# dionysos

Scanner for various IoCs

## Installation

```shell
sudo apt install libyara-dev
cargo install dionysos
```

## Usage

```
dionysos 0.2.1
Jan Starke <Jan.Starke@t-systems.com>
Scanner for various IoCs

USAGE:
    dionysos [OPTIONS]

OPTIONS:
    -C, --scan-compressed    allow yara to scan compressed files
    -F, --filename           regular expression to match against the basename of files.
                             This parameter can be specified multiple times
    -h, --help               Print help information
        --omit-levenshtein   do not run the Levenshtein scanner
    -P, --path               path which must be scanned
    -q, --quiet              Less output per occurrence
    -v, --verbose            More output per occurrence
    -V, --version            Print version information
    -Y, --yara               use yara scanner with the specified ruleset. This can be a
                             single file, a zip file or a directory containing lots of
                             yara files. Yara files must end with 'yar' or 'yara', and
                             zip files must end with 'zip'
```

## Developer guide

### How to add scanners

1. Declare scanner result type

Extend the `ScannerFinding` type in `src/scanner_result.rs` with a variant that carries your scanner's findings.

2. Implementation of the scanner

Take, for example, the `FilenameScanner`, which tries to do a simple filename match (the type parameters and underscores in method names were lost when this page was extracted; they are restored below, with `regex::Regex` and `anyhow::Result` assumed as the element types):

```rust
use crate::filescanner::*;
use crate::scanner_result::ScannerFinding;
use std::path::Path;

pub struct FilenameScanner {
    // compiled regular expressions passed in via -F (type assumed, see above)
    patterns: Vec<regex::Regex>,
}

impl FilenameScanner {
    pub fn new(patterns: Vec<regex::Regex>) -> Self {
        Self { patterns }
    }
}

impl FileScanner for FilenameScanner {
    // one Result per finding, so a single failure does not abort the scan
    fn scan_file(&self, file: &Path) -> Vec<anyhow::Result<ScannerFinding>> {
        let filename = file.to_str().unwrap();
        self.patterns
            .iter()
            .filter(|p| p.is_match(filename))
            .map(|r| Ok(ScannerFinding::Filename(r.to_string())))
            .collect()
    }
}
```

3. Add your scanner to the scanner chain

The scanner chain is currently hard-coded in `Dionysos::run()` (in `src/dionysos.rs`); register your new scanner there so it runs alongside the existing ones.
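The three steps above, carried through end to end as an added example that is not part of the dionysos source: it reproduces the shape of the developer guide (a `ScannerFinding` type, a `FileScanner` trait, a `FilenameScanner`, and a chain that runs every scanner over a path), adds a second scanner with its own finding variant, and uses only the standard library, so a case-insensitive substring match stands in for the `regex` crate the project itself uses. The trait, type and function bodies here are all written for this example and are not the project's code; the sample paths are constructed.

```rust
// Added example in the style of the dionysos developer guide; std-only, not project code.
use std::fmt;
use std::path::Path;

// Step 1: the result type. Each scanner contributes its own variant.
#[derive(Debug, Clone, PartialEq)]
pub enum ScannerFinding {
    Filename(String),  // the pattern that matched the file's basename
    Extension(String), // new variant, added for the ExtensionScanner below
}

impl fmt::Display for ScannerFinding {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            ScannerFinding::Filename(p) => write!(f, "filename matches '{}'", p),
            ScannerFinding::Extension(e) => write!(f, "suspicious extension '.{}'", e),
        }
    }
}

// Every scanner implements this trait. Errors are returned per finding so one
// unreadable entry does not abort the whole run.
pub trait FileScanner {
    fn scan_file(&self, file: &Path) -> Vec<Result<ScannerFinding, String>>;
}

// Step 2: a filename scanner (substring match instead of the project's regex).
pub struct FilenameScanner {
    patterns: Vec<String>,
}

impl FilenameScanner {
    pub fn new(patterns: Vec<String>) -> Self {
        Self { patterns }
    }
}

impl FileScanner for FilenameScanner {
    fn scan_file(&self, file: &Path) -> Vec<Result<ScannerFinding, String>> {
        // Only the basename is matched, mirroring what -F documents.
        let name = match file.file_name().and_then(|n| n.to_str()) {
            Some(n) => n.to_lowercase(),
            None => return vec![Err(format!("{}: basename is not valid UTF-8", file.display()))],
        };
        self.patterns
            .iter()
            .filter(|p| name.contains(p.to_lowercase().as_str()))
            .map(|p| Ok(ScannerFinding::Filename(p.clone())))
            .collect()
    }
}

// A second scanner whose finding variant was added in step 1: flags file
// extensions an analyst wants to review (a typical lure is a document name
// ending in an executable extension).
pub struct ExtensionScanner {
    extensions: Vec<String>,
}

impl ExtensionScanner {
    pub fn new(extensions: Vec<String>) -> Self {
        Self { extensions }
    }
}

impl FileScanner for ExtensionScanner {
    fn scan_file(&self, file: &Path) -> Vec<Result<ScannerFinding, String>> {
        let ext = file.extension().and_then(|e| e.to_str()).map(|e| e.to_lowercase());
        match ext {
            Some(e) if self.extensions.iter().any(|x| x.to_lowercase() == e) => {
                vec![Ok(ScannerFinding::Extension(e))]
            }
            _ => Vec::new(),
        }
    }
}

// Step 3: the scanner chain. In dionysos this list lives in Dionysos::run().
pub fn build_chain() -> Vec<Box<dyn FileScanner>> {
    vec![
        Box::new(FilenameScanner::new(vec!["invoice".into(), "payroll".into()])),
        Box::new(ExtensionScanner::new(vec!["exe".into(), "scr".into()])),
    ]
}

// Run every scanner in the chain over one path; errors are reported, findings collected.
pub fn scan_path(chain: &[Box<dyn FileScanner>], file: &Path) -> Vec<ScannerFinding> {
    chain
        .iter()
        .flat_map(|s| s.scan_file(file))
        .filter_map(|r| match r {
            Ok(f) => Some(f),
            Err(e) => {
                eprintln!("scan error: {}", e);
                None
            }
        })
        .collect()
}

fn main() {
    let chain = build_chain();
    // Constructed sample paths; nothing is read from disk, only the path is inspected.
    for p in ["/tmp/Invoice_2023.exe", "/tmp/notes.txt", "/tmp/payroll.pdf"] {
        let findings: Vec<String> = scan_path(&chain, Path::new(p)).iter().map(|f| f.to_string()).collect();
        println!("{}: {}", p, if findings.is_empty() { "clean".to_string() } else { findings.join("; ") });
    }
}
```

The chain is a `Vec<Box<dyn FileScanner>>`, so adding a scanner is one more `Box::new(...)` in `build_chain()`, which is the same spot the guide's step 3 points at in `Dionysos::run()`. Returning `Vec<Result<_, _>>` per file keeps a single bad entry from aborting the scan of a whole tree, which matters when the target is a large or partially unreadable filesystem.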

## Feature ideas