A Python package and command line utility for scanning emails with YARA rules
Project description
yaramail is a Python package and command line utility for scanning emails with
YARA rules. It is ideal for automated triage of phishing reports.
Features
yaramail scans all parts of an email via API or CLI:
- Headers
  - Removes header indents by default for consistent scanning
- Plain text and HTML body content
  - Converts body content to Markdown by default for consistent scanning
- Attachments
  - Raw file content
  - Emails attached to emails
  - PDF document text
  - ZIP file contents, including nested ZIP files
    - Customizable list of passwords to use when attempting to scan encrypted ZIP files
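As an added example that is not yaramail's own code, this stdlib-only sketch shows what the feature list above amounts to in practice: unfolding header indents, pulling text bodies out, and walking ZIP attachments (nested ZIPs included) with a candidate password list for encrypted members. The function names, the nesting cap of 4 and the constructed sample message are assumptions of this example, not the package's API; HTML-to-Markdown conversion and PDF text extraction need third-party libraries and are left out.

```python
import email, io, zipfile
from email.message import EmailMessage, Message

def unfolded_headers(msg: Message) -> str:
    # One "Name: value" line per header, with folding indents collapsed to a space
    return "\n".join(f"{k}: {' '.join(v.split())}" for k, v in msg.items())

def zip_members(data: bytes, passwords: list, depth: int = 0):
    # Yield (name, bytes) per file, descending into nested ZIPs (depth-capped)
    # and trying each candidate password (bytes) on encrypted members
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in [i for i in zf.infolist() if not i.is_dir()]:
            for pwd in [None] + passwords:
                try:
                    content = zf.read(info, pwd=pwd)
                except (RuntimeError, zipfile.BadZipFile):
                    continue  # missing or wrong password: try the next one
                if zipfile.is_zipfile(io.BytesIO(content)) and depth < 4:
                    yield from zip_members(content, passwords, depth + 1)
                else:
                    yield info.filename, content
                break  # members that no candidate password opens are skipped

def scan_targets(raw: bytes, passwords=()):
    # Yield (category, part name, text) for every part a rule set would scan;
    # Message.walk() also descends into emails attached as message/rfc822
    msg = email.message_from_bytes(raw)
    yield "header", "headers", unfolded_headers(msg)
    for part in msg.walk():
        if part.is_multipart():
            continue
        data, name = part.get_payload(decode=True) or b"", part.get_filename()
        if name is None and part.get_content_maintype() == "text":
            yield "body", part.get_content_type(), data.decode(part.get_content_charset() or "utf-8", "replace")
        elif zipfile.is_zipfile(io.BytesIO(data)):
            for inner, content in zip_members(data, list(passwords)):
                yield "attachment", f"{name}:{inner}", content.decode("latin-1")
        else:
            yield "attachment", name or part.get_content_type(), data.decode("latin-1")

def sample_email() -> bytes:
    # Constructed sample: a folded X-Mailer header, lure text and a ZIP inside a ZIP
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z: z.writestr("run.bat", "powershell.exe -File update.ps1\r\n")
    with zipfile.ZipFile(outer, "w") as z: z.writestr("inner.zip", inner.getvalue())
    msg = EmailMessage()
    msg["X-Mailer"] = "PHPMailer 6.1 " + " ".join(["build"] * 20)  # long enough to be folded
    msg.set_content("Please verify your account.")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

Each yielded triple is the text a header, body or attachment rule set would be run against; yaramail does that step with real compiled YARA rules.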
CLI
usage: A YARA scanner for emails [-h] [-V] [-v] [--output OUTPUT]
[--rules RULES] [--header-rules HEADER_RULES]
[--body-rules BODY_RULES]
[--header-body-rules HEADER_BODY_RULES]
[--attachment-rules ATTACHMENT_RULES]
[--trusted-domains TRUSTED_DOMAINS]
scan_path
positional arguments:
scan_path The file(s) to scan (wildcards allowed)
options:
-h, --help show this help message and exit
-V, --version show program's version number and exit
-v, --verbose Output the entire parsed email (default: False)
--output OUTPUT, -o OUTPUT
Redirect output to a file (default: None)
--rules RULES A path to a directory that contains YARA rules. Can be
set by the YARA_RULES_DIR environment variable.
(default: .)
--header-rules HEADER_RULES
Filename of the header rules file. Can be set by the
YARA_HEADER_RULES environment variable. (default:
header.yar)
--body-rules BODY_RULES
Filename of the body rules file. Can be set by the
YARAMAIL_BODY_RULES environment variable. (default:
body.yar)
--header-body-rules HEADER_BODY_RULES
Filename of the header_body rules file. Can be set by
the YARAMAIL_HEADER_BODY_RULES environment variable.
(default: header_body.yar)
--attachment-rules ATTACHMENT_RULES
Filename of the body rules file. Can be set by the
YARAMAIL_BODY_RULES environment variable. (default:
attachment.yar)
--trusted-domains TRUSTED_DOMAINS
A path to a file containing a list of trusted domains.
Can be set by the YARAMAIL_TRUSTED_DOMAINS environment
variable. (default: trusted_domains.txt)
Installation
It is not recommended to use `yaramail` in the same OS that is targeted by
the potential malware you are scanning. Consider using `yaramail` inside of a
container or VM for additional security.
System dependencies
Some system dependencies must be installed before installing yaramail.
Debian, Ubuntu, and friends
sudo apt install build-essential libpoppler-cpp-dev pkg-config python3-dev
Fedora, Red Hat, and friends
sudo yum install gcc-c++ pkgconfig poppler-cpp-devel python3-devel
macOS
Install Homebrew, then run the following command in a terminal.
brew install pkg-config poppler python
Windows
- Install the Microsoft Visual Studio Build Tools
- Install Anaconda Distribution
- Use Anaconda Navigator to create a new Anaconda Environment
- Click the play button for the Anaconda Environment
- Click Open Terminal
- Run this command and leave the terminal open:
conda install -c conda-forge poppler
- Configure your Python IDE/project to use the Anaconda Environment
Install yaramail
The official name for this project, package, and module is `yaramail`.
Unfortunately, the Python Package Index (PyPI) did not allow that name to be
used there, so the PyPI project name for `yaramail` is `yara-mail`.
In a terminal, run
pip3 install -U yara-mail
Download files
Source Distribution: yara_mail-1.1.1.tar.gz (12.1 kB)
Built Distribution: yara_mail-1.1.1-py3-none-any.whl (12.7 kB)
File details
Details for the file yara_mail-1.1.1.tar.gz.
File metadata
- Download URL: yara_mail-1.1.1.tar.gz
- Upload date:
- Size: 12.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: python-httpx/0.23.0
File hashes
Algorithm | Hash digest
---|---
SHA256 | d76ce0f7e2bb56c82e390be96961528162fb0bf5be37a49918603ec1485a36c9
MD5 | d22e535b57da32bbd47570703a38d6da
BLAKE2b-256 | 6671d76b23e071d2d237fc23ede6f532a4336ea84349a2cdc22d61354b0ef953
File details
Details for the file yara_mail-1.1.1-py3-none-any.whl.
File metadata
- Download URL: yara_mail-1.1.1-py3-none-any.whl
- Upload date:
- Size: 12.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: python-httpx/0.23.0
File hashes
Algorithm | Hash digest
---|---
SHA256 | 8fb21772dbabad190927ef626478708283c9ff509e7f7a52cb04b998a8be135d
MD5 | 3000a07b0feb5a94f31fcf81f89ef48b
BLAKE2b-256 | 0eeb2c69b8007f578ba54b2ec8dee02dde73833c47983a771e4294fb68df983f