BinaryAlert

BinaryAlert is a serverless, real-time framework for detecting malicious files. BinaryAlert can efficiently analyze millions of files a day with a configurable set of YARA rules and will trigger an alert as soon as anything malicious is discovered! Organizations can deploy BinaryAlert to their AWS account in a matter of minutes, allowing them to analyze internal files and documents within the confines of their own environment.

Features

• Built with Amazon Web Services (AWS): An AWS account is all you need to deploy BinaryAlert.
• Broad YARA support: BinaryAlert includes dozens of YARA rules out-of-the-box and makes it easy to add your own rules or clone them from other repositories.
• Real-Time: Files uploaded to BinaryAlert (S3 bucket) are immediately queued for analysis.
• Serverless: All computation is handled by Lambda functions. No servers to manage means stronger security and automatic scaling!
• Infrastructure-As-Code: The entire infrastructure is described with Terraform configuration files, enabling anyone to deploy BinaryAlert in a matter of minutes with a single command.
• Retroactive Analysis: After updating the YARA ruleset, BinaryAlert can retroactively scan the entire file corpus to find any new matches.
• Production-Ready: BinaryAlert ships with a custom metric dashboard and alarms which automatically trigger on error conditions.
• Low Cost: The AWS bill is based only on how many files you upload and how often they are re-analyzed.

Resources

• GitHub Repo
• Blog Post
• Slack (unofficial)

Table of Contents

• Getting Started
  • Install Dependencies
  • Download BinaryAlert
  • Set AWS Credentials
  • Deploy!
• Creating an IAM Group
• Architecture
  • Analysis Lifecycle
• Adding YARA Rules
  • Included Rules
  • Clone Rules From Other Projects
    • Configuring Rule Sources
  • Write Your Own Rules
  • External Variables
  • Supported Modules
  • Disabling Rules
  • Testing Your Rules
• Deploying
  • Lambda Versions and Aliases
  • Add SNS Subscriptions
  • Terraform State
  • Terraform Commands
  • Teardown
• Analyzing Files
  • Uploading Files
  • Analyzing Existing Buckets
    • Direct Invocation
    • Configuring Event Notifications
  • Retroactive Analysis
    • Stopping a Retro Scan
  • CarbonBlack Downloader
    • Copy All Files
    • Real-Time Invocations
• YARA Matches
  • DynamoDB Records
  • SNS Match Alerts
  • SNS Non-Match Alerts
• Metrics and Monitoring
  • Logging
  • Custom Metrics
  • Metric Alarms
  • Dashboard
• Troubleshooting / FAQ
  • How long does it take a file to be analyzed?
  • What’s the filesize limit?
  • YARA rules with “hash” or “imphash” fail to compile
  • How much does BinaryAlert cost?
  • Does BinaryAlert automatically test YARA rules?
  • Why did my live test fail?
  • How do I setup YARA match / metric alarm alerts?
  • Analyzer timeouts
  • Terraform destroy fails because “bucket is not empty”
  • Contact Us
• Credits
  • People
  • YARA Rules
  • Open-Source Tools
    • Bundled Software