Vscan/vscan-scan-dir
Description
Recursively scan a directory using filters and sensors. This utility uses a configuration file named ./config.lua.
Usage
config.lua configuration file
Description
Several vscan* commands read configuration data from a file named ./config.lua. This file is written in the Lua language.
In several places, the configuration format calls for strings describing regular expressions. These strings must use Google RE2 regular expression syntax.
Variable: filenames
- nil
- Default. Scan all files
- filenames = nil
- "regular_expression"
- Only scan files whose names match the expression (typically a filter on the extension). For example:
- filenames = "^.*(?i:htm|html|[aj]sp[a-z]?|js|php|xml)$"
Variable: mode
- search
- Default mode. Applies configured sensors to input samples
- collect
- Appends input samples to a compressed tarball for offline analysis
Variable: last_modified
- nil
- Default. All files should be scanned, regardless of their mtime
- "YYYYmmdd"
- Only files whose mtime is newer than the specified date should be scanned.
- e.g. last_modified = "20130201"
Variable: sensors
- { ... }
- Required. Table mapping sensor name strings to RE2 regex pattern strings.
- e.g.: sensors = { ["old_hash"] = "(?ims:md[245])" }
Full example
filenames = "^.*(?i:htm|html|[aj]sp[a-z]?|js|php|xml)$"
last_modified = nil
sensors = {
    ["re_script"] = "[^=]=RegExp;",
    ["ev_script"] = "eval\\([A-Za-z0-9]+\\)",
    ["ru_script"] = "(?ims:<script[^>]*?\\.ru[^>]*?>)",
    ["ss_script"] = "<script src=[^>]*?(?i:php|js)[^>]*>",
    ["nu_script"] = "(?ms:(?:[x0-9]+[+/*\\-]+[x0-9]+,){10,})",
    ["base64" ] = "base64_decode([^)]*)",
    ["ck_script"] = "<script>check_content\\(\\)</script>",
    ["un_script"] = "(?ims:unescape\\([^)]*?\\))",
    ["9t_script"] = "}}}eval\\([a-z]\\);}}",
    ["07_script"] = "000007\\.ru",
    ["ar_script"] = "cheapairliney\\.info",
    ["wk_script"] = "<script[^<]*?wkoder[^>]*>",
    ["bh_script"] = "document\\.write\\(unescape\\(''\\)\\+unescape\\('%3C'\\)\\+String.fromCharCode\\(105\\)",
    ["fc_script"] = "eval\\(\"String.fromCharCode",
    ["pn_script"] = "document.write\\(\"<if[^)]*\\)",
    ["rd_script"] = "document.write\\([A-Za-z0-9]+\\(.[0-9A-Fa-f]+.\\)\\)",
    ["ht_script"] = "(?ims:</html>.*?<script>.*$)",
    ["al_tag" ] = "(?ims:<[a-z0-9]{14,}>)",
    ["ez_iframe"] = "(?ims:<iframe[^>]*>)",
    ["dn_iframe"] = "(?ims:<div style=\"display:none\">[^<]*<iframe.*?(?:/>|</iframe>))",
    ["vh_iframe"] = "(?ims:<iframe[^>]*?visibility: ?hidden)",
    ["c162_iframe"] = "id=\"c162\"",
    ["tx_iframe"] = "(?ims:textarea[^<]*?iframe[^<]*<)",
    ["go_iframe"] = "goooogleadsence.biz",
    ["ol_iframe"] = "<iframe[^>]*?onload[^>]*>",
    ["uknmv1" ] = "UKNMV1",
    ["wr1ite" ] = "wr1ite",
    ["glondis" ] = "glondis.cn",
    ["afterhtml"] = "(?ims:</html>.*[^ \t\r\n].*$)",
    ["eroticweb"] = "(?ims:eroticweb\\.ru)",
    ["gifimg_str"] = "gifimg\\.php",
    ["fdc_str"] = "fairwaydrycleaners",
}
Syntax
$ vscan-scan-dir <dir>
Output
Search mode
In search mode, vscan-scan-dir writes its results to stdout. Each result is one line that starts with a single-letter typecode followed by one or more space-delimited fields. The possible line types are:
- F <qpath> <feature> <capture>
- Features
- P <qpath> <feature>+
- Path summaries
- C <qpath> <num dirs> <num files> <num interesting>
- Count statistics
- E <freeform text>
- Errors
The qpath and capture fields are percent-encoded, so a path or matched text containing spaces or other special characters still occupies exactly one field.
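As an added example (not code from the vscan project), the following Python parser reads the search-mode lines described above, percent-decodes the qpath and capture fields, and tallies hits per sensor the way a summary tool would. The sample output is constructed here, modelled on the lines shown later in the Example section; the E line text and the page 1.html hit are assumed values.

```python
from collections import Counter
from urllib.parse import unquote

# Constructed sample of search-mode output, modelled on the lines shown on this page.
SAMPLE_OUTPUT = """\
F /data/exploits/arru%2Eexe exe_file This%20program%20cannot%20be%20run%20in%20DOS%20mode
P /data/exploits/arru%2Eexe exe_file
F /data/exploits/setup%5B1%5D%2Eexe exe_file This%20program%20cannot%20be%20run%20in%20DOS%20mode
P /data/exploits/setup%5B1%5D%2Eexe exe_file
F /data/exploits/page%201%2Ehtml ez_iframe %3Ciframe%20src%3D%22x%22%3E
P /data/exploits/page%201%2Ehtml ez_iframe al_tag
E cannot open /data/exploits/locked: permission denied
C /data/exploits 1 223 220
"""

def parse_line(line):
    """Split one result line on its typecode; qpath and capture are percent-decoded."""
    parts = line.rstrip("\n").split(" ")
    code = parts[0]
    if code == "F" and len(parts) == 4:
        return {"type": "F", "path": unquote(parts[1]),
                "feature": parts[2], "capture": unquote(parts[3])}
    if code == "P" and len(parts) >= 3:
        return {"type": "P", "path": unquote(parts[1]), "features": parts[2:]}
    if code == "C" and len(parts) == 5:
        return {"type": "C", "path": unquote(parts[1]), "dirs": int(parts[2]),
                "files": int(parts[3]), "interesting": int(parts[4])}
    if code == "E":
        # Freeform text: the page does not say it is encoded, so keep it verbatim.
        return {"type": "E", "text": line[2:].rstrip("\n")}
    raise ValueError("malformed result line: %r" % line)

def summarize(output):
    """Tally F hits per feature, collect flagged paths and keep the C statistics."""
    hits, flagged, errors, counts = Counter(), set(), [], None
    for raw in output.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["type"] == "F":
            hits[rec["feature"]] += 1
        elif rec["type"] == "P":
            flagged.add(rec["path"])
        elif rec["type"] == "E":
            errors.append(rec["text"])
        else:
            counts = rec
    return {"hits": dict(hits), "flagged": sorted(flagged),
            "errors": errors, "counts": counts}
```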
Collect mode
In collect mode, vscan-scan-dir writes samples of files with interesting names to a compressed tarball in ./examples.tar.gz. These samples can be scanned offline with vscan-scan-tarball and can be archived for longitudinal analysis.
Example
Let's say we have a directory containing malicious files, some of which are executable. We can use the following configuration file to identify them:
$ cat > config.lua << EOF
last_modified = nil
sensors = {
    ["exe_file"] = "This program cannot be run in DOS mode",
}
EOF
Now, let's scan our directory:
$ vscan-scan-dir /data/exploits
F /data/exploits/arru%2Eexe exe_file This%20program%20cannot%20be%20run%20in%20DOS%20mode
P /data/exploits/arru%2Eexe exe_file
F /data/exploits/setup%5B1%5D%2Eexe exe_file This%20program%20cannot%20be%20run%20in%20DOS%20mode
P /data/exploits/setup%5B1%5D%2Eexe exe_file
F /data/exploits/nuxninqynkow%2Eexe exe_file This%20program%20cannot%20be%20run%20in%20DOS%20mode
P /data/exploits/nuxninqynkow%2Eexe exe_file
[REMOVED]
C /data/exploits 1 223 220
We can redirect the results to a file and then display statistics from it:
$ vscan-scan-dir /data/exploits > results
$ vscan-summarize results
Summary:
0 exe_file 165
$ vscan-report
[sig] total
[ 0] exe_file 165 165