v.1.2.0 of BinaryAlert is here! This version simplifies and hardens the BinaryAlert architecture, adds support for scanning UPX-packed binaries and PDFs, and adds more configuration options to customize your deployment.
Change Summary
- Adds support for scanning UPX-packed binaries and PDFs; `./manage.py live_test` now includes examples of both
- YARA rule source configuration is now much more expressive
- YARA match results reported to SNS now include the substring in the data that triggered the match
- Replace dispatcher Lambda function with SQS => Lambda event source mappings
- Improved retroactive analysis:
  - Replace batcher Lambda function with S3 inventory
  - Replace the `./manage.py analyze_all` command with `retro_fast` (to read the latest inventory) and `retro_slow` (to enumerate the bucket directly)
  - An ongoing retroactive analysis can be stopped with `./manage.py purge_queue`
- Dynamo, S3, and SQS resources are all server-side encrypted
- Improved support and documentation for using BinaryAlert to scan your existing S3 buckets.
- New advanced configuration options (`terraform/terraform.tfvars`):
  - You can add external S3 and KMS resources to the config file to grant permissions
  - The "BinaryAlert" cost tag added to all applicable AWS resources is now configurable
  - You can configure a second SNS topic to alert when a file does not match any YARA rules (thanks @goochi1!)
  - You can configure the retention for each SQS queue and set concurrency limits for the Lambda functions that poll them
- Upgraded requirements and dependencies
  - cbapi v1.3.4 => v1.3.6
  - terraform/aws-provider v1.5 => v1.30
  - yara-python v3.7.0 => 3.8.0
For the complete list of changes and issues closed, see the associated milestone.
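As an added illustration of what the inventory-driven `retro_fast` path involves (this is example code, not BinaryAlert's own; the manifest and the gzip'd CSV data file are constructed in memory, and the `fetch` callable stands in for an S3 GET), the snippet below reads an S3 inventory manifest.json, verifies each data file against the `MD5checksum` the manifest carries before trusting it, and yields the bucket keys a scanner would then queue. Note that inventory CSV rows have no header row and keys are URL-encoded, which is why `fileSchema` and `unquote` are used.

```python
"""Enumerate object keys from an S3 inventory report.

Added example, not BinaryAlert's own code: reads manifest.json, checks each
gzip'd CSV data file against its MD5checksum, and yields (key, size) pairs so a
retro scan never has to list the bucket itself.
"""
import csv
import gzip
import hashlib
import io
from typing import Callable, Dict, Iterator, List, Tuple
from urllib.parse import unquote


def iter_inventory_objects(manifest: dict, fetch: Callable[[str], bytes]) -> Iterator[Tuple[str, int]]:
    """Yield (object_key, size) for every row of a CSV-format inventory.

    ``manifest`` is the parsed manifest.json; ``fetch(key)`` returns the raw
    bytes of a data file listed in it (an S3 GET in production, a dict lookup here).
    """
    if manifest.get("fileFormat") != "CSV":
        raise ValueError("only CSV inventories are handled by this example")
    # fileSchema is the comma-separated header; the data rows themselves carry no header line
    columns = [c.strip() for c in manifest["fileSchema"].split(",")]
    key_idx, size_idx = columns.index("Key"), columns.index("Size")
    for data_file in manifest["files"]:
        blob = fetch(data_file["key"])
        # Refuse a data file whose content does not match what the manifest promised
        if hashlib.md5(blob).hexdigest() != data_file["MD5checksum"]:
            raise ValueError(f"checksum mismatch for inventory file {data_file['key']}")
        with gzip.open(io.BytesIO(blob), mode="rt", newline="") as handle:
            for row in csv.reader(handle):
                # Inventory keys are URL-encoded; decode before handing them to the scanner
                yield unquote(row[key_idx]), int(row[size_idx])


def build_sample() -> Tuple[dict, Callable[[str], bytes]]:
    """Construct a two-object inventory entirely in memory (sample data, not a real bucket)."""
    rows = [
        ["sample-bucket", "malware/sample%20one.exe", "1024", "2018-08-01T00:00:00.000Z"],
        ["sample-bucket", "docs/report.pdf", "2048", "2018-08-01T00:05:00.000Z"],
    ]
    text = io.StringIO()
    csv.writer(text, quoting=csv.QUOTE_ALL, lineterminator="\n").writerows(rows)
    blob = gzip.compress(text.getvalue().encode())
    data_key = "sample-bucket/inventory/data/part-0.csv.gz"
    manifest = {
        "sourceBucket": "sample-bucket",
        "fileFormat": "CSV",
        "fileSchema": "Bucket, Key, Size, LastModifiedDate",
        "files": [{"key": data_key, "size": len(blob), "MD5checksum": hashlib.md5(blob).hexdigest()}],
    }
    store: Dict[str, bytes] = {data_key: blob}
    return manifest, store.__getitem__


def sample_objects() -> List[Tuple[str, int]]:
    """Run the enumerator over the constructed inventory."""
    manifest, fetch = build_sample()
    return list(iter_inventory_objects(manifest, fetch))


def tampered_sample_raises() -> bool:
    """Flip one byte of the data file and confirm the checksum check rejects it."""
    manifest, fetch = build_sample()
    blob = bytearray(fetch(manifest["files"][0]["key"]))
    blob[-1] ^= 0xFF
    try:
        list(iter_inventory_objects(manifest, lambda _key: bytes(blob)))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for key, size in sample_objects():
        print(f"{size:>8}  {key}")
```

In a real deployment `fetch` would be a `get_object` call against the inventory destination bucket, and the keys yielded would be batched onto the SQS queue that the analyzer Lambda polls.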
Upgrading From v1.1.0
- The rule sources and Terraform variable files have changed their formats somewhat. We recommend cloning the new version of BinaryAlert and then manually copying over your existing config.
- 2 of the Lambda functions will be destroyed (dispatcher and batcher) - that's by design!
- WARNING: In order to encrypt the Dynamo table, it must be destroyed and re-created.
  - If you want the history of YARA matches from the table, export them before upgrading.
  - Alternatively, remove the `server_side_encryption` directive in `terraform/dynamo.tf` to keep the table the way it is.
  - Once the table is recreated, BinaryAlert will have no history of YARA matches, meaning it will think every YARA match is brand new. Your first retro scan will alert on every matching file.
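As an added example of the export step above (this is not BinaryAlert's own code), the script below walks a DynamoDB table with a paginated Scan and writes every item to a JSON Lines file. It assumes you hand it a scan callable shaped like boto3's `Table.scan` (keyword arguments in, a dict with `Items` and an optional `LastEvaluatedKey` out); the item fields are constructed and the scan callable is faked so the example runs offline.

```python
"""Export every item of a DynamoDB table to JSON Lines before an upgrade.

Added example, not BinaryAlert's own code. ``scan`` is any callable shaped like
boto3's ``Table.scan``; the records below are constructed, not a real match table.
"""
import json
import os
import tempfile
from decimal import Decimal
from typing import Any, Callable, Dict, Iterator, List, Tuple

ScanFn = Callable[..., Dict[str, Any]]


def scan_all(scan: ScanFn) -> Iterator[Dict[str, Any]]:
    """Follow LastEvaluatedKey until the table is exhausted (a Scan page is at most 1 MB)."""
    kwargs: Dict[str, Any] = {}
    while True:
        page = scan(**kwargs)
        yield from page.get("Items", [])
        last_key = page.get("LastEvaluatedKey")
        if not last_key:
            return
        kwargs["ExclusiveStartKey"] = last_key


def _json_default(value: Any) -> Any:
    # boto3 returns DynamoDB numbers as Decimal, which json cannot serialize on its own
    if isinstance(value, Decimal):
        return int(value) if value == value.to_integral_value() else float(value)
    raise TypeError(f"unserializable value {value!r}")


def export_table(scan: ScanFn, out_path: str) -> int:
    """Write one JSON object per line and return the number of items exported."""
    count = 0
    with open(out_path, "w", encoding="utf-8") as handle:
        for item in scan_all(scan):
            handle.write(json.dumps(item, default=_json_default, sort_keys=True) + "\n")
            count += 1
    return count


def fake_scan_factory(items: List[Dict[str, Any]], page_size: int) -> ScanFn:
    """Constructed stand-in for Table.scan so the example runs offline; pages like DynamoDB does."""
    def scan(**kwargs: Any) -> Dict[str, Any]:
        start = kwargs.get("ExclusiveStartKey", {}).get("_offset", 0)
        result: Dict[str, Any] = {"Items": items[start:start + page_size]}
        if start + page_size < len(items):
            result["LastEvaluatedKey"] = {"_offset": start + page_size}
        return result
    return scan


# Constructed sample rows; field names are illustrative, not BinaryAlert's real schema
SAMPLE_MATCHES: List[Dict[str, Any]] = [
    {"SHA256": "0" * 64, "AnalyzerVersion": Decimal(1), "MatchedRules": ["rule_a"]},
    {"SHA256": "1" * 64, "AnalyzerVersion": Decimal(1), "MatchedRules": ["rule_b", "rule_c"]},
    {"SHA256": "2" * 64, "AnalyzerVersion": Decimal(2), "MatchedRules": []},
]


def demo_export() -> Tuple[int, List[Dict[str, Any]]]:
    """Export the sample table through a 2-item page size and read the file back."""
    out_path = os.path.join(tempfile.mkdtemp(), "yara_matches.jsonl")
    count = export_table(fake_scan_factory(SAMPLE_MATCHES, page_size=2), out_path)
    with open(out_path, encoding="utf-8") as handle:
        rows = [json.loads(line) for line in handle]
    return count, rows


if __name__ == "__main__":
    exported, rows = demo_export()
    print(f"exported {exported} items; first key {rows[0]['SHA256']}")
```

Against a live table you would pass `boto3.resource("dynamodb").Table("<your-matches-table>").scan` as the scan callable (the table name is whatever your deployment used; a placeholder here) and keep the resulting file somewhere the upgraded stack can read, since the recreated table will start empty.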