# dionysos

Scanner for various IoCs

## Installation

```shell
cargo install dionysos
```

## Usage

```
dionysos 0.1.0

Scanner for various IoCs

USAGE:
    dionysos [OPTIONS]

OPTIONS:
    -F, --filename    regular expression to match against the basename of files.
                      This parameter can be specified multiple times
    -h, --help        Print help information
    -P, --path        path to registry hive file
    -v                level of verbosity (specify multiple times to increase verbosity)
    -V, --version     Print version information
    -Y, --yara        use yara scanner with the specified ruleset. This can be a single
                      file, a zip file or a directory containing lots of yara files.
                      Yara files must end with 'yar' or 'yara', and zip files must
                      end with 'zip'
```

## Developer guide

### How to add scanners

1. Declare scanner result type

Extend the `ScannerFinding` type in `src/scanner_result.rs` with a variant that carries your scanner's findings.

2. Implementation of the scanner

Take, for example, the FilenameScanner, which tries to do a simple filename match:

```rust
use crate::consumer::*;
use crate::scanner_result::{ScannerResult, ScannerFinding};
use provider_derive::*;
use consumer_derive::*;
use std::sync::Arc;

// The attribute and derive macros wire the scanner into the provider/consumer
// chain; `#[consumer_data]` marks the value handed to every handle_file() call.
#[has_consumers_list]
#[has_thread_handle]
#[derive(FileProvider)]
#[derive(FileConsumer)]
#[derive(Default)]
pub struct FilenameScanner {
    #[consumer_data]
    patterns: Arc<Vec<regex::Regex>>,

    // Patterns collected during configuration; moved into `patterns` by seal().
    unsealed_patterns: Vec<regex::Regex>,
}

impl FilenameScanner {
    // Freeze the pattern list into an Arc so it can be shared read-only.
    pub fn seal(&mut self) {
        self.patterns = Arc::new(std::mem::take(&mut self.unsealed_patterns));
    }

    pub fn add_patterns(&mut self, mut patterns: Vec<regex::Regex>) {
        self.unsealed_patterns.append(&mut patterns);
    }
}

impl FileHandler<Arc<Vec<regex::Regex>>> for FilenameScanner {
    // Called once per file; every matching pattern becomes its own finding.
    fn handle_file(result: &ScannerResult, patterns: Arc<Vec<regex::Regex>>) {
        for p in patterns.iter() {
            if p.is_match(result.filename()) {
                result.add_finding(ScannerFinding::Filename(p.to_string()));
            }
        }
    }
}
```

3. Add your scanner to the scanner chain

The scanner chain is currently hard-coded in `Dionysos::run()` (in `src/dionysos.rs`).
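To show the three steps end to end in code that compiles on its own, here is an added example that is not part of dionysos: a hypothetical `DoubleExtensionScanner` built on minimal stand-ins for `ScannerFinding`, `ScannerResult` and `FileHandler` that mirror the snippet above (the crate's real types and derive macros differ). It assumes `filename()` returns the basename of the scanned path and that the sample paths are constructed.

```rust
use std::path::Path;
use std::sync::{Arc, Mutex};
// Stand-in for the crate's ScannerFinding (step 1): one variant per scanner type;
// DoubleExtension is the hypothetical variant added for the scanner below.
#[derive(Debug, Clone, PartialEq)]
pub enum ScannerFinding { Filename(String), DoubleExtension(String) }

// Stand-in for ScannerResult: basename access plus add_finding() through a
// shared reference, since handle_file() only receives &ScannerResult.
pub struct ScannerResult { path: String, findings: Mutex<Vec<ScannerFinding>> }

impl ScannerResult {
    pub fn new(path: &str) -> Self {
        ScannerResult { path: path.to_string(), findings: Mutex::new(Vec::new()) }
    }
    pub fn filename(&self) -> &str {
        Path::new(&self.path).file_name().and_then(|f| f.to_str()).unwrap_or("")
    }
    pub fn add_finding(&self, f: ScannerFinding) { self.findings.lock().unwrap().push(f); }
    pub fn findings(&self) -> Vec<ScannerFinding> { self.findings.lock().unwrap().clone() }
}
// Stand-in for the FileHandler trait: the sealed scanner data arrives as an Arc
// clone per file, so one read-only copy is shared across worker threads.
pub trait FileHandler<D> { fn handle_file(result: &ScannerResult, data: D); }

// Hypothetical scanner (step 2): flags names like "invoice.pdf.exe", where an
// executable extension hides behind a document-looking one.
#[derive(Default)]
pub struct DoubleExtensionScanner {
    exec_exts: Arc<Vec<String>>, // sealed copy handed to handle_file()
    unsealed_exts: Vec<String>,  // only filled while configuring
}

impl DoubleExtensionScanner {
    pub fn add_extensions(&mut self, mut exts: Vec<String>) { self.unsealed_exts.append(&mut exts); }
    pub fn seal(&mut self) { self.exec_exts = Arc::new(std::mem::take(&mut self.unsealed_exts)); }
    pub fn data(&self) -> Arc<Vec<String>> { Arc::clone(&self.exec_exts) }
}

impl FileHandler<Arc<Vec<String>>> for DoubleExtensionScanner {
    fn handle_file(result: &ScannerResult, exec_exts: Arc<Vec<String>>) {
        let name = result.filename();
        // rsplitn(3, '.') yields [last_ext, inner_ext, stem] for a double extension.
        let parts: Vec<&str> = name.rsplitn(3, '.').collect();
        let is_double = parts.len() == 3 && !parts[1].is_empty() && !parts[2].is_empty();
        if is_double && exec_exts.iter().any(|e| e.eq_ignore_ascii_case(parts[0])) {
            result.add_finding(ScannerFinding::DoubleExtension(name.to_string()));
        }
    }
}
```

Registering the scanner would then be the third step, i.e. appending it to the chain in `Dionysos::run()`.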

## Feature ideas