mwdb-core
mwdb-core copied to clipboard
CERT-Polska
YARA Hunting with S3 distributed backend
Feature Category
- [ ] Correctness
- [ ] User Interface / User Experience
- [ ] Performance
- [x] Other (please explain)
Describe the problem
Hi there, I am quite new to the MWDB project, I was wondering if there is a possibility of doing a YARA (retro)hunt with the distributed S3 storage. I have come over a tweet where you have that feature for the mwdb.cert.pl:
https://twitter.com/CERT_Polska_en/status/1270763534067150848
Few question:
- Do you consider releasing this feature to the public?
- Does this work with the S3 distributed storage backend?
- If not, do you have any other suggestion/idea how to perform YARA hunts when using the S3 distributed storage?
Thank you in advance!
[not a CERTPL member] Hey! :) MQuery can work on top of S3 so you can easily set up MQuery and retro hunt on your MWDB S3-hosted files. We do this @ Check Point and it works great
Hi! Currently mquery is integrated with mwdb.cert.pl via plugin that needs to be set up on both sides. We definitely plan to publish it and it's already shared with some people, but I want to improve it a bit before we make it public.
I'll notify you in this thread when we make any progress on that.
[not a CERTPL member] Hey! :) MQuery can work on top of S3 so you can easily set up MQuery and retro hunt on your MWDB S3-hosted files. We do this @ Check Point and it works great
How is the performance and how many samples do you check?
Hi! Currently mquery is integrated with mwdb.cert.pl via plugin that needs to be set up on both sides. We definitely plan to publish it and it's already shared with some people, but I want to improve it a bit before we make it public.
I'll notify you in this thread when we make any progress on that.
Hello!! are there any updates on the plugins? I tried searching but couldn't find it. :)
