Skip to main content

A Python package and command line utility for scanning emails with YARA rules

Project description

yaramail logo

yaramail

PyPI PyPI - Downloads

yaramail is a Python package and command line utility for scanning emails with YARA rules. It is Ideal for automated triage of phishing reports.

Features

yaramail scans all parts of an email via API or CLI

  • Headers
    • Removes header indents by default for consistent scanning
  • Plain text and HTML body content
    • Converts body content to Markdown by default for consistent scanning
  • Attachments
    • Raw file content
    • Emails attached to emails
    • PDF document text
    • ZIP file contents, including nested ZIP files
      • Customizable list of passwords to use when attempting to scan encrypted ZIP files

CLI

usage: A YARA scanner for emails [-h] [-V] [-v] [--output OUTPUT]
                                 [--rules RULES] [--header-rules HEADER_RULES]
                                 [--body-rules BODY_RULES]
                                 [--header-body-rules HEADER_BODY_RULES]
                                 [--attachment-rules ATTACHMENT_RULES]
                                 [--trusted-domains TRUSTED_DOMAINS]
                                 scan_path

positional arguments:
  scan_path             The file(s) to scan (wildcards allowed)

options:
  -h, --help            show this help message and exit
  -V, --version         show program's version number and exit
  -v, --verbose         Output the entire parsed email (default: False)
  --output OUTPUT, -o OUTPUT
                        Redirect output to a file (default: None)
  --rules RULES         A path to a directory that contains YARA rules. Can be
                        set by the YARA_RULES_DIR environment variable.
                        (default: .)
  --header-rules HEADER_RULES
                        Filename of the header rules file. Can be set by the
                        YARA_HEADER_RULES environment variable. (default:
                        header.yar)
  --body-rules BODY_RULES
                        Filename of the body rules file. Can be set by the
                        YARAMAIL_BODY_RULES environment variable. (default:
                        body.yar)
  --header-body-rules HEADER_BODY_RULES
                        Filename of the header_body rules file. Can be set by
                        the YARAMAIL_HEADER_BODY_RULES environment variable.
                        (default: header_body.yar)
  --attachment-rules ATTACHMENT_RULES
                        Filename of the body rules file. Can be set by the
                        YARAMAIL_BODY_RULES environment variable. (default:
                        attachment.yar)
  --trusted-domains TRUSTED_DOMAINS
                        A path to a file containing a list of trusted domains.
                        Can be set by the YARAMAIL_TRUSTED_DOMAINS environment
                        variable. (default: trusted_domains.txt)

Installation

It is not recommended to use `yaramail` in the same OS that is targeted by 
the potential malware you are scanning. Consider using `yaramail` inside of a
container or VM for additional security.

System dependencies

Some system dependencies must be installed before installing yaramail.

Debian, Ubuntu, and friends

sudo apt install build-essential libpoppler-cpp-dev pkg-config python3-dev

Fedora, Red Hat, and friends

sudo yum install gcc-c++ pkgconfig poppler-cpp-devel python3-devel

macOS

Install Homebrew, then run the following command in a terminal.

brew install pkg-config poppler python

Windows

  1. Install the Microsoft Visual Studio Build Tools
  2. Install Anaconda Distribution
  3. Use Anaconda Navigator to create a new Anaconda Environment
  4. Click the play button for the Anaconda Environment
  5. Click Open Terminal
  6. Run this command and leave the terminal open:
    conda install -c conda-forge poppler
    
  7. Configure your Python IDE/project to use the Anaconda Environment

Install yaramail

The official name for this project, package, and module is `yaramail`. 
Unfortunately, the Python Package Index (PyPI) [did not allow that name to be
used there][pypi-name-issue], so the PyPI project name for `yaramail` is 
`yara-mail`.

In a terminal, run

pip3 install -U yara-mail

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

yara_mail-1.1.1.tar.gz (12.1 kB view details)

Uploaded Source

Built Distribution

yara_mail-1.1.1-py3-none-any.whl (12.7 kB view details)

Uploaded Python 3

File details

Details for the file yara_mail-1.1.1.tar.gz.

File metadata

  • Download URL: yara_mail-1.1.1.tar.gz
  • Upload date:
  • Size: 12.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: python-httpx/0.23.0

File hashes

Hashes for yara_mail-1.1.1.tar.gz
Algorithm Hash digest
SHA256 d76ce0f7e2bb56c82e390be96961528162fb0bf5be37a49918603ec1485a36c9
MD5 d22e535b57da32bbd47570703a38d6da
BLAKE2b-256 6671d76b23e071d2d237fc23ede6f532a4336ea84349a2cdc22d61354b0ef953

See more details on using hashes here.

File details

Details for the file yara_mail-1.1.1-py3-none-any.whl.

File metadata

  • Download URL: yara_mail-1.1.1-py3-none-any.whl
  • Upload date:
  • Size: 12.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: python-httpx/0.23.0

File hashes

Hashes for yara_mail-1.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 8fb21772dbabad190927ef626478708283c9ff509e7f7a52cb04b998a8be135d
MD5 3000a07b0feb5a94f31fcf81f89ef48b
BLAKE2b-256 0eeb2c69b8007f578ba54b2ec8dee02dde73833c47983a771e4294fb68df983f

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page