A minimalistic cross-platform malware scanner with non-blocking realtime filesystem monitoring using YARA rules.

Overview

Sauron is a minimalistic, YARA based malware scanner with realtime filesystem monitoring written in Rust.

Features

  • Realtime scan of created and modified files supporting Linux inotify, macOS FSEvents, Windows ReadDirectoryChanges and polling for other platforms.
  • YARA engine complete support.
  • Single scan mode to scan a folder, report results and exit.
  • Parallel scanning using a configurable thread pool.
  • Log, text and JSON reporting.

Known Limitations

Due to the filesystem monitoring mechanism, Sauron is extremely lightweight and non invasive as more sophisticated AV solutions, however this comes with the following limitations:

  • Scanning files with an exclusive lock by other processes will likely fail with a Permission Denied error.
  • Malicious files creation and execution won't be blocked but just reported.
  • Fileless malware won't be detected.
  • Detected files won't be linked to originating processes.

Building

cargo build --release

Dependencies

Your system must have libssl-dev installed. For Ubuntu-derivatives this can be installed via sudo apt install libssl-dev.

Running

Assuming you have your YARA rules in ./yara-rules (you can find plenty of free rules online):

sudo ./target/release/sauron --rules ./yara-rules

screenshot

Single Scan

Alternatively you can perform a one-time recursive scan of the specified folder using the --scan argument:

sudo ./target/release/sauron --rules ./yara-rules --scan --root /path/to/scan

You can specify which file extensions to scan (all by default) with the --ext argument:

sudo ./target/release/sauron \
    --rules ./yara-rules \
    --scan \
    --root /path/to/scan \
    --ext exe \
    --ext elf \
    --ext doc \
    --ext docx

Reporting

Various options are available for reporting:

  • --report-clean will also report clean files.
  • --report-errors explicitly report errors (reported as debug logs by default).
  • --report-output <FILENAME> will write scan reports to a file.
  • --report-json if --report-output is passed, write as JSON instead of text.

Other options

Run sauron --help for the complete list of options.

License

This project is made with by @evilsocket and it is released under the GPL3 license.

You might also like...
Cross-platform Secure TUI Secret Locker
Cross-platform Secure TUI Secret Locker

SafeCloset keeps your secrets in password protected files. SafeCloset is designed to be convenient and avoid common weaknesses like external editing o

 DexiosGUI - Simple cross-platform drag-and-drop Dexios file encryption
DexiosGUI - Simple cross-platform drag-and-drop Dexios file encryption

DexiosGUI Simple cross-platform drag-and-drop Dexios file encryption. Latest Windows x64 release is here. DexiosGUI is a Qt/C++ app for encrypt and de

Cross-platform atomic wait and wake (aka futex) functionality for Rust.

Cross platform atomic wait and wake (aka futex) functionality. This crate only supports functionality that's available on all of Linux, Windows, and m

A simple to use, cross-platform aes encryption

About Project End to End encryption (AES) for multiple languages (cross-platform) with CBC Icon Item 🥳 Upcoming ⚖️ License 📝 ChangeLog Usage (rust)

A fast, simple and powerful open-source cross platform utility tool for generating strong, unique and random passwords

password-generator-pro A fast, simple and powerful open-source cross platform utility tool for generating strong, unique and random passwords. Feature

CLI password manager with encryption: AES256, Salsa20 and Chacha20, with cross platform and exclusive features
CLI password manager with encryption: AES256, Salsa20 and Chacha20, with cross platform and exclusive features

Keep My House (CLI) CLI password manager with encryption: AES256, Salsa20 and Chacha20, with cross platform and exclusive features Features AES256 GCM

Cross-platform user interface framework for Rust.

Viewbuilder Examples Cross-platform user interface framework for Rust. This crate provides an HTML-like render API for the backend of a UI. It's built

A Peer-to-Peer cross-platform clipboard syncing tool.

p2p-clipboard p2p-clipboard is a Peer-to-Peer cross-platform clipboard syncing tool. It enables users to synchronize clipboard contents across multipl

Metaplex is a protocol built on top of Solana that allows: Creating/Minting non-fungible tokens;
Metaplex is a protocol built on top of Solana that allows: Creating/Minting non-fungible tokens;

Metaplex is a protocol built on top of Solana that allows: Creating/Minting non-fungible tokens; Starting a variety of auctions for primary/secondary

Comments
  • Compile sauron on Debian 11 fails (workaround)

    Compile sauron on Debian 11 fails (workaround)

    Rust version on Debian 11 to old => compile fails.

    Workaround:

    Install newer version of rust and some dependencies as follows

    git clone https://github.com/evilsocket/sauron.git
    cd sauron
    sudo apt remove rustc-mozilla
    sudo apt install curl build-essential gcc make libssl-dev libclang1 clang -y
    # local user install of rust
    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | s
    source "$HOME/.cargo/env"
    cargo build --release
    
    opened by tietjen 0
Owner
Simone Margaritelli
Simone Margaritelli
Converts a MO loadorder to loot rules for manual loadorders

lootifier Converts a Mod Organizer loadorders to loot rules for manual loadorders Long Description This tool is meant for people who want to share mod

alsa 4 Nov 12, 2022
ARYA Network is a polkadot/substrate based chain for Non-fungible Token platform on which we can own sell and buy the NFT's on polkadot network.

ARYA Network ARYA Network is a polkadot/substrate based chain for Non-fungible Token platform on which we can own sell and buy the NFT's on polkadot n

Pankaj Chaudhary 6 Dec 20, 2022
Rusty Hog is a secret scanner built in Rust for performance, and based on TruffleHog which is written in Python.

Rusty Hog is a secret scanner built in Rust for performance, and based on TruffleHog which is written in Python. Rusty Hog provides the following bina

New Relic 306 Jan 4, 2023
This is my home environment setup for monitoring temperature and humidity

Home EnViroNment Motivation This is my IoT temperature and humidity monitoring solution for where i live. I found it cheaper to go buy sensors and hoo

Fredrik 1 Jan 5, 2022
Ingraind - a security monitoring agent built around RedBPF for complex containerized environments and endpoints.

ingraind is a security monitoring agent built around RedBPF for complex containerized environments and endpoints. The ingraind agent uses eBPF probes to provide safe and performant instrumentation for any Linux-based environment.

KingoOo 5 Apr 6, 2022
Minimalistic governance & ledger toolkit for cold wallets

Minimalistic ledger and governance toolkit for cold wallets.

DFINITY 66 Dec 20, 2022
Minimalistic EVM-compatible chain indexer.

EVM Indexer Minimalistic EVM-compatible blockchain indexer written in rust. This repository contains a program to index helpful information from any E

Kike B 14 Dec 24, 2022
Minimalistic EVM-compatible chain indexer.

EVM Indexer Minimalistic EVM-compatible blockchain indexer written in rust. This repository contains a program to index helpful information from any E

LlamaFolio 11 Dec 15, 2022
A Minimalistic Rust library to extract all potential function selectors from EVM bytecode without source code.

EVM Hound A Minimalistic Rust library to extract all potential function selectors from EVM bytecode without source code. Installation $ cargo add evm_

null 34 Dec 3, 2023
The protocol are designed and made for the future of cross-IP, cross-chain metaverse.

Avatar-protocol 化身协议 This project demonstrates how to use the Solana Javascript API to interact with programs on the Solana blockchain. The project co

Wind-protocol 1 Jan 10, 2022