LOKI2 - Simple IOC and YARA Scanner

Overview

LOKI - Simple IOC and YARA Scanner

Status

Work in Progress. This version is not ready for use. There's still some work to do for a first release.

Current tasks I'm working on:

  1. Cross-compilation for Windows - see this tweet for details. Maybe someone can help me with that build target configuration and the GitHub workflow .github/workflows/build-linux-to-win.yml.
  2. I'm trying to figure out the best layout to restructure the code in the project (package) into separate files per feature.
  3. I'm exploring the best way to store the initialized IOCs of variable size (unknown size at compile time).

What's already implemented

  • System reconnaissance (system and hardware information for the log)
  • Logging and formatting of the different log outputs
  • File system walk
  • File time evaluation (MAC timestamps)
  • Exclusions based on file characteristics
  • IOC initialization - hash values
  • IOC matching on files (hashes)
  • YARA rule initialization, syntax checks, and error handling
  • YARA scanning of files
  • YARA scanning of process memory

What's still to do

  • IOC initialization - file patterns
  • IOC initialization - C2 patterns (FQDN, IP)
  • IOC matching on files (file patterns)
  • C2 IOC matching (process connections)
  • File system walk exceptions: network drives, mounted drives etc.
  • Custom exclusions (regex on file path)
  • Release workflows (automatically build and provide as release)

Setup Build Environment

Requirements

See the files in the folder .github/workflows for the steps to set up a build environment for

  • Linux
  • macOS

Providing Signatures

git clone https://github.com/Neo23x0/signature-base ../signature-base/
ln -s ../signature-base/ ./signatures

Build

cargo build

Test Run

cargo build && ./target/debug/loki --help

Usage

Usage: loki [OPTIONS]

LOKI YARA and IOC Scanner

Options:
  -m, --max-file-size         Maximum file size to scan (default: 10000000)
  -s, --show-access-errors    Show all file and process access errors
  -c, --scan-all-files        Scan all files regardless of their file type / extension
  -d, --debug                 Show debugging information
  -t, --trace                 Show very verbose trace output
  -n, --noprocs               Don't scan processes
  -o, --nofs                  Don't scan the file system
  -f, --folder                Folder to scan
  -h, --help                  Show this help message.

Screenshots

LOKI 2 alpha version

Screenshot of Alpha Version

Owner
Florian Roth