I just updated the Scout Sniper page with a new release of the tool. Actually, this tool was originally called Yara-Scout Sniper but I changed the name because of the new functionality that was added.
Scout Sniper now uses two different methods to detect suspicious files on a local or remote system(s). The original functionality using the Yara Rules to locate malware files is still present. Because of difficulties I ran into generating Yara Rule files to alert on Conficker/Downadup, I decided to try other methods to detect similar files. I initially started looking into generating hashes for the PE file headers and sections but after some testing and recommendations from a few friends I fell back to using fuzzy hashing. The new feature using Fuzzy Hashing functionality from the ssdeep project determines if any files are similar to a sample file provided by the user.
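To make the fuzzy-hashing idea concrete, here is an added example that is not Scout Sniper's or ssdeep's own code: a deliberately simplified context-triggered piecewise hash in the style of ssdeep (a byte-sum rolling hash and a fixed block size of 16 are assumptions made for brevity; ssdeep derives the block size from file length), run over constructed data to show why a variant with one token changed still alerts against the user's sample while an exact hash does not.

```python
import hashlib
from difflib import SequenceMatcher

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7   # bytes covered by the rolling hash
BLOCK = 16   # fixed trigger block size (assumption; ssdeep derives it from file length)

def exact_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()   # any single-byte change flips this completely

def piece_char(piece: bytes) -> str:
    """32-bit FNV-1a over one piece, folded to a single base64 character."""
    h = 0x811C9DC5
    for b in piece:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return B64[h & 63]

def fuzzy_hash(data: bytes) -> str:
    """Context-triggered piecewise hash: a piece ends wherever the rolling hash of
    the last WINDOW bytes hits the trigger, so an edit only disturbs nearby pieces."""
    sig, start = [], 0
    for i in range(len(data)):
        rolling = sum(data[max(0, i - WINDOW + 1):i + 1])
        if rolling % BLOCK == BLOCK - 1:
            sig.append(piece_char(data[start:i + 1]))
            start = i + 1
    if start < len(data):  # trailing partial piece
        sig.append(piece_char(data[start:]))
    return f"{BLOCK}:{''.join(sig)}"

def similarity(h1: str, h2: str) -> int:
    """0-100 score; like ssdeep, demand a common run of 7 signature chars
    before reporting any match, so unrelated files score exactly 0."""
    s1, s2 = h1.split(":", 1)[1], h2.split(":", 1)[1]
    sm = SequenceMatcher(None, s1, s2, autojunk=False)
    if sm.find_longest_match(0, len(s1), 0, len(s2)).size < 7:
        return 0
    return round(sm.ratio() * 100)

def scan(sample: bytes, candidates: dict, threshold: int = 50) -> dict:
    # {name: score} for every candidate at least `threshold` similar to the sample
    ref = fuzzy_hash(sample)
    scores = {n: similarity(ref, fuzzy_hash(blob)) for n, blob in candidates.items()}
    return {n: s for n, s in scores.items() if s >= threshold}

SAMPLE = b"".join(b"[%03d] service=updater host=build-%02d state=ok\n" % (i, i % 7) for i in range(40))  # constructed sample
VARIANT = SAMPLE.replace(b"[020] service=updater", b"[020] service=dropper", 1)  # one token changed
OTHER = b"".join(b"GET /index.html?id=%d HTTP/1.1\r\nHost: example.test\r\n\r\n" % i for i in range(40))  # unrelated

if __name__ == "__main__":
    print("exact hashes match:", exact_hash(SAMPLE) == exact_hash(VARIANT))
    print("fuzzy alerts:", scan(SAMPLE, {"variant.bin": VARIANT, "other.bin": OTHER}))
```

The scan output is the alert list the tool's copy or delete step would act on; note that the 7-character common-run rule is what keeps unrelated files from producing low-but-nonzero noise scores.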
The tool has also been updated to provide copying and deletion capabilities. Hence the Scout Sniper title. Users can now copy or delete files that generate alerts. Of course the delete functionality should be used with caution.
As usual, please provide me with any feedback, recommendations, or requests. I would also be very happy to know how Scout Sniper is being used and any success or failure stories.
Go forth and do good things,
Don C. Weber
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported.