48d3e211b1066} {rev 1} {author FireEye}]
[{date_created 2020-11-27} {date_modified 2020-11-27} {md5 d0a830403e56ebaa4bfbe87dbfdee44f} {rev 1} {author FireEye}]
[{author FireEye}]
[{author Akamai CSIRT} {description Rule to detect XOR DDos infection}]
    {
      "Image Layer ID": "76bf69f202ff803d5f037e1d2407965e6ed2e387ce887fcf05d7fbd1b415409a",
      "Matched Rule Name": "Hunting_GadgetToJScript_1",
      "String to Match": [   $s1 $s2 $s3],
      "Content to Match": ",,,GF6eU5ldFRvSnNjcmlwdExvYWRl,henlOZXRUb0pzY3JpcHRMb2Fk,YXp5TmV0VG9Kc2NyaXB0TG9hZGV",
      "Severity": "high",
      "Severity Score": 10.00,
      "Full File Name": "/tmp/Deepfence/IOCScanning/df_deepfenceiodeepfenceiocscannerlatest/ExtractedFiles/76bf69f202ff803d5f037e1d2407965e6ed2e387ce887fcf05d7fbd1b415409a/home/deepfence/usr/filescan.yar",
      "Match Rule Meta": [   value: This rule is looking for B64 offsets of LazyNetToJscriptLoader which is a namespace specific to the internal version of the GadgetToJScript tooling. value: 7af24305a409a2b8f83ece27bb0f7900 value: 4 value: FireEye],
    },
    {
      "Image Layer ID": "76bf69f202ff803d5f037e1d2407965e6ed2e387ce887fcf05d7fbd1b415409a",
      "Matched Rule Name": "APT_Backdoor_Win_GoRat_Memory",
      "String to Match": [                    $murica $murica $murica $murica $murica $murica $rat1 $rat1 $rat2 $rat3 $rat4 $rat5 $rat6 $rat7 $rat8 $rat9 $rat9 $rat10 $rat11 $winblows],
      "Content to Match": ",,,,,,,,,,,,,,,,,,,,murica,murica,murica,murica,murica,murica,rat/modules/socks.(*HTTPProxyClient).beacon,rat/modules/socks.(*HTTPProxyClient).beacon,rat.(*Core).generateBeacon,rat.gJitter,rat/comms.(*protectedChannel).SendCmdResponse,rat/modules/filemgmt.(*acquire).NewCommandExecution,rat/modules/latlisten.(*latlistensrv).handleCmd,rat/modules/netsweeper.(*netsweeperRunner).runSweep,rat/modules/netsweeper.(*Pinger).listen,rat/modules/socks.(*HTTPProxyClient).beacon,rat/modules/socks.(*HTTPProxyClient).beacon,rat/platforms/win/dyloader.(*memoryLoader).ExecutePluginFunction,rat/platforms/win/modules/namedpipe.(*dummy).Open,rat/platforms/win.(*winblows).GetStage",
      "Severity": "high",
      "Severity Score": 10.00,
      "Full File Name": "/tmp/Deepfence/IOCScanning/df_deepfenceiodeepfenceiocscannerlatest/ExtractedFiles/76bf69f202ff803d5f037e1d2407965e6ed2e387ce887fcf05d7fbd1b415409a/home/deepfence/usr/filescan.yar",
      "Match Rule Meta": [                    value: Identifies GoRat malware in memory based on strings. value: 3b926b5762e13ceec7ac3a61e85c93bb value: 1 value: FireEye],
    },
    {
      "Image Layer ID": "76bf69f202ff803d5f037e1d2407965e6ed2e387ce887fcf05d7fbd1b415409a",
      "Matched Rule Name": "Trojan_Macro_RESUMEPLEASE_1",
      "String to Match": [      $str00 $str01 $str02 $str03 $str04 $str05],
      "Content to Match": ",,,,,,For Binary As,Range.Text,Environ(,CByte(,.SpawnInstance_,.Create(",
      "Severity": "high",
      "Severity Score": 10.00,
      "Full File Name": "/tmp/Deepfence/IOCScanning/df_deepfenceiodeepfenceiocscannerlatest/ExtractedFiles/76bf69f202ff803d5f037e1d2407965e6ed2e387ce887fcf05d7fbd1b415409a/home/deepfence/usr/filescan.yar",
      "Match Rule Meta": [      value: 2020-12-01 value: 2020-12-01 value: d5d3d23c8573d999f1c48d3e211b1066 value: 1 value: FireEye],
    },
    {
      "Image Layer ID": "76bf69f202ff803d5f037e1d2407965e6ed2e387ce887fcf05d7fbd1b415409a",
      "Matched Rule Name": "APT_Builder_PY_REDFLARE_1",
      "String to Match": [       $1 $2 $3 $4 $5 $6 $7],
      "Content to Match": ",,,,,,,LOAD_OFFSET_32 = 0x612,LOAD_OFFSET_64 = 0x611,class RC4:,struct.pack('\u003cQ' if is64b else '\u003cL',stagerConfig['comms']['config'],_x86.dll,_x64.dll",
      "Severity": "high",
      "Severity Score": 10.00,
      "Full File Name": "/tmp/Deepfence/IOCScanning/df_deepfenceiodeepfenceiocscannerlatest/ExtractedFiles/76bf69f202ff803d5f037e1d2407965e6ed2e387ce887fcf05d7fbd1b415409a/home/deepfence/usr/filescan.yar",
      "Match Rule Meta": [       value: 2020-11-27 value: 2020-11-27 value: d0a830403e56ebaa4bfbe87dbfdee44f value: 1 value: FireEye],
    },
    {
      "Image Layer ID": "76bf69f202ff803d5f037e1d2407965e6ed2e387ce887fcf05d7fbd1b415409a",
      "Matched Rule Name": "APT_Backdoor_PS1_BASICPIPESHELL_1",
      "String to Match": [      $s1 $s2 $s3 $s4 $s5 $s6],
      "Content to Match": ",,,,,,function Invoke-Client(),function Invoke-Server,Read-Host 'Enter Command:',new-object System.IO.Pipes.NamedPipeClientStream(,new-object System.IO.Pipes.NamedPipeServerStream(, = iex $",
      "Severity": "high",
      "Severity Score": 10.00,
      "Full File Name": "/tmp/Deepfence/IOCScanning/df_deepfenceiodeepfenceiocscannerlatest/ExtractedFiles/76bf69f202ff803d5f037e1d2407965e6ed2e387ce887fcf05d7fbd1b415409a/home/deepfence/usr/filescan.yar",
      "Match Rule Meta": [      value: FireEye],
    },
    {
      "Image Layer ID": "76bf69f202ff803d5f037e1d2407965e6ed2e387ce887fcf05d7fbd1b415409a",
      "Matched Rule Name": "XOR_DDosv1",
      "String to Match": [       $st0 $st1 $st2 $st3 $st4 $st5 $st6],
      "Content to Match": ",,,,,,,BB2FA36AAA9541F0,md5=,denyip=,filename=,rmfile=,exec_packet,build_iphdr",
      "Severity": "high",
      "Severity Score": 10.00,
      "Full File Name": "/tmp/Deepfence/IOCScanning/df_deepfenceiodeepfenceiocscannerlatest/ExtractedFiles/76bf69f202ff803d5f037e1d2407965e6ed2e387ce887fcf05d7fbd1b415409a/home/deepfence/usr/filescan.yar",
      "Match Rule Meta": [       value: Akamai CSIRT value: Rule to detect XOR DDos infection],
    }include filescan.yar
include filescan.yar
{
  "Timestamp": "2022-06-30 13:00:31.400542592 +00:00",
  "Image Name": "deepfenceio/deepfence-ioc-scanner:latest",
  "Image ID": "6ad57ca08f568fc315a41354aeb18d3279e3165c7671134822c26ae088bedff4",
  "IOC": [

  ]
}

Recommendations

Scan results must go to STDOUT, and be a single JSON document
Diagnostic output (INFO and the like) must go to STDERR
All diagnostic messages should be prefixed by INFO/WARN etc and a timestamp

Default log level should be ERROR, so no messages are sent to STDERR on a successful scan

Rationale

This:

  • follows standard unix practices for non-interactive scripts
  • results in human-readable output (diagnostics and output are equally visible in the terminal)
  • is easy to machine-parse (you can pipe to another tool e.g. jq and the output is not corrupted by diagnostics)
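
What the recommendations above amount to in code, as an added example for this issue and for the earlier report of log lines landing in scan.json; it is not YaraHunter's own implementation. A leveled diagnostic writer is bound to stderr with a default threshold of ERROR, the result is encoded as exactly one JSON document on stdout using the key names seen in the scanner's output, and the severity summary the scanner logs is computed from the match list. The `YH_LOG_LEVEL` environment variable in `main` and the sample match are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"strings"
	"time"
)

// Level is the diagnostic threshold; the default of ERROR means a clean,
// successful scan writes nothing to stderr.
type Level int

const (
	INFO Level = iota
	WARN
	ERROR
)

var levelName = map[Level]string{INFO: "INFO", WARN: "WARN", ERROR: "ERROR"}

// Diag emits "LEVEL[timestamp] message" lines. In main it is bound to
// os.Stderr so diagnostics can never corrupt the JSON document on stdout.
type Diag struct {
	W   io.Writer
	Min Level
	Now func() time.Time
}

func (d *Diag) Logf(l Level, format string, args ...any) {
	if l < d.Min {
		return
	}
	fmt.Fprintf(d.W, "%s[%s] %s\n", levelName[l], d.Now().UTC().Format(time.RFC3339), fmt.Sprintf(format, args...))
}

// Match and Result use the key names that appear in the scanner's JSON output.
type Match struct {
	LayerID  string  `json:"Image Layer ID"`
	RuleName string  `json:"Matched Rule Name"`
	FileName string  `json:"Full File Name"`
	Severity string  `json:"Severity"`
	Score    float64 `json:"Severity Score"`
}

type Result struct {
	Timestamp   string  `json:"Timestamp"`
	ImageName   string  `json:"Image Name"`
	ImageID     string  `json:"Image ID"`
	ContainerID string  `json:"Container ID"`
	IOC         []Match `json:"IOC"`
}

// Summary reproduces the "result severity counts" line the scanner logs.
type Summary struct{ Total, High, Medium, Low int }

func Summarize(matches []Match) Summary {
	var s Summary
	for _, m := range matches {
		s.Total++
		switch strings.ToLower(m.Severity) {
		case "high":
			s.High++
		case "medium":
			s.Medium++
		case "low":
			s.Low++
		}
	}
	return s
}

// WriteReport writes exactly one JSON document, newline-terminated, so
// `scanner | jq .` works with no filtering of log lines.
func WriteReport(w io.Writer, r Result) error {
	if r.IOC == nil {
		r.IOC = []Match{} // emit [] rather than null for an empty scan
	}
	enc := json.NewEncoder(w)
	enc.SetIndent("", "  ")
	return enc.Encode(r)
}

func main() {
	diag := &Diag{W: os.Stderr, Min: ERROR, Now: time.Now}
	if os.Getenv("YH_LOG_LEVEL") == "info" { // hypothetical verbosity knob
		diag.Min = INFO
	}
	diag.Logf(INFO, "Scanning image %s for IOC...", "alpine:edge")
	// Constructed sample result; a real run would fill this from the YARA matches.
	r := Result{
		Timestamp: time.Now().UTC().Format(time.RFC3339Nano),
		ImageName: "alpine:edge",
		IOC:       []Match{{LayerID: "8196dd8ef273", RuleName: "XOR_DDosv1", FileName: "/usr/bin/x", Severity: "high", Score: 10}},
	}
	s := Summarize(r.IOC)
	diag.Logf(INFO, "result severity counts: total=%d high=%d medium=%d low=%d", s.Total, s.High, s.Medium, s.Low)
	if err := WriteReport(os.Stdout, r); err != nil {
		diag.Logf(ERROR, "writing report: %v", err)
		os.Exit(1)
	}
}
```

Run as `go run . | jq '.IOC | length'`: with the default threshold the terminal shows only jq's output, and `YH_LOG_LEVEL=info` puts the progress lines on stderr where the pipe does not see them.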

json-filename and output-path options have no apparent effect

The help text says:

 -json-filename string
    	Output json file name. If not set, it will automatically create a filename based on image or dir name
  -output-path string
    	Output directory where json file will be stored. If not set, it will output to current directory

Neither of these two runtime options has an obvious effect. JSON output is written to stdout by default. No files are created, and the output-path can be set to an invalid value (directory does not exist) with no ill effects.

Can we remove these two options?

If the intent is that we can output JSON to a file, then please replace these two options with a more typical --output option that specifies a file to write to.

Scan running Kubernetes containers

Requirement: I am running pods in Kubernetes and I have reason to suspect that one of the containers may have been compromised (high CPU, unexpected network, or just a desire for routine verification). I wish to run IOCScanner against workloads on my Kubernetes cluster.

Use Cases:

  • Run IOCScanner against a single container (provide container ID, pod ID, node ID): IOCScanner scans that single container
  • Run IOCScanner against a named pod (provide pod ID): IOCScanner locates that pod on the cluster and scans the containers within
  • Run IOCScanner against a named selector (e.g. service name, label etc): IOCScanner locates all matching pods and scans all of the containers within

Documentation Requirements:

  • How to satisfy each use case interactively and identify potentially-compromised workloads
  • How to satisfy each use case non-interactively and identify potentially-compromised workloads

Support remote registries

Use case: I am planning to deploy a container to production. I wish to scan this container for IOCs beforehand.

Workaround: I can pull the container from its remote location, and then scan the local copy:

docker pull node:10.19
docker run -it --rm --name=deepfence-ioc-scanner \
    -v /var/run/docker.sock:/var/run/docker.sock \
    deepfenceio/deepfence-ioc-scanner:latest -image-name node:10.19
docker rmi node:10.19

I would like to be able to scan the image directly:

docker run -it --rm --name=deepfence-ioc-scanner \
    -v /var/run/docker.sock:/var/run/docker.sock \
    deepfenceio/deepfence-ioc-scanner:latest -image-name node:10.19

... and for the scanner to pull and delete the image automatically.

Slow startup

When using yarahunter with docker run it's very slow to start because it's waiting for all supported sockets to time out before picking a working one. Note there are 20 seconds between "connected successfully using endpoint" and "container runtime detected: docker":

% docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock -v $PWD/tmp:/home/deepfence/output deepfenceio/yara-hunter:latest --image-name alpine:edge --json-filename=scan.json
copied size 384
copied size 1033730
server inside23 port {0xc0004dfa38 0xc0004a93c0 0xc0004df8d8 0xc0004a93d0 0xc0004a93e0 0xc0004a93f0 0xc0004a9400 0xc0004a9410 0xc0004a9420 0xc0004a9430 0xc0004df8e8 0xc0004a9440 0xc0004a9450 0xc0004a9460 0xc0004a9470 0xc0004a9480 0xc0004a93b0 0xc0004df8c8}
INFO[2022-12-11 23:53:32] trying to connect to endpoint 'unix:///var/run/docker.sock' with timeout '10s' 
INFO[2022-12-11 23:53:32] connected successfully using endpoint: unix:///var/run/docker.sock 
INFO[2022-12-11 23:53:32] trying to connect to endpoint 'unix:///run/containerd/containerd.sock' with timeout '10s' 
WARN[2022-12-11 23:53:42] could not connect to endpoint 'unix:///run/containerd/containerd.sock': context deadline exceeded 
INFO[2022-12-11 23:53:42] trying to connect to endpoint 'unix:///run/k3s/containerd/containerd.sock' with timeout '10s' 
WARN[2022-12-11 23:53:52] could not connect to endpoint 'unix:///run/k3s/containerd/containerd.sock': context deadline exceeded 
INFO[2022-12-11 23:53:52] container runtime detected: docker           
{
  "Timestamp": "2022-12-11 23:53:52.387706590 +00:00",
  "Image Name": "alpine:edge",
  "Image ID": "121d0da757518198deeb7d1df20aaae549834f8bc77195bbf5be1900c0144cff",
  "Malware match detected are": [

  ]
}
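
One way to avoid the serial wait the log above shows, as an added example and not YaraHunter's own detection code. All candidate sockets are dialled concurrently with a bounded timeout, and the first one that accepts a connection wins while the remaining dials are cancelled, so the worst case is a single timeout rather than one per endpoint. The endpoint list is taken from the log lines in this issue; the dial-only probe (no runtime API call) is an assumption made for the example.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)

// DefaultEndpoints lists the sockets in the order the scanner's log shows them being tried.
var DefaultEndpoints = []string{
	"unix:///var/run/docker.sock",
	"unix:///run/containerd/containerd.sock",
	"unix:///run/k3s/containerd/containerd.sock",
}

// probe dials one unix socket with a bounded timeout. A missing socket file
// fails immediately; only a socket that exists but never answers costs the full timeout.
func probe(ctx context.Context, endpoint string, timeout time.Duration) error {
	dctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	var d net.Dialer
	conn, err := d.DialContext(dctx, "unix", strings.TrimPrefix(endpoint, "unix://"))
	if err != nil {
		return err
	}
	return conn.Close()
}

// DetectRuntime probes every endpoint concurrently and returns as soon as one
// accepts a connection; the other dials are cancelled instead of running to
// their deadline.
func DetectRuntime(ctx context.Context, endpoints []string, timeout time.Duration) (string, error) {
	ctx, cancel := context.WithCancel(ctx)
	defer cancel()
	type outcome struct {
		endpoint string
		err      error
	}
	results := make(chan outcome, len(endpoints))
	for _, ep := range endpoints {
		go func(ep string) { results <- outcome{ep, probe(ctx, ep, timeout)} }(ep)
	}
	var failures []string
	for range endpoints {
		r := <-results
		if r.err == nil {
			return r.endpoint, nil
		}
		failures = append(failures, fmt.Sprintf("%s: %v", r.endpoint, r.err))
	}
	return "", fmt.Errorf("no container runtime reachable: %s", strings.Join(failures, "; "))
}

func main() {
	start := time.Now()
	ep, err := DetectRuntime(context.Background(), DefaultEndpoints, 10*time.Second)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Fprintf(os.Stderr, "container runtime endpoint %s detected in %s\n", ep, time.Since(start).Round(time.Millisecond))
}
```

If several runtimes are present the winner is whichever answers first, which is acceptable for a scanner that only needs one working socket; a tool that must prefer docker over containerd would collect all outcomes and pick the highest-priority success instead.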

Correct filename reporting

A file scan match currently reports the filename as follows:

"File Name": "/tmp/Deepfence/IOCScanning/df_8196dd8ef273/usr/include/linux/bpf.h"

We should correct this to:

"File Name": "/usr/include/linux/bpf.h"
"Layer": "8196dd8ef273"
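
A path normaliser that produces the proposed shape, as an added example written for this issue rather than code from the project. It handles the two scratch-directory layouts that appear in the outputs quoted on this page: `df_<layer>/<path>` for a layer scan and `df_<image>/ExtractedFiles/<layerId>/<path>` for an image scan, and refuses to guess a layer for anything else. The `Location` type and the `SplitScratchPath` function name are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Location is the report shape proposed in the issue: the path as it exists
// inside the image, plus the layer it came from.
type Location struct {
	FileName string `json:"File Name"`
	Layer    string `json:"Layer"`
}

const scratchRoot = "/tmp/Deepfence/IOCScanning/"

// SplitScratchPath turns a path under the scanner's scratch directory into
// (in-image path, layer). Two layouts appear in the scanner's output:
//
//	<root>/df_<layer>/<path>                            layer scan
//	<root>/df_<image>/ExtractedFiles/<layerId>/<path>   image scan
//
// ok is false for anything else, so callers report the raw path rather than
// a made-up layer.
func SplitScratchPath(full string) (Location, bool) {
	if !strings.HasPrefix(full, scratchRoot) {
		return Location{FileName: full}, false
	}
	parts := strings.Split(strings.TrimPrefix(full, scratchRoot), "/")
	if len(parts) < 2 || !strings.HasPrefix(parts[0], "df_") {
		return Location{FileName: full}, false
	}
	layer := strings.TrimPrefix(parts[0], "df_")
	rest := parts[1:]
	if rest[0] == "ExtractedFiles" {
		if len(rest) < 3 { // layer directory with no file under it
			return Location{FileName: full}, false
		}
		layer, rest = rest[1], rest[2:]
	}
	return Location{FileName: "/" + strings.Join(rest, "/"), Layer: layer}, true
}

func main() {
	path := "/tmp/Deepfence/IOCScanning/df_8196dd8ef273/usr/include/linux/bpf.h" // the path from the issue
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	loc, ok := SplitScratchPath(path)
	if !ok {
		fmt.Fprintf(os.Stderr, "not a scratch path, reporting as-is: %s\n", path)
	}
	json.NewEncoder(os.Stdout).Encode(loc)
}
```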

Scan for IOCs as during CI/CD as well as at runtime

Problem Statement:

Build a simple command line scanner which can be run in CI/CD plug-ins, and at runtime, to scan container images, running containers, hosts, volumes and more for known indicators of compromise pertaining to:

  • Cryptominers
  • Malware
  • Malicious files, binaries and packages
  • Live connections, and C2 activities
  • Any malicious traces in file systems, log files etc

Why?

Multiple reasons to do this as part of CI/CD and at runtime, to figure out:

  • Supply chain IOCs
  • Am I pwned checks on production infrastructure
  • No such tool exists for K8s and serverless so this fills a major gap

How?

YARA rule matching; it's static, but this seems to be the best way to exchange and add to community threat intel.
