mirror of
https://github.com/empayre/fleet.git
synced 2024-11-06 08:55:24 +00:00
17 lines
450 B
YAML
17 lines
450 B
YAML
name: yara
|
|
examples: >-
|
|
Look for files under `/root` that match a Yara signature. This example uses the [EICAR test file](https://www.eicar.org/download-anti-malware-testfile/).
|
|
|
|
```
|
|
|
|
SELECT * FROM yara WHERE path like '/root/%%' AND sigrule IN (
|
|
'rule eicar {
|
|
strings:
|
|
$s1 = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*" fullword ascii
|
|
condition:
|
|
all of them
|
|
}'
|
|
) AND matches='eicar';
|
|
|
|
```
|