...a simple, self-contained modular host-based IOC scanner
Spyre is a simple host-based IOC scanner built around the YARA pattern matching engine and other scan modules. The main goal of this project is easy operationalization of YARA rules and other indicators of compromise.
Users need to bring their own rule sets. The awesome-yara repository gives a good overview of free yara rule sets out there.
Spyre is intended to be used as an investigation tool by incident responders. It is not meant to evolve into any kind of endpoint protection service.
Using Spyre is easy:
Add YARA signatures. Per default, YARA rules are read from filescan.yar and procscan.yar for file scans and process memory scans, respectively. The following options exist for providing rules files to Spyre (and will be tried in this order):
$PROGRAM.zip: If the Spyre binary is called
ZIP file contents may be encrypted using the password (AV industry standard) to prevent antivirus software from mistaking parts of the ruleset for malicious content and blocking the scan.
YARA rule files may contain
Deploy, run the scanner
Run-time options can be either passed via command line parameters or via a file that params.txt. Empty lines and lines starting with the # character are ignored. Every line is interpreted as a single command line argument.
If a ZIP file has been appended to the Spyre binary, configuration and other files such as YARA rules are only read from this ZIP file. Otherwise, they are read from the directory into which the binary has been placed.
Some options allow specifying a list of items. This can be done by separating the items using a semicolon (;).
Normally (unless this switch is enabled), Spyre instructs the OS scheduler to lower the priorities of CPU time and I/O operations, in order to avoid disruption of normal system operation.
Explicitly set the hostname that will be used in the log file and in the report. This is usually not needed.
Set the log level. Valid: trace, debug, info, notice, warn, error, quiet.
Set one or more report targets, separated by a semicolon (;). Default: spyre.log in the current working directory, using the plain format.
A different output format can be specified by appending ,format=FORMAT. The following formats are currently supported:
plain, the default, a simple human-readable text format
tsjson, a JSON document that can be imported into Timesketch
Set one or more specific filesystem paths to scan. Default: or all fixed drives (Windows).
Set list of YARA rule files for scanning files on the system. Default: filescan.yar from appended ZIP file, $PROGRAM.ZIP, or current working directory.
Set list of YARA rule files for scanning processes' memory regions. Default: procscan.yar from appended ZIP file, $PROGRAM.ZIP, or current working directory.
Set maximum size for files to be scanned using YARA. Default: 32MB
Set names of processes that will not be scanned.
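A small pre-flight checker for the params.txt and option conventions described above (one argument per line, # comments, semicolon-separated lists, the ,format=FORMAT suffix on report targets). This is an added example, not Spyre's own code; it assumes options are written as --name=value on a single line and that the report option is spelled --report.

```python
"""Pre-flight checker for a Spyre params.txt (added example, not Spyre's code).
Conventions from the README: one argument per non-empty, non-comment line; list
values split on ';'; a report target may end in ',format=FORMAT' (plain|tsjson).
The option name --report and the --name=value spelling are assumptions."""

SUPPORTED_FORMATS = {"plain", "tsjson"}

# Constructed sample params.txt: a comment, a blank line and a two-target
# report list whose second target selects the tsjson (Timesketch) format.
SAMPLE_PARAMS = """\
# constructed example params.txt
--loglevel=notice

--report=spyre.log;/var/tmp/spyre.json,format=tsjson
--path=/home;/var/tmp
"""

def parse_params(text: str) -> list[str]:
    """Turn params.txt content into argv-style arguments, as Spyre reads it."""
    args = []
    for raw in text.splitlines():
        line = raw.strip()  # trimming surrounding whitespace is this checker's choice
        if not line or line.startswith("#"):
            continue  # blank lines and '#' comments are ignored
        args.append(line)  # no word splitting: one line is one argument
    return args

def split_list(value: str) -> list[str]:
    """Split a semicolon-separated option value, dropping empty items."""
    return [item for item in value.split(";") if item]

def parse_report_target(spec: str) -> tuple[str, str]:
    """Return (target, format) for one report target; format defaults to plain."""
    target, _, fmt = spec.partition(",format=")
    fmt = fmt or "plain"
    if fmt not in SUPPORTED_FORMATS:
        raise ValueError(f"unsupported report format {fmt!r} in {spec!r}")
    return target, fmt

def check_params(args: list[str]) -> list[str]:
    """Return the problems found in the report targets (empty when all is well)."""
    problems = []
    for arg in args:
        opt, _, value = arg.partition("=")
        if opt == "--report":
            for spec in split_list(value):
                try:
                    parse_report_target(spec)
                except ValueError as err:
                    problems.append(str(err))
    return problems
```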
YARA is configured with default settings, plus the following explicit
Spyre can be built for 32-bit and 64-bit Linux and Windows targets.
On a Debian/buster system (or a chroot) in which the following packages have been installed:
GOROOT has been set.
This describes the build environment that is exercised regularly via CI.
The same build has also been successfully tried on Fedora 30 with the following packages installed:
Once everything has been installed, just type make. This should download archives for musl-libc, openssl, yara, build those and then build spyre.
The bare spyre binaries are created in
make release creates a ZIP file that contains those binaries for all supported architectures.
Copyright 2018-2020 DCSO Deutsche Cyber-Sicherheitsorganisation GmbH
Copyright 2020 Spyre Project Authors (see: AUTHORS.txt)
This program is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
See the LICENSE file for the full license text.