I’m thrilled to announce the release of Fibratus 0.7.0. Let’s see what’s new in this version.
This release introduces a new set of features I’ve decided to call bindings. They represent join-points between fibratus and other tools that can add insights to the data captured from the kernel. The first of them is the integration with the YARA tool. The rule matching phase is triggered when a process creation kernel event is detected. The image path of the created process is evaluated against the available rule set. If a match occurs, the CreateProcess event is enriched with rule context information (the matching rule, rule meta information, data strings, etc.). Here is an example of the produced JSON payload:
To enable the YARA binding, you need to edit the fibratus.yml configuration descriptor. Under the yara binding section, the path key has to point to a valid path with a directory containing rule definitions. I’m not sure if this is a bug or a limitation of the yara cython extension, but if the root directory is traversed recursively with multiple directories containing the yar files, the matching might not work as expected.
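To make the binding's workflow concrete, here is an added example (my own illustration, not fibratus code) of the three steps described above: walking the rules directory recursively and collecting every rule file into the filepaths mapping that yara-python's compile() accepts (so rules spread over subdirectories are all loaded under distinct namespaces), scanning the image path of a newly created process, and attaching the rule context to the CreateProcess event. The event field names (name, pid, exe), the rule file extensions, and the layout of the attached yara context are assumptions; yara-python is imported lazily so the directory walk and the enrichment can be exercised without it.

```python
"""Illustration of the YARA binding workflow: collect rule files recursively,
compile them, scan a created process's image path and enrich the event.
Added example; it is not part of fibratus."""
import os
from typing import Dict, Iterable, List

# Assumption: both common spellings of the rule file extension are accepted.
RULE_EXTENSIONS = (".yar", ".yara")


def collect_rule_files(root: str) -> Dict[str, str]:
    """Walk `root` recursively and map a namespace to every rule file found.

    yara-python's compile(filepaths=...) takes exactly this mapping. The
    namespace is the file's path relative to `root` without its extension, so
    two rules with the same name in different subdirectories do not collide.
    """
    rule_files: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            if not name.lower().endswith(RULE_EXTENSIONS):
                continue  # skip README files and other non-rule content
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            namespace = os.path.splitext(rel)[0].replace(os.sep, "/")
            rule_files[namespace] = full
    return rule_files


def compile_rules(root: str):
    """Compile every rule file under `root` into one yara.Rules object.
    yara-python is imported here so the rest of the module works without it."""
    import yara  # assumption: the yara-python package is installed
    return yara.compile(filepaths=collect_rule_files(root))


def _string_matches(strings: Iterable) -> List[dict]:
    """Normalise matched strings into JSON-friendly dicts.
    yara-python 4.3+ returns StringMatch objects with .instances; older
    versions return (offset, identifier, data) tuples. Data is hex-encoded."""
    out: List[dict] = []
    for s in strings:
        if isinstance(s, tuple):
            offset, identifier, data = s
            out.append({"identifier": identifier, "offset": offset, "data": data.hex()})
        else:
            for inst in s.instances:
                out.append({"identifier": s.identifier, "offset": inst.offset,
                            "data": inst.matched_data.hex()})
    return out


def enrich_event(event: dict, matches: list) -> dict:
    """Return a copy of `event` with the rule context attached under "yara":
    the matching rule, its namespace, tags, meta and matched strings.
    With no matches the event is returned untouched; the binding only annotates hits."""
    if not matches:
        return event
    enriched = dict(event)  # do not mutate the caller's event
    enriched["yara"] = {
        "matches": [
            {
                "rule": m.rule,
                "namespace": m.namespace,
                "tags": list(m.tags),
                "meta": dict(m.meta),
                "strings": _string_matches(m.strings),
            }
            for m in matches
        ]
    }
    return enriched


def on_kernel_event(rules, event: dict) -> dict:
    """Hook for kernel events: only CreateProcess triggers a scan. The new
    process's image path (assumed field "exe") is matched against the compiled
    rule set and the event is enriched on a hit."""
    if event.get("name") != "CreateProcess":
        return event
    matches = rules.match(filepath=event["exe"])  # yara-python Rules.match
    return enrich_event(event, matches)


if __name__ == "__main__":
    # Constructed sample run; requires yara-python and a rules directory.
    rules = compile_rules(r"C:\fibratus\rules")  # placeholder path
    sample = {"name": "CreateProcess", "pid": 4242, "exe": r"C:\Windows\System32\notepad.exe"}
    print(on_kernel_event(rules, sample))
```

The namespaced mapping is the practical answer to the recursive-traversal caveat: every .yar file under the root is handed to the compiler explicitly, rather than relying on the extension to find them, and a rule name reused in two subdirectories still compiles because each file lives in its own namespace.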
I have to be honest about the drawbacks of installing fibratus from PyPI. The kernel stream collector needs to be compiled, and in order to do it a C compiler has to be present on the local machine. Obviously, the Python interpreter and the cython package are also required dependencies to install fibratus successfully. Over and above that, the installation of the yara-python package doesn’t go smoothly on Windows, so I ended up compiling libyara from sources, which produces the statically linked library required by
To overcome all those aforementioned tedious tasks, from this release on I’ll be shipping a Windows installer which embeds the Python interpreter, the cython extensions and any extra dependency in a single binary, so installing fibratus becomes a matter of a few clicks. Feel free to download the latest version here.
If you have any feedback or would like to contribute, you can reach out via GitHub or drop me an email.
Enjoy this new release!