What are these Linux Commands doing?
python ../../tools/Loki/loki.py -p .

So what this says is:
1. Go up 2 directories
2. Navigate from that location to tools > then to Loki
3. Open loki.py

Also: what exactly do `-p` and `.` mean? I was trying the `man python` command, but it said "no manual entry for Python." (I'm probably going to look for a Linux command cheat sheet later.)
Original Message question/reply from @DirtyJ (thanks): https://discord.com/channels/543652415870730240/580312632171692032/11284746268723160257
`-p` will be one of Loki's arguments: https://github.com/Neo23x0/Loki

`.` indicates the current directory (if you do `ls -al` you'll always see `.` and `..` for the current directory and the one above).
So basically `-p .` in that context tells loki.py to use the current directory as the path to scan.

Thanks, that helps a lot.
I found a guide. I'm still learning Linux and they touched on a few of the commands, but I don't think the course taught me how to use & string together all the commands you need to get the answers...which would explain why this was weirdly difficult.
https://medium.com/@haircutfish/tryhackme-yara-room-d279ccb5cbb3#:~:text=Based%20on%20the%20output%2C%20what%20string%20within%20the%20Yara%20rule%20did%20it%20match%20on%3F
Can I ask if, at a glance, you know what 1ndex.php is? Is that the same thing as the directory index, which I think all Linux directories have? If that's correct, I thought Yara calls went `yara <rulename>.yar <filename_being_scanned>`.

`yara 1ndex.php file2/file2.yar` - call from inside file2 directory.

Do I have the syntax backwards? And if I do, how does yara know where 1ndex.php is? Maybe it just runs by default in the current folder?
https://medium.com/@haircutfish/tryhackme-yara-room-d279ccb5cbb3#:~:text=Answer%3A%20yara%201ndex.php%20file2/file2.yar
1ndex.php would be a PHP script of some kind. As far as your understanding of syntax, you are correct: `<rulename>.yar <filename_being_scanned>` is the format, meaning the command would be `yara file2.yar file2/1ndex.php`. For some reason, the answer is swapped to `yara 1ndex.php file2/file2.yar`, I am unsure why though.

Thank you, I spent so long trying to figure that out. It was just wrong 🙄
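The two points the replies above make (relative paths such as `../../tools/Loki/loki.py` and `-p .` are resolved from the directory the shell is sitting in, and the yara CLI expects the rules file before the thing to scan) can be checked with the script below. This is an added example, not code from the thread, from Loki or from yara: the directory tree, the stub `loki.py`, the rule `file2/file2.yar` and the sample `file2/1ndex.php` are all constructed in a temporary directory, the `rooms/yara` and `tools` directory names are assumptions, and yara is only invoked if it happens to be installed.

```shell
#!/bin/sh
# Added example: how relative paths in the two commands from this thread are
# resolved from the shell's current directory. Everything here is constructed
# in a temporary directory; loki.py is a stub, not the real Loki scanner.

# make_tree: build the constructed layout and print its root.
#   $root/tools/Loki/loki.py          stub standing in for Loki
#   $root/rooms/yara/                 where the user types the commands
#   $root/rooms/yara/file2/file2.yar  constructed YARA rule
#   $root/rooms/yara/file2/1ndex.php  constructed PHP sample the rule matches
make_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/tools/Loki" "$root/rooms/yara/file2"
  printf 'print("stub loki.py, not the real scanner")\n' > "$root/tools/Loki/loki.py"
  cat > "$root/rooms/yara/file2/file2.yar" <<'EOF'
rule constructed_example
{
    strings:
        $marker = "constructed sample"
    condition:
        $marker
}
EOF
  printf '<?php echo "constructed sample"; ?>\n' > "$root/rooms/yara/file2/1ndex.php"
  echo "$root"
}

# resolve_path <cwd> <path>: print the absolute path a program started in <cwd>
# opens when handed <path>. "." and ".." are real directory entries (ls -al
# shows them), so cd-ing through them is exactly what the kernel does.
resolve_path() {
  if [ -d "$1/$2" ]; then
    ( cd "$1/$2" && pwd -P )
  else
    ( cd "$1/$(dirname "$2")" && printf '%s/%s\n' "$(pwd -P)" "$(basename "$2")" )
  fi
}

# yara_args_ok <cwd> <rules> <target>: the yara CLI wants the rules file first
# and the file or directory to scan second, both relative to <cwd>. Succeeds
# only when the first argument looks like a rules file and both paths exist.
yara_args_ok() {
  case "$2" in
    *.yar|*.yara) ;;
    *) return 1 ;;
  esac
  [ -f "$1/$2" ] && [ -e "$1/$3" ]
}

# run_yara_if_present <cwd> <rules> <target>: run yara when it is installed,
# otherwise just show the command that would run.
run_yara_if_present() {
  if command -v yara >/dev/null 2>&1; then
    ( cd "$1" && yara "$2" "$3" )
  else
    echo "yara not installed; would run: (cd $1 && yara $2 $3)"
  fi
}

demo() {
  root=$(make_tree)
  cwd="$root/rooms/yara"
  # "python ../../tools/Loki/loki.py -p ." typed in $cwd:
  echo "loki.py -> $(resolve_path "$cwd" ../../tools/Loki/loki.py)"
  echo "-p .    -> $(resolve_path "$cwd" .)"
  # yara from $cwd (not from inside file2): rules first, then the target.
  if yara_args_ok "$cwd" file2/file2.yar file2/1ndex.php; then
    echo "ok:  yara file2/file2.yar file2/1ndex.php"
    run_yara_if_present "$cwd" file2/file2.yar file2/1ndex.php
  fi
  if ! yara_args_ok "$cwd" 1ndex.php file2/file2.yar; then
    echo "bad: yara 1ndex.php file2/file2.yar (1ndex.php is not a rules file and is not in $cwd)"
  fi
  rm -rf "$root"
}

demo
```

Run it from any directory; `resolve_path` answers the "how does yara know where 1ndex.php is" question directly: the program knows nothing about directories, the shell's current directory is simply prepended to every relative argument, so the same `yara` line succeeds from inside `file2` and fails one level up.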