Vscan/vscan-scan-dir

From aldeid

Description

Recursively scan a directory using filters and sensors. This utility uses a configuration file named ./config.lua.

Usage

config.lua configuration file

Description

Several vscan* commands read configuration data from a file named ./config.lua. This file is written in the Lua language.

In several places, the configuration format calls for strings describing regular expressions. These strings must use Google RE2 regular expression syntax. RE2 is deliberately more restrictive than PCRE or Lua patterns: it has no backreferences and no lookaround, so a pattern that relies on those will be rejected rather than matched.

Variable: filenames

nil
Default. Scan all files
filenames = nil
"regular_expression"
Only scan files whose name matches the regular expression; this is normally used to filter by extension. For example:
filenames = "^.*(?i:htm|html|[aj]sp[a-z]?|js|php|xml)$"
Note that this example contains no literal dot, so it matches on the trailing characters of the name only (anything ending in "js" or "xml" qualifies); add "\\." before the alternation if you want a real extension match.

Variable: mode

search
Default mode. Applies configured sensors to input samples
collect
Appends input samples to a compressed tarball for offline analysis

Variable: last_modified

nil
Default. All files should be scanned, regardless of their mtime
"YYYYmmdd"
Only files whose mtime is newer than the specified date should be scanned.
e.g. last_modified = "20130201"

Variable: sensors

{ ... }
Required. Table mapping sensor name strings to RE2 regex pattern strings.
e.g.: sensors = { ["old_hash"] = "(?ims:md[245])" }

Full example

filenames = "^.*(?i:htm|html|[aj]sp[a-z]?|js|php|xml)$"
last_modified = nil
sensors = {
  ["re_script"]   =  "[^=]=RegExp;",
  ["ev_script"]   =  "eval\\([A-Za-z0-9]+\\)",
  ["ru_script"]   =  "(?ims:<script[^>]*?\\.ru[^>]*?>)",
  ["ss_script"]   =  "<script src=[^>]*?(?i:php|js)[^>]*>",
  ["nu_script"]   =  "(?ms:(?:[x0-9]+[+/*\\-]+[x0-9]+,){10,})",
  ["base64"   ]   =  "base64_decode([^)]*)",
  ["ck_script"]   =  "<script>check_content\\(\\)</script>",
  ["un_script"]   =  "(?ims:unescape\\([^)]*?\\))",
  ["9t_script"]   =  "}}}eval\\([a-z]\\);}}",
  ["07_script"]   =  "000007\\.ru",
  ["ar_script"]   =  "cheapairliney\\.info",
  ["wk_script"]   =  "<script[^<]*?wkoder[^>]*>",
  ["bh_script"]   =  "document\\.write\\(unescape\\(''\\)\\+unescape\\('%3C'\\)\\+String.fromCharCode\\(105\\)",
  ["fc_script"]   =  "eval\\(\"String.fromCharCode",
  ["pn_script"]   =  "document.write\\(\"<if[^)]*\\)",
  ["rd_script"]   =  "document.write\\([A-Za-z0-9]+\\(.[0-9A-Fa-f]+.\\)\\)",
  ["ht_script"]   =  "(?ims:</html>.*?<script>.*$)",
  ["al_tag"   ]   =  "(?ims:<[a-z0-9]{14,}>)",
  ["ez_iframe"]   =  "(?ims:<iframe[^>]*>)",
  ["dn_iframe"]   =  "(?ims:<div style=\"display:none\">[^<]*<iframe.*?(?:/>|</iframe>))",
  ["vh_iframe"]   =  "(?ims:<iframe[^>]*?visibility: ?hidden)",
  ["c162_iframe"] =  "id=\"c162\"",
  ["tx_iframe"]   =  "(?ims:textarea[^<]*?iframe[^<]*<)",
  ["go_iframe"]   =  "goooogleadsence.biz",
  ["ol_iframe"]   =  "<iframe[^>]*?onload[^>]*>",
  ["uknmv1"   ]   =  "UKNMV1",
  ["wr1ite"   ]   =  "wr1ite",
  ["glondis"  ]   =  "glondis.cn",
  ["afterhtml"]   =  "(?ims:</html>.*[^ \t\r\n].*$)",
  ["eroticweb"]   =  "(?ims:eroticweb\\.ru)",
  ["gifimg_str"]  =  "gifimg\\.php",
  ["fdc_str"]     =  "fairwaydrycleaners",
}
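To make the interaction of filenames, last_modified, mode and sensors concrete, here is a small Python model of the scanner, added as an example; it is not vscan's own code and is not a substitute for it. It assumes the following, none of which the page states explicitly: the C line counts every directory and file seen, including ones the filters skipped; percent-encoding leaves only ASCII letters, digits and "/" bare (which reproduces the "arru%2Eexe" style of the page's output); and collect mode archives files that pass the filename filter without running the sensors. The sensor table is a subset of the config above. One caveat: vscan runs these patterns under RE2, while this model uses Python's re, which accepts the scoped flags used here ((?i:...), (?ims:...)) but is a different engine, so check any pattern against the engine that will really run it.

```python
"""Model of vscan-scan-dir search/collect mode (added example, not vscan code)."""
import os
import re
import tarfile
import tempfile
import time

# Subset of the sensors from the config.lua above, as Python raw strings.
# Caveat: vscan uses RE2; Python's re is a different engine (assumption: the
# patterns below behave identically in both, which holds for this subset).
SENSORS = {
    "ev_script": r"eval\([A-Za-z0-9]+\)",
    "ez_iframe": r"(?ims:<iframe[^>]*>)",
    "vh_iframe": r"(?ims:<iframe[^>]*?visibility: ?hidden)",
    "exe_file":  r"This program cannot be run in DOS mode",
}
FILENAMES = r"^.*(?i:htm|html|[aj]sp[a-z]?|js|php|xml)$"


def pct(s):
    """Percent-encode a qpath or capture. Assumption: only ASCII letters,
    digits and '/' stay bare, which reproduces the page's 'arru%2Eexe'."""
    out = []
    for ch in s:
        if ch.isascii() and (ch.isalnum() or ch == "/"):
            out.append(ch)
        else:
            out.extend("%%%02X" % b for b in ch.encode("utf-8"))
    return "".join(out)


def scan_dir(root, sensors=SENSORS, filenames=FILENAMES, last_modified=None,
             mode="search", tarball="examples.tar.gz"):
    """Walk root and return the output lines (F/P/C/E) as a list of strings.
    Assumption: the C line counts every directory and file seen, including
    those the filters skipped."""
    compiled = {n: re.compile(p.encode()) for n, p in sensors.items()}
    name_re = re.compile(filenames) if filenames else None
    cutoff = (time.mktime(time.strptime(last_modified, "%Y%m%d"))
              if last_modified else None)
    tar = tarfile.open(tarball, "w:gz") if mode == "collect" else None
    out, n_dirs, n_files, n_hit = [], 0, 0, 0
    for dirpath, _, names in os.walk(root):
        n_dirs += 1
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            n_files += 1
            if name_re and not name_re.search(name):
                continue                      # filenames filter
            if cutoff is not None and os.path.getmtime(path) <= cutoff:
                continue                      # last_modified filter
            if tar is not None:
                tar.add(path)                 # collect mode: archive, do not scan
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError as err:
                out.append("E %s: %s" % (pct(path), err.strerror))
                continue
            hits = []
            for sname, rx in compiled.items():
                m = rx.search(data)
                if m:
                    hits.append(sname)
                    cap = m.group(0).decode("latin-1")
                    out.append("F %s %s %s" % (pct(path), sname, pct(cap)))
            if hits:
                n_hit += 1
                out.append("P %s %s" % (pct(path), " ".join(hits)))
    if tar is not None:
        tar.close()
    out.append("C %s %d %d %d" % (pct(root), n_dirs, n_files, n_hit))
    return out


def collected_names(tarball):
    """Basenames of the files a collect-mode run archived."""
    with tarfile.open(tarball) as tar:
        return sorted(os.path.basename(n) for n in tar.getnames())


def build_sample_tree():
    """Constructed sample directory: a hidden-iframe page, an eval() script
    backdated to 2010, a PE-like binary and a plain text file."""
    base = tempfile.mkdtemp(prefix="vscan-demo-")
    root = os.path.join(base, "site")
    os.mkdir(root)
    files = {
        "index.html": b'<html><body><IFRAME src="/x" style="visibility:hidden">'
                      b"</iframe></body></html>",
        "old.js": b"var a=1;\neval(abc);\n",
        "setup.exe": b"MZ\x90\x00This program cannot be run in DOS mode\r\n",
        "notes.txt": b"nothing to see here\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    old = time.mktime(time.strptime("20100101", "%Y%m%d"))
    os.utime(os.path.join(root, "old.js"), (old, old))
    return root


if __name__ == "__main__":
    for line in scan_dir(build_sample_tree()):
        print(line)
```

With the filename filter in place the .exe and .txt files are never opened, so exe_file cannot fire even though the binary contains the string; passing filenames=None scans everything, and last_modified="20200101" drops the backdated old.js. That is the trap to keep in mind when a sensor "does not work": check the filters before the pattern.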

Syntax

$ vscan-scan-dir <dir>

Output

Search mode

In search mode, vscan-scan-dir writes its results to stdout. Each result is one line starting with a typecode followed by one or more space-delimited fields. The possible lines are:

F <qpath> <feature> <capture>
Feature: sensor <feature> matched in file <qpath>; <capture> is the text the sensor matched
P <qpath> <feature>+
Path summary: one line per interesting file, listing every sensor that matched in it
C <qpath> <num dirs> <num files> <num interesting>
Count statistics for the scanned tree
E <freeform text>
Errors

The qpath and capture fields are percent-encoded (for example "." becomes %2E and a space %20), so each field is a single token without whitespace and lines can safely be split on spaces. Decode the fields before comparing them with real paths or content.
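Because the fields are percent-encoded, a few lines of Python are enough to turn the output into something you can pivot on. The parser below is an added example and not vscan's own vscan-summarize or vscan-report; its sample input reuses the F/P/C lines from the Example section further down, plus constructed lines for a hypothetical evil.html and one E line, so that it shows a file with two features and a capture that itself contains a literal percent sign (double-encoded in the output).

```python
"""Parser for vscan-scan-dir search-mode output (added example, not vscan code)."""
from collections import Counter
from urllib.parse import unquote

# Constructed sample: the F/P/C lines from the page's example plus invented
# evil.html and E lines (hypothetical, not real vscan output).
SAMPLE_OUTPUT = """\
F /data/exploits/arru%2Eexe exe_file This%20program%20cannot%20be%20run%20in%20DOS%20mode
P /data/exploits/arru%2Eexe exe_file
F /data/exploits/setup%5B1%5D%2Eexe exe_file This%20program%20cannot%20be%20run%20in%20DOS%20mode
P /data/exploits/setup%5B1%5D%2Eexe exe_file
F /data/exploits/evil%2Ehtml ez_iframe %3Ciframe%20src%3D%22x%22%3E
F /data/exploits/evil%2Ehtml un_script unescape%28%27%25%33%43%27%29
P /data/exploits/evil%2Ehtml ez_iframe un_script
E permission denied: /data/exploits/locked
C /data/exploits 1 223 220
"""


def parse_vscan(text):
    """Split vscan search-mode output into its four record types.

    Returns (features, paths, counts, errors):
      features: list of (path, sensor, capture), percent-decoded
      paths:    dict path -> list of sensors that fired on it
      counts:   (root, num_dirs, num_files, num_interesting) or None
      errors:   list of raw E-line texts
    """
    features, paths, counts, errors = [], {}, None, []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        code, _, rest = raw.partition(" ")
        if code == "F":
            # capture is percent-encoded, so it never contains a bare space
            qpath, sensor, capture = rest.split(" ", 2)
            features.append((unquote(qpath), sensor, unquote(capture)))
        elif code == "P":
            fields = rest.split(" ")
            paths[unquote(fields[0])] = fields[1:]
        elif code == "C":
            root, dirs, files, interesting = rest.split(" ")
            counts = (unquote(root), int(dirs), int(files), int(interesting))
        elif code == "E":
            errors.append(rest)
        else:
            raise ValueError("unknown typecode in line: %r" % raw)
    return features, paths, counts, errors


def files_per_sensor(paths):
    """Number of files each sensor flagged, computed from the P lines."""
    tally = Counter()
    for sensors in paths.values():
        tally.update(sensors)
    return dict(tally)


def paths_with_all(paths, *wanted):
    """Files on which every one of the given sensors fired (useful for
    narrowing a noisy sensor such as ez_iframe with a second one)."""
    need = set(wanted)
    return sorted(p for p, s in paths.items() if need <= set(s))


if __name__ == "__main__":
    feats, paths, counts, errs = parse_vscan(SAMPLE_OUTPUT)
    print(counts)
    print(files_per_sensor(paths))
    print(paths_with_all(paths, "ez_iframe", "un_script"))
```

Note the un_script capture: the file contained unescape('%3C'), and because the capture field is itself percent-encoded it arrives as %25%33%43; a single unquote restores the original text, and decoding twice would silently corrupt it.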

Collect mode

In collect mode, vscan-scan-dir copies the files with interesting names (those passing the filenames filter) into a compressed tarball at ./examples.tar.gz instead of reporting matches. These samples can be scanned offline with vscan-scan-tarball and archived for longitudinal analysis.

Example

Let's say we have a directory containing malicious files, some of which are Windows PE executables. The standard DOS stub that linkers place at the start of a PE file contains the string "This program cannot be run in DOS mode", so the following configuration file identifies them (no filenames filter is set, so every file is scanned). Since a sensor is only a pattern match, a sample with a custom or stripped DOS stub would be missed:

$ cat > config.lua << EOF
last_modified = nil
sensors = {
    ["exe_file"] = "This program cannot be run in DOS mode",
}
EOF

Now, let's scan our directory:

$ vscan-scan-dir /data/exploits
F /data/exploits/arru%2Eexe exe_file This%20program%20cannot%20be%20run%20in%20DOS%20mode
P /data/exploits/arru%2Eexe exe_file
F /data/exploits/setup%5B1%5D%2Eexe exe_file This%20program%20cannot%20be%20run%20in%20DOS%20mode
P /data/exploits/setup%5B1%5D%2Eexe exe_file
F /data/exploits/nuxninqynkow%2Eexe exe_file This%20program%20cannot%20be%20run%20in%20DOS%20mode
P /data/exploits/nuxninqynkow%2Eexe exe_file
[REMOVED]
C /data/exploits 1 223 220

We can redirect the results to a file and then produce statistics from it with vscan-summarize and vscan-report:

$ vscan-scan-dir /data/exploits > results
$ vscan-summarize results
Summary: 
  0 exe_file 165
$ vscan-report 
     [sig]         total  [     0]
      exe_file       165       165
