Release build
cargo build --release
You can also strip symbols from the binary to reduce its size to roughly one half (make sure the GCC/MinGW bin folder is in Path):
strip target/release/ioc-checker-probe.exe
Building with Xargo (below) may greatly reduce the size of the binary executable at the cost of compilation times.
The steps below are taken from source, but I was unable to reproduce them yet.
Install Xargo and nightly compiler
$ rustup toolchain install nightly
$ rustup default nightly
$ rustup component add rust-src
$ cargo install xargo
Run rustc -vV and copy the value of the host key.
In my case the value is x86_64-pc-windows-gnu
Build using this command
xargo build --target x86_64-pc-windows-gnu --release
Be sure to replace the value of the --target parameter with your host value.
IocChecker needs to be configured first. Create the file settings.toml in the same directory as the executable with the following content:
server = "[IOC-SERVER URL]"
auth_probe_name = "[PROBE NAME]"
auth_key = "[API KEY]"
deep_search = false
max_iocs = 500
If you run the app without settings.toml it will create one automatically, but you still need to configure the settings.toml.
Options to configure are:
- server: the URL of the IOC server.
- auth_probe_name: the login name of this probe instance.
- auth_key: an API authentication key.
- deep_search: with value true, initiates a deep scan of all filesystems and registries. It also enables IOCs with regular expressions. Very slow.
- max_iocs: how many of the latest IOCs will be downloaded from the server. Set to -1 to download all IOCs.
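Since the auto-generated settings.toml still contains the bracketed placeholders, it is worth validating the file before the probe talks to any server. The following is an added example, not code from ioc-checker-probe: it parses the flat key = value subset of TOML the file uses and rejects placeholders, a non-positive max_iocs other than -1, and (an assumption of this example, not a requirement of the probe) a server URL that is not https://.

```rust
// Added example, not the probe's own code: validate settings.toml before use,
// rejecting the bracketed placeholders the auto-generated file ships with.
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub struct Settings {
    pub server: String,
    pub auth_probe_name: String,
    pub auth_key: String,
    pub deep_search: bool,
    pub max_iocs: i64,
}

/// Parse the flat `key = value` subset of TOML the settings file uses
/// (quoted strings, booleans, integers); no external crates needed.
fn parse_flat_toml(text: &str) -> HashMap<String, String> {
    text.lines()
        .map(str::trim)
        .filter(|l| !l.is_empty() && !l.starts_with('#'))
        .filter_map(|l| l.split_once('='))
        .map(|(k, v)| (k.trim().to_string(), v.trim().trim_matches('"').to_string()))
        .collect()
}

pub fn load_settings(text: &str) -> Result<Settings, String> {
    let kv = parse_flat_toml(text);
    let get = |k: &str| kv.get(k).cloned().ok_or_else(|| format!("missing key: {k}"));
    let (server, auth_probe_name, auth_key) = (get("server")?, get("auth_probe_name")?, get("auth_key")?);
    // Placeholders look like "[API KEY]": refuse to start rather than authenticate with them.
    for (k, v) in [("server", &server), ("auth_probe_name", &auth_probe_name), ("auth_key", &auth_key)] {
        if v.is_empty() || (v.starts_with('[') && v.ends_with(']')) {
            return Err(format!("{k} is still a placeholder"));
        }
    }
    // Assumption of this example (not enforced by the probe): the key rides on every request, so demand TLS.
    if !server.starts_with("https://") {
        return Err("server must be an https:// URL".into());
    }
    let deep_search = get("deep_search")?.parse::<bool>().map_err(|e| format!("deep_search: {e}"))?;
    let max_iocs = get("max_iocs")?.parse::<i64>().map_err(|e| format!("max_iocs: {e}"))?;
    if max_iocs != -1 && max_iocs <= 0 { // -1 means "download all"; otherwise it must be positive
        return Err("max_iocs must be -1 or a positive number".into());
    }
    Ok(Settings { server, auth_probe_name, auth_key, deep_search, max_iocs })
}

fn main() {
    // Constructed input: what the README shows the generated file to contain.
    let generated = "server = \"[IOC-SERVER URL]\"\nauth_probe_name = \"[PROBE NAME]\"\nauth_key = \"[API KEY]\"\ndeep_search = false\nmax_iocs = 500\n";
    println!("{:?}", load_settings(generated));
}
```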
Run the IocChecker as
ioc-checker-probe.exe --local [LIST-OF-IOC-FILES]
where [LIST-OF-IOC-FILES] denotes local IOC files in JSON format separated by whitespace.
Run the IocChecker with one or more options:
- --dis-cert: disables certificate checking
- --dis-conn: disables open network connections checking
- --dis-dns: disables DNS checking
- --dis-file: disables file checking
- --dis-mutex: disables mutex checking
- --dis-proc: disables process checking
- --dis-reg: disables registry checking