我将一些 yara 规则从repo克隆到我的/home/student/Downloads/yara-forensics/file目录。下面显示了多个 .yar 文件。我还有一个名为的虚假恶意软件文件sample.file位于/home/student/Downloads. 我想遍历每个 .yar 文件并只返回匹配的 .yar 文件sample.file。
student@desktop:~/Downloads/yara-forensics/file$ ls -l
total 96
-rw-rw-r-- 1 student student 1138 Dec 8 21:18 apple.yar
-rw-rw-r-- 1 student student 6494 Dec 8 21:18 audio.yar
-rw-rw-r-- 1 student student 846 Dec 8 21:18 compressed.yar
-rw-rw-r-- 1 student student 903 Dec 8 21:18 crypto.yar
-rw-rw-r-- 1 student student 178 Dec 8 21:18 dex.yar
-rw-rw-r-- 1 student student 563 Dec 8 21:18 executables.yar
-rw-rw-r-- 1 student student 596 Dec 8 21:18 gif.yar
-rw-rw-r-- 1 student student 344 Dec 8 21:18 gps.yar
-rw-rw-r-- 1 student student 1183 Dec 8 21:18 jpeg.yar
-rw-rw-r-- 1 student student 580 Dec 8 21:18 mem_dumps.yar
-rw-rw-r-- 1 student student 1096 Dec 8 21:18 office.yar
-rw-rw-r-- 1 student student 458 Dec 8 21:18 pdf.yar
-rw-rw-r-- 1 student student 780 Dec 8 21:18 png.yar
-rw-rw-r-- 1 student student 315 Dec 8 21:18 skype.yar
-rw-rw-r-- 1 student student 689 Dec 8 21:18 sqlite.yar
-rw-rw-r-- 1 student student 474 Dec 8 21:18 telegram.yar
-rw-rw-r-- 1 student student 332 Dec 8 21:18 vcard.yar
-rw-rw-r-- 1 student student 8878 Dec 8 21:18 vector.yar
-rw-rw-r-- 1 student student 3636 Dec 8 21:18 video.yar
-rw-rw-r-- 1 student student 1036 Dec 8 21:18 vmware.yar
-rw-rw-r-- 1 student student 491 Dec 8 21:18 win_reg.yar
下面是我的脚本。
#!/bin/bash
for file in $(find /home/student/Downloads/yara-forensics/file -name '*.yar');
do test $(yara -c ${file} /home/student/Downloads/sample.file) -gt 0 && echo $file;
done 2>/dev/null
问题是它只返回一个结果,如下所示。它至少应该返回 6 个结果 ( compressed, executables, crypto, office, vector, and vmware)。我的脚本有什么问题?
student@desktop:/dev$ bash yarbash
/home/student/Downloads/yara-forensics/file/executables.yar