Question 1

How to bundle YARA rules with the Spyre binary?

Accepted Answer

You can append a ZIP file containing your YARA rules to the binary, use a same-named ZIP file, or place rules in the same directory. Encryption with password 'infected' is supported to avoid antivirus detection, as detailed in the README.

Question 2

Spyre vs Thor for IOC scanning?

Accepted Answer

Spyre is more lightweight and self-contained, ideal for quick deployments with custom rules, while Thor (by Nextron Systems) offers pre-configured checks and might be better for out-of-the-box comprehensive scans. Spyre requires users to bring their own YARA rules.

Question 3

Can Spyre be used for continuous monitoring?

Accepted Answer

No, Spyre is designed as a point-in-time investigation tool for incident responders. It lacks features for real-time, continuous endpoint protection or monitoring, as emphasized in its philosophy.

Question 4

How to output Spyre results in JSON format?

Accepted Answer

Configure the report target in spyre.yaml or via command line with '--report' specifying 'tsjson' format, which produces JSON compatible with Timesketch for forensic timeline analysis, as mentioned in the configuration section.

Question 5

What operating systems does Spyre run on?

Accepted Answer

Spyre builds and runs on 32-bit and 64-bit Linux and Windows. Building for MacOSX requires native tools and has no cross-compile support, as noted in the README, limiting its ease of use on Apple platforms.

Question 6

How does Spyre handle large files during scans?

Accepted Answer

Spyre has a configurable 'max-file-size' option (default 32MB) to limit scanning of large files with expensive modules like YARA, preventing performance issues and system disruption during investigations.

Spyre

What is Spyre?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions