mquery v1.4 releases: YARA malware query accelerator
mquery: YARA malware query accelerator
Ever had trouble searching for particular malware samples? Our project is an analyst-friendly web GUI to look through your digital warehouse.
mquery can be used to search through terabytes of malware in the blink of an eye.
How does it work?
YARA is pretty fast, but searching through large datasets for a given signature can take a lot of time. To counter this, we have implemented a custom database called UrsaDB. It pre-filters the candidate files, so it is only necessary to run YARA against a small fraction of the binaries:
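To make the two-stage idea concrete, here is an added toy illustration (not mquery's or UrsaDB's code): a trigram index answers "which files could possibly contain this literal?", and the exact check (YARA in the real system) runs only on those candidates. The corpus is constructed inline; the decoy file shows why the index is only a pre-filter and the second stage is still required.

```python
from collections import defaultdict

# Constructed sample "warehouse": file name -> raw bytes (stand-in for real samples).
CORPUS = {
    "hit.bin":   b"\x4d\x5a\x90\x00 payload: abcd and more",
    "decoy.bin": b"contains abc here and bcd there but not the literal",
    "clean.bin": b"nothing relevant in this file at all",
}

def ngrams(data: bytes, n: int = 3) -> set:
    """All contiguous n-byte substrings of data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def build_index(corpus: dict, n: int = 3) -> dict:
    """Inverted index: n-gram -> set of file names containing it (built once, offline)."""
    index = defaultdict(set)
    for name, data in corpus.items():
        for g in ngrams(data, n):
            index[g].add(name)
    return index

def candidates(index: dict, all_names, literal: bytes, n: int = 3) -> set:
    """Stage 1: files containing every n-gram of the literal.
    This is a SUPERSET of the true matches: a file may hold all the n-grams
    without holding the literal contiguously (see decoy.bin)."""
    grams = ngrams(literal, n)
    if not grams:                      # literal shorter than n: index cannot help
        return set(all_names)
    result = None
    for g in grams:
        hits = index.get(g, set())
        result = hits if result is None else result & hits
        if not result:                 # an n-gram nobody has: no file can match
            return set()
    return set(result)

def verify(corpus: dict, names, literal: bytes) -> set:
    """Stage 2: the exact (expensive) check, run only on candidates."""
    return {name for name in names if literal in corpus[name]}

def search(corpus: dict, index: dict, literal: bytes, n: int = 3):
    """Returns (candidates from the index, confirmed matches)."""
    cands = candidates(index, corpus.keys(), literal, n)
    return cands, verify(corpus, cands, literal)

if __name__ == "__main__":
    idx = build_index(CORPUS)
    print(search(CORPUS, idx, b"abcd"))     # decoy.bin is a candidate but not a match
```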
Changelog v1.4
Breaking changes
[Breaking change] mquery now uses the typedconfig library instead of the previous config.py file.
- if you deployed mquery using docker (configurable by environment variables), then no action is required and this is backwards-compatible for you
- if you deployed mquery natively using the default configuration, no action is required
- finally, if you deploy mquery natively and changed the default config.py, you will have to create a mquery.ini file with your config. The format is very simple. Example of a complete config file (there are only 4 possible configuration keys supported currently; all are optional):
New features
- It’s now possible to limit the number of yara-scanned files (#339)
- It’s now possible to disallow running slow queries (#315, #312)
- Added a configurable /about page, to describe your instance (#341)
- Daemon now has a --scale flag, to automatically fork into multiple processes (#298)
- More flexible user roles (#350, #314)
Documentation
- Mquery component documentation (#334)
- Yara support documentation (#333)
- S3 support documentation (#327)
UI Improvements
- Progress bar now shows more information (#345)
- Counter race condition fixed (#348)
- Bootstrap update and following fixes (#346,
Improvements
- A big backend improvement: jobs are now scheduled with the rq framework (#317)
- Exceptions thrown during filtering with plugins are now handled correctly (#317)
- Login is now faster – there are no unnecessary redirects (#322)
Bugfixes
- /about route fixed (#343)
- Indexing script won’t skip the last few files anymore (#328)
- Actually raise errors from the API (#311)
- Fix multi-agent job completion (#282)
Others
- Dockerignore and Gitignore updated (#344)
- Some obsolete features removed from the codebase (#330, #313, #306)
Installation
Docker
The web interface should be available at http://localhost.
Manual
Copyright (C) 2018 NASK PIB
Source: https://github.com/CERT-Polska/