I’m thrilled to announce the release of Fibratus 0.7.0. Let’s see what’s new in this version.

YARA integration

This release introduces a new set of features I’ve decided to call bindings. They are join points between fibratus and other tools that can add further insight to the data captured from the kernel. The first of them is the integration with the YARA tool. The rule-matching phase is triggered when a process creation kernel event is detected. The image path of the created process is evaluated against the available rule set. If a match occurs, the CreateProcess event is enriched with rule context (the matching rule, rule metadata, matched data strings, etc.). Here is an example of the produced JSON payload:

{
   "pid":8100,
   "params":{
      "pid":2628,
      "exe":"C:\\WINDOWS\\system32\\notepad.exe",
      "name":"notepad.exe",
      "comm":"\"C:\\WINDOWS\\system32\\notepad.exe\" ",
      "ppid":8100,
      "rule_info":{
         "rule":"test",
         "meta":{
            "weight":3,
            "version":"0.1",
            "author":"rabbitstack"
         },
         "namespace":"default",
         "strings":[
            {
               "data":"notepad",
               "identifier":"$magic",
               "offset":118820
            },
            {
               "data":"notepad",
               "identifier":"$magic",
               "offset":137751
            }
         ],
         "tags":[
            "Notepad",
            "raw"
         ]
      }
   },
   "cpuid":2,
   "proc":"explorer.exe",
   "name":"CreateProcess",
   "timestamp":"2017-03-22 20:09:31.513000",
   "id":4
}
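One practical use of the enriched payload is to feed it into a detection pipeline rather than reading it by eye. The following is an added example, not code from Fibratus or its author: a small consumer that parses CreateProcess events in the JSON shape shown above, keeps only those carrying rule_info whose meta weight reaches a threshold, and folds the matched strings into per-identifier offset lists. The sample events are constructed for the example (the first mirrors the payload above, the second is a plain CreateProcess with no YARA context); the weight threshold and the output field names are the example's own choices.

```python
import json
from collections import defaultdict

# Constructed sample events (not captured from a real host). The first mirrors
# the enriched CreateProcess payload from the post; the second has no rule_info,
# as emitted when no YARA rule matches the image path.
SAMPLE_EVENTS = [
    json.dumps({
        "pid": 8100,
        "params": {
            "pid": 2628,
            "exe": "C:\\WINDOWS\\system32\\notepad.exe",
            "name": "notepad.exe",
            "comm": "\"C:\\WINDOWS\\system32\\notepad.exe\" ",
            "ppid": 8100,
            "rule_info": {
                "rule": "test",
                "meta": {"weight": 3, "version": "0.1", "author": "rabbitstack"},
                "namespace": "default",
                "strings": [
                    {"data": "notepad", "identifier": "$magic", "offset": 118820},
                    {"data": "notepad", "identifier": "$magic", "offset": 137751},
                ],
                "tags": ["Notepad", "raw"],
            },
        },
        "cpuid": 2,
        "proc": "explorer.exe",
        "name": "CreateProcess",
        "timestamp": "2017-03-22 20:09:31.513000",
        "id": 4,
    }),
    json.dumps({
        "pid": 8100,
        "params": {
            "pid": 2700,
            "exe": "C:\\WINDOWS\\system32\\calc.exe",
            "name": "calc.exe",
            "comm": "\"C:\\WINDOWS\\system32\\calc.exe\" ",
            "ppid": 8100,
        },
        "cpuid": 1,
        "proc": "explorer.exe",
        "name": "CreateProcess",
        "timestamp": "2017-03-22 20:09:35.001000",
        "id": 5,
    }),
]


def parse_event(raw):
    """Decode one JSON event line into a dict."""
    return json.loads(raw)


def summarize_match(event, min_weight=1):
    """Return a flat detection record for a CreateProcess event enriched by the
    YARA binding, or None when the event carries no rule context or the rule's
    meta weight is below min_weight (weight threshold is this example's choice)."""
    if event.get("name") != "CreateProcess":
        return None
    params = event.get("params", {})
    info = params.get("rule_info")
    if not info:
        return None
    weight = info.get("meta", {}).get("weight", 0)
    if weight < min_weight:
        return None
    # Group matched string offsets by identifier ($magic may hit several times).
    offsets = defaultdict(list)
    for s in info.get("strings", []):
        offsets[s["identifier"]].append(s["offset"])
    return {
        "rule": info["rule"],
        "namespace": info.get("namespace"),
        "weight": weight,
        "tags": sorted(info.get("tags", [])),
        "exe": params.get("exe"),
        "pid": params.get("pid"),
        "ppid": params.get("ppid"),
        "parent": event.get("proc"),
        "timestamp": event.get("timestamp"),
        "string_offsets": dict(offsets),
    }


def triage(raw_events, min_weight=1):
    """Run summarize_match over a stream of raw JSON events; return the hits."""
    hits = []
    for raw in raw_events:
        record = summarize_match(parse_event(raw), min_weight)
        if record is not None:
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(json.dumps(hit, indent=2))
```

Filtering on the rule's meta weight lets noisy, low-confidence rules stay in the rule set for context while only heavier ones raise an alert; the parent process name (proc) and ppid travel with the record so an analyst can see what spawned the matched image.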

To enable the YARA binding, you need to edit the fibratus.yml configuration descriptor. Under the yara binding section, the path key has to point to a valid directory containing the rule definitions. I’m not sure whether this is a bug or a limitation of the yara cython extension, but if the root directory is traversed recursively and multiple subdirectories contain .yar files, matching might not work as expected.

Standalone installer

I have to be honest about the drawbacks of installing fibratus from PyPI. The kernel stream collector needs to be compiled, and to do that a C compiler has to be present on the local machine. Obviously, the Python interpreter and the cython package are also required dependencies for installing fibratus successfully. On top of that, installing the yara-python package doesn’t go smoothly on Windows, so I ended up compiling libyara from source, which produces the statically linked library required by yara-python. To spare you all of those tedious tasks, from this release on I’ll be shipping a Windows installer that embeds the Python interpreter, the cython extensions and every extra dependency in a single binary, so installing fibratus becomes a matter of a few clicks. Feel free to download the latest version here.

If you have any feedback or would like to contribute, you can reach out via GitHub or drop me an email.

Enjoy this new release!