What are these Linux Commands doing?

C

Cyber Forum•7/12/23, 7:13 PM

This post has been indexed in our web forum and will be seen by search engines so other users can find it outside Discord

Your user profile is private by default and won't be visible to users outside Discord, if you want to be visible in the web forum you can add the "Public Profile" role in <id:customize>

You can mark a message as the answer for your post with

Right click -> Apps -> Mark Solution

Right click -> Apps -> Mark Solution

Right click -> Apps -> Mark Solution

Right click -> Apps -> Mark Solution
(if you don't see the option, try refreshing Discord with Ctrl + R)

D

DirtyJ•7/12/23, 7:19 PM

-p

-p

will be one of Loki's arguments:
https://github.com/Neo23x0/Loki

usage: loki.py [-h] [-p path] [-s kilobyte] [-l log-file] [-r remote-loghost]
               [-t remote-syslog-port] [-a alert-level] [-w warning-level]
               [-n notice-level] [--allhds] [--alldrives] [--printall]
               [--allreasons] [--noprocscan] [--nofilescan] [--vulnchecks]
               [--nolevcheck] [--scriptanalysis] [--rootkit] [--noindicator]
               [--dontwait] [--intense] [--csv] [--onlyrelevant] [--nolog]
               [--update] [--debug] [--maxworkingset MAXWORKINGSET]
               [--syslogtcp] [--logfolder log-folder] [--nopesieve]
               [--pesieveshellc] [--nolisten]
               [--excludeprocess EXCLUDEPROCESS] [--force]

usage: loki.py [-h] [-p path] [-s kilobyte] [-l log-file] [-r remote-loghost]
               [-t remote-syslog-port] [-a alert-level] [-w warning-level]
               [-n notice-level] [--allhds] [--alldrives] [--printall]
               [--allreasons] [--noprocscan] [--nofilescan] [--vulnchecks]
               [--nolevcheck] [--scriptanalysis] [--rootkit] [--noindicator]
               [--dontwait] [--intense] [--csv] [--onlyrelevant] [--nolog]
               [--update] [--debug] [--maxworkingset MAXWORKINGSET]
               [--syslogtcp] [--logfolder log-folder] [--nopesieve]
               [--pesieveshellc] [--nolisten]
               [--excludeprocess EXCLUDEPROCESS] [--force]

usage: loki.py [-h] [-p path] [-s kilobyte] [-l log-file] [-r remote-loghost]
               [-t remote-syslog-port] [-a alert-level] [-w warning-level]
               [-n notice-level] [--allhds] [--alldrives] [--printall]
               [--allreasons] [--noprocscan] [--nofilescan] [--vulnchecks]
               [--nolevcheck] [--scriptanalysis] [--rootkit] [--noindicator]
               [--dontwait] [--intense] [--csv] [--onlyrelevant] [--nolog]
               [--update] [--debug] [--maxworkingset MAXWORKINGSET]
               [--syslogtcp] [--logfolder log-folder] [--nopesieve]
               [--pesieveshellc] [--nolisten]
               [--excludeprocess EXCLUDEPROCESS] [--force]

usage: loki.py [-h] [-p path] [-s kilobyte] [-l log-file] [-r remote-loghost]
               [-t remote-syslog-port] [-a alert-level] [-w warning-level]
               [-n notice-level] [--allhds] [--alldrives] [--printall]
               [--allreasons] [--noprocscan] [--nofilescan] [--vulnchecks]
               [--nolevcheck] [--scriptanalysis] [--rootkit] [--noindicator]
               [--dontwait] [--intense] [--csv] [--onlyrelevant] [--nolog]
               [--update] [--debug] [--maxworkingset MAXWORKINGSET]
               [--syslogtcp] [--logfolder log-folder] [--nopesieve]
               [--pesieveshellc] [--nolisten]
               [--excludeprocess EXCLUDEPROCESS] [--force]

indicates the current directory (if you do

ls -al

ls -al

ls -al

ls -al you'll always see

and

..

..

..

.. for current directory and one above):

GitHub

GitHub - Neo23x0/Loki: Loki - Simple IOC and YARA Scanner

Loki - Simple IOC and YARA Scanner. Contribute to Neo23x0/Loki development by creating an account on GitHub.

FFoxsay `python ../../tools/Loki/loki.py -p .`, So what this says is: 1. Go up 2 direc...

D

DirtyJ•7/12/23, 7:22 PM

So basically

-p .

-p .

-p .

-p . in that context tells

loki.py

loki.py

loki.py

loki.py to use the current directory as the path to scan

N

near-sapphireOP•7/12/23, 7:49 PM

Thanks, that helps a lot.
I found a guide. I'm still learning Linux and they touched on a few of the commands, but I don't think the course taught me how to use & string together all the commands you need to get the answers...which would explain why this was weirdly difficult.
https://medium.com/@haircutfish/tryhackme-yara-room-d279ccb5cbb3#:~:text=Based%20on%20the%20output%2C%20what%20string%20within%20the%20Yara%20rule%20did%20it%20match%20on%3F

Medium

TryHackMe Yara Room

Learn the applications and language that is Yara for everything threat intelligence, forensics, and threat hunting!

N

near-sapphireOP•7/12/23, 9:36 PM

Can I ask if, at a glance, you know what 1ndex.php is? Is that the same thing as the directory index, which I think all Linux directories have? If that's correct, I thought Yara calls went

yara **<rulename>**.yar **<filename_being_scanned>**

yara **<rulename>**.yar **<filename_being_scanned>**

yara **<rulename>**.yar **<filename_being_scanned>**

yara **<rulename>**.yar **<filename_being_scanned>**.

yara 1ndex.php file2/file2.yar

yara 1ndex.php file2/file2.yar

yara 1ndex.php file2/file2.yar

yara 1ndex.php file2/file2.yar - call from inside file2 directory.

Do I have the syntax backwards? And if I do, how does yara know where 1index.php is? Maybe it just runs by default in the current folder?

https://medium.com/@haircutfish/tryhackme-yara-room-d279ccb5cbb3#:~:text=Answer%3A%20yara%201ndex.php%20file2/file2.yar

Medium

TryHackMe Yara Room

Learn the applications and language that is Yara for everything threat intelligence, forensics, and threat hunting!

C

Collin B.•7/12/23, 10:01 PM

1ndex.php would be a PHP script of some kind. As far as your understanding of syntax, you are correct

<rulename>**.yar **<filename_being_scanned>**

<rulename>**.yar **<filename_being_scanned>**

<rulename>**.yar **<filename_being_scanned>**

<rulename>**.yar **<filename_being_scanned>** is the format, meaning the command would be

yara file2.yar file2/1ndex.php

yara file2.yar file2/1ndex.php

yara file2.yar file2/1ndex.php

yara file2.yar file2/1ndex.php

For some reason, the answer is swapped to

yara 1ndex.php file2/file2.yar

yara 1ndex.php file2/file2.yar

yara 1ndex.php file2/file2.yar

yara 1ndex.php file2/file2.yar, I am unsure why though.

N

near-sapphireOP•7/13/23, 3:59 PM

Thank you, I spent so long trying to figure that out. It was just wrong

What are these Linux Commands doing?

Similar Threads

Similar Threads

Similar Threads