Scout Sniper (scoutsniper) is a wrapper program for the Yara malware identification and classification tool and the fuzzy hashing program ssdeep. scoutsniper is designed to run all of the files in a designated directory against a designated Yara rule file or against ssdeep's fuzzy hashing dynamic link library (fuzzy.dll). Files that trigger a Yara rule or have a fuzzy hash comparison score greater than fifty generate an alert. Additional functionality includes copying and deleting the files that generate alerts. Scout Sniper can be run locally on a system or against remote systems, depending on system and network configurations. Remote systems DO NOT require Python, Yara, or ssdeep to function properly.
Download Scout Sniper: scoutsniper.zip md5sum e79e861a0071a9d8f70bd948713d83fa
Original version: Download Yara – Scout Sniper: yara-ss.zip md5sum e8cb4bb98706d69761a7ab8fffd399b9
Systems: scoutsniper has been successfully tested on the following platforms:
- Windows XP SP3
scoutsniper is run from a command line interface on a Microsoft Windows platform. On systems with Python 2.5, pywin32, yara-python-1.2, and fuzzy.dll installed, scoutsniper can be run as the Python script. For systems without these requirements, the Windows executable scoutsniper.exe has been created using Py2Exe.
Information about how to create and maintain Yara Rule files can be found at the yara-project site. More specifically, the Yara User’s Manual goes into great detail as to how rules are developed.
Information pertaining to Fuzzy Hashing can be obtained from the ssdeep project site.
The following help information describes the command line options that are available to both the scoutsniper python script and the executable.
Scout Sniper Help
C:\Development\scoutsniper\scoutsniper>scoutsniper.exe -h
Scout Sniper release: scoutsniper/0.2
Author: Don C. Weber
usage: ./scoutsniper.py [-h|--help] [-V|--version] [-y| -Y yara rule file] [-s sample file]
[-S int] [-r remote_host(s)] [-u username] [-p passwd]
[-c storage_directory] [-k] [-m] [-R] -d <search_directory>
-h | --help: Print this help.
-V | --version: Version information.
-y: Perform Yara Scan. Using default rule location '.\yara_rules\yara_rules.yr'.
-Y: Perform Yara Scan. Using the Yara Rule File location provided.
-s: Perform ssdeep Scan. Input is the path to a sample file to use.
ssDeep functionality requires the Fuzzy Dll file from the ssDeep Windows
binary. The Dll file can be obtained from http://ssdeep.sourceforge.net/.
The fuzzy.dll file should be located in the same directory as this script
or executable.
-S: The lowest score to use when alerting on like files. An integer between 1 – 100
-d: The directory to search. This option is required.
-r: The remote host(s) to search. Can be a single IP Address/Hostname or
multiple IP Addresses/Hostnames in a comma separated list with no spaces.
-u: Username for the account to access remote systems.
Active Directory environments may have to provide 'domain\acct' but
this has not been tested.
-p: Password for the account to access remote systems.
This information may end up in command line history files and
be passed in clear text depending on system configurations.
-c: Copy files that generate alerts. It requires a storage location.
-k: Delete files that generate alerts.
-m: Search memory.
This option is in development and not enabled.
-R: Search all sub-directories.
-W: Skip warning message. Using this option indicates that the user
accepts the program warning and that using the delete functionality
can damage the system, programs, and applications.
Running Scout Sniper Python Script with ssDeep Option
C:\Development\scoutsniper\scoutsniper>scoutsniper.py -s "C:\Development\vfiles\armadillo\1db5476c766555c9995b25d19f97b9bc.bin" -d "C:\Development\vfiles" -R
sdir: C:\Development\vfiles
There is no warranty for this program. Use at your own risk and only with permission.
If you use the deletion option you may damage your system, programs or applications.
Enter YES to indicate you have read and understand this warning and wish to proceed.
-> YES
Scout Sniper: Happy Hunting
Start Time: 2009-02-16.22:06:40.937000
Searching Local: C:\Development\vfiles
Checking: C:\Development\vfiles\armadillo\04bd809f1cf95eef8b7afd301dea9cd3.bin
Sample File Hash: '1536:4dlWJX+NT6wCg8JShVJs2t/D35mDVg7P5j3eOUWOjgxNWQTTprOh/eJwKeUodu5:dX/oK27guP57exW3DTpvEUod'
Alert: 04bd809f1cf95eef8b7afd301dea9cd3.bin scored 99
Checking: C:\Development\vfiles\armadillo\1db5476c766555c9995b25d19f97b9bc.bin
Alert: 1db5476c766555c9995b25d19f97b9bc.bin scored 100
Checking: C:\Development\vfiles\armadillo\28df8101c0faf75f1857b4618e48126c.bin
Alert: 28df8101c0faf75f1857b4618e48126c.bin scored 96
Checking: C:\Development\vfiles\armadillo\6eb5925ba90e2bfac282e24ad1738ae5.bin
Alert: 6eb5925ba90e2bfac282e24ad1738ae5.bin scored 75
Checking: C:\Development\vfiles\armadillo\8byte-random.dll
Checking: C:\Development\vfiles\armadillo\917c085aca2534af20a547ff1104af43.bin
Checking: C:\Development\vfiles\armadillo\c970dea460bc5f9048c287c1fa0709fa.bin
Alert: c970dea460bc5f9048c287c1fa0709fa.bin scored 96
Checking: C:\Development\vfiles\armadillo\jwgkvsq.vmx
Checking: C:\Development\vfiles\none\00000008.dll
.
[snip]
.
Checking: C:\Development\vfiles\none\8ce32ded1724873c15ca2f922739d8e6.bin
Checking: C:\Development\vfiles\none\916fd6183443d8ac69d478a47633343b.bin
Alert: 916fd6183443d8ac69d478a47633343b.bin scored 99
Checking: C:\Development\vfiles\none\9af53ea044f0dce268a02a8e3c9d9aee.bin
Checking: C:\Development\vfiles\none\9c4ad5fe1345f705659be8fc11777bd1.bin
Checking: C:\Development\vfiles\none\9d45897aff47350e2a0920efb24af85c.bin
.
[snip]
.
Finish Time: 2009-02-16.22:06:41.656000
Scout Sniper Done
Running Scout Sniper EXE on a Remote System with ssDeep Option
C:\s\Development\scoutsniper\scoutsniper>scoutsniper.exe -u "remuser" -p "userpassword" -r 192.168.1.2 -s "C:\Development\vfiles\armadillo\1db5476c766555c9995b25d19f97b9bc.bin" -d "C:\Development\vfiles2" -R
sdir: C:\Development\vfiles2
There is no warranty for this program. Use at your own risk and only with permission.
If you use the deletion option you may damage your system, programs or applications.
Enter YES to indicate you have read and understand this warning and wish to proceed.
-> YES
Scout Sniper: Happy Hunting
Start Time: 2009-02-16.22:29:20.453000
Searching Remote: C:\Development\vfiles2 on 1 remote systems.
Remote Host: 192.168.1.2
Checking: \\192.168.1.2\C$\Development\vfiles2\armadillo\28df8101c0faf75f1857b4618e48126c.bin
Sample File Hash: '1536:4dlWJX+NT6wCg8JShVJs2t/D35mDVg7P5j3eOUWOjgxNWQTTprOh/eJwKeUodu5:dX/oK27guP57exW3DTpvEUod'
Alert: 28df8101c0faf75f1857b4618e48126c.bin scored 96
Checking: \\192.168.1.2\C$\Development\vfiles2\armadillo\am1.bin
Alert: am1.bin scored 99
Checking: \\192.168.1.2\C$\Development\vfiles2\armadillo\am2.bin
Alert: am2.bin scored 100
Checking: \\192.168.1.2\C$\Development\vfiles2\armadillo\am3.bin
Alert: am3.bin scored 75
Checking: \\192.168.1.2\C$\Development\vfiles2\armadillo\am4.bin
Checking: \\192.168.1.2\C$\Development\vfiles2\armadillo\am5.bin
Alert: am5.bin scored 96
Checking: \\192.168.1.2\C$\Development\vfiles2\armadillo\am6.bin
Checking: \\192.168.1.2\C$\Development\vfiles2\none\nn0.bin
Checking: \\192.168.1.2\C$\Development\vfiles2\none\nn1.bin
.
[snip]
.
Checking: \\192.168.1.2\C$\Development\vfiles2\none\nn7.bin
Checking: \\192.168.1.2\C$\Development\vfiles2\none\nn70.bin
Alert: nn70.bin scored 99
Checking: \\192.168.1.2\C$\Development\vfiles2\none\nn71.bin
Checking: \\192.168.1.2\C$\Development\vfiles2\none\nn72.bin
.
[snip]
.
Finish Time: 2009-02-16.22:29:23.906000
Scout Sniper Done
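An added example, not part of Scout Sniper itself, that turns the output shown in the local and remote runs above into a triage list: it re-applies a score threshold (the -S idea) and groups hits by host and directory. It assumes only the line formats visible in the transcripts (Searching Local/Remote, Remote Host, Checking, Alert ... scored N); the sample output below is constructed from them.

```python
import re
from collections import defaultdict

# Constructed sample in the line formats scoutsniper prints (abridged; not real output).
SAMPLE_OUTPUT = r"""
Searching Local: C:\Development\vfiles
Checking: C:\Development\vfiles\armadillo\04bd809f1cf95eef8b7afd301dea9cd3.bin
Alert: 04bd809f1cf95eef8b7afd301dea9cd3.bin scored 99
Checking: C:\Development\vfiles\armadillo\8byte-random.dll
Searching Remote: C:\Development\vfiles2 on 1 remote systems.
Remote Host: 192.168.1.2
Checking: \\192.168.1.2\C$\Development\vfiles2\armadillo\am3.bin
Alert: am3.bin scored 75
Checking: \\192.168.1.2\C$\Development\vfiles2\none\nn70.bin
Alert: nn70.bin scored 55
"""

LOCAL_RE = re.compile(r"^Searching Local: ")
HOST_RE = re.compile(r"^Remote Host: (\S+)$")
CHECK_RE = re.compile(r"^Checking: (.+)$")
ALERT_RE = re.compile(r"^Alert: (.+) scored (\d+)$")

def parse_alerts(text, min_score=50):
    """Return [(host, full_path, score)] for alerts scoring >= min_score. An 'Alert:' line
    names only the file; its full path (local or UNC admin share) is the preceding 'Checking:' line."""
    host, last_path, alerts = "localhost", None, []
    for line in text.splitlines():
        line = line.strip()
        if LOCAL_RE.match(line):
            host = "localhost"
        elif m := HOST_RE.match(line):
            host = m.group(1)
        elif m := CHECK_RE.match(line):
            last_path = m.group(1)
        elif m := ALERT_RE.match(line):
            name, score = m.group(1), int(m.group(2))
            # An alert that does not belong to the last checked file is a parse error, not a hit.
            if last_path is None or not last_path.endswith("\\" + name):
                raise ValueError("Alert for %r has no matching Checking line" % name)
            if score >= min_score:
                alerts.append((host, last_path, score))
    return alerts

def alerts_by_host_dir(alerts):
    """Count alerts per (host, directory) so hits cluster by location for triage."""
    counts = defaultdict(int)
    for host, path, _score in alerts:
        counts[(host, path.rsplit("\\", 1)[0])] += 1
    return dict(counts)
```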