This post was inspired while I was playing around with the new SIFT workstation and needed to get my tools and scripts onto the VM. A couple of team members saw what I was doing and did not know this was possible, so I figured I would write up a quick post on how to convert your ClamAV database into a set of Yara rules that you can use during your investigations.
You can get the Python script here.
# for ClamAV (should already be installed; this is just to verify)
sudo apt-get install clamav clamav-freshclam
sudo freshclam

# for Yara
sudo apt-get install libpcre3 libpcre3-dev
sudo apt-get install yara

# unpack the ClamAV database into its .ndb/.hdb parts, then convert the .ndb signatures
sigtool -u /var/lib/clamav/main.cvd
python clamav_to_yara.py -f main.ndb -o clamav.yara
There is one rule I had to clean up manually, though:
vim +199819 clamav.yara
Once that is done, you can use this file anywhere you would use your Yara rules.
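To show what the conversion step actually does (and why a rule or two can need manual cleanup afterwards), here is an added, self-contained converter for the ClamAV .ndb body-signature format. It is example code written for this post, not the linked clamav_to_yara.py script, and the .ndb lines in SAMPLE_NDB are constructed for illustration rather than taken from a real main.ndb. It translates the ClamAV hex-signature constructs that have a direct Yara equivalent (?? and nibble wildcards, *, {n}, {n-m}, {-n}, {n-}, (aa|bb) alternatives) and reports everything else as skipped instead of emitting a rule Yara would refuse to compile; the unsupported-construct check and the offset handling are deliberately conservative.

```python
#!/usr/bin/env python3
"""Convert ClamAV .ndb body-signature lines into YARA rules (example code)."""
import re
import sys

# Constructed sample .ndb lines (SigName:TargetType:Offset:HexSig); made up
# for illustration, not entries from a real main.ndb.
SAMPLE_NDB = """\
Example.Test-1:0:*:4d5a90000300??00{2-4}ffff
Example.Test-2:1:512:deadbeef(0a|0b)cafe
Example.Bad.Name!x:0:EP+0:4142*4344
Example.Unsupported:0:*:41[1-3]42
"""

# One ClamAV hex-signature token at a time: the '*' jump, '{...}' length
# ranges, '(aa|bb)' alternatives, or a two-character byte / wildcard pair.
HEX_TOKEN = re.compile(
    r"\*|\{(?:\d+-?\d*|-\d+)\}|\([0-9a-fA-F?]+(?:\|[0-9a-fA-F?]+)+\)|[0-9a-fA-F?]{2}"
)
IDENT_BAD = re.compile(r"[^A-Za-z0-9_]")   # YARA identifiers: [A-Za-z0-9_], no leading digit


def _pairs(hexstr):
    """Split 'aabbcc' into 'AA BB CC'; an odd length is malformed."""
    if len(hexstr) % 2:
        raise ValueError(f"odd-length hex fragment {hexstr!r}")
    return " ".join(hexstr[i:i + 2].upper() for i in range(0, len(hexstr), 2))


def convert_hex(sig):
    """Translate a ClamAV hex signature into the body of a YARA hex string."""
    out, pos = [], 0
    while pos < len(sig):
        m = HEX_TOKEN.match(sig, pos)
        if not m:   # e.g. [x-y] byte-position ranges, (B)/(L)/(W) anchors, !(..) negation
            raise ValueError(f"unsupported construct at {pos}: {sig[pos:pos + 8]!r}")
        tok = m.group(0)
        if tok == "*":
            out.append("[-]")                        # any number of bytes
        elif tok.startswith("{"):
            body = tok[1:-1]
            if "-" in body:
                lo, hi = body.split("-", 1)
                out.append(f"[{lo or 0}-{hi}]")     # {n-m}; {-m} -> [0-m]; {n-} -> [n-]
            else:
                out.append(f"[{body}]")              # {n} -> [n]
        elif tok.startswith("("):
            out.append("(" + " | ".join(_pairs(a) for a in tok[1:-1].split("|")) + ")")
        else:
            out.append(tok.upper())                  # plain byte or ??/a?/?a wildcard
        pos = m.end()
    # YARA rejects a jump at either end of a hex string, and a pattern that
    # starts or ends with a wildcard has nothing fixed to anchor on: skip both.
    if not out or out[0].startswith(("[", "?")) or out[-1].startswith(("[", "?")):
        raise ValueError("signature is empty or starts/ends with a jump or wildcard")
    return " ".join(out)


def ndb_to_yara_rule(line, seen):
    """Build one YARA rule from an .ndb line; 'seen' keeps rule names unique."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("malformed .ndb line")
    name, target, offset, hexsig = parts[:4]
    body = convert_hex(hexsig)
    ident = IDENT_BAD.sub("_", name)
    if not ident or ident[0].isdigit():
        ident = "_" + ident
    base, n = ident, 1
    while ident in seen:
        n += 1
        ident = f"{base}_{n}"
    seen.add(ident)
    if offset == "*":
        cond = "$a"
    elif offset.isdigit():
        cond = f"$a at {offset}"                     # absolute file offset
    else:
        # EP+n, EOF-n and section-relative offsets are not translated here;
        # the rule matches anywhere and the lost constraint is recorded inline.
        cond = f"$a  // ClamAV offset {offset} not translated"
    meta_name = name.replace("\\", "\\\\").replace('"', '\\"')
    return (
        f"rule {ident}\n{{\n"
        f"    meta:\n        source = \"ClamAV\"\n        original_name = \"{meta_name}\"\n"
        f"        target_type = \"{target}\"\n"
        f"    strings:\n        $a = {{ {body} }}\n"
        f"    condition:\n        {cond}\n}}\n"
    )


def convert_ndb(text):
    """Convert every line of an .ndb file. Returns (yara_text, skipped_lines)."""
    rules, skipped, seen = [], [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        try:
            rules.append(ndb_to_yara_rule(line, seen))
        except ValueError as exc:
            skipped.append((lineno, line.split(":")[0], str(exc)))
    return "\n".join(rules), skipped


if __name__ == "__main__":
    # Usage: python3 ndb_to_yara.py main.ndb > clamav.yara  (no argument: built-in sample)
    src = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_NDB
    yara_text, skipped = convert_ndb(src)
    sys.stdout.write(yara_text)
    for lineno, sig, why in skipped:
        print(f"skipped line {lineno} ({sig}): {why}", file=sys.stderr)
```

Run it with no arguments to see the three sample rules on stdout and the one skipped signature (the `[1-3]` byte-position range, which has no Yara equivalent) on stderr. Whatever lands in the skipped list is exactly the set of signatures you would otherwise be opening in vim to clean up, so it is worth keeping that report next to the generated .yara file.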