Linux Pnscan

yara/thor-hacktools.yar

@@ -4555,3 +4555,17 @@ rule SUSP_Katz_PDB {
    condition:
       uint16(0) == 0x5a4d and filesize < 6000KB and all of them
 }
+
+rule HKTL_LNX_Pnscan {
+   meta:
+      description = "Detects Pnscan port scanner"
+      author = "Florian Roth"
+      reference = "https://github.com/ptrrkssn/pnscan"
+      date = "2019-05-27"
+      score = 55
+   strings:
+      $x1 = "-R<hex list>   Hex coded response string to look for." fullword ascii
+      $x2 = "This program implements a multithreaded TCP port scanner." ascii wide
+   condition:
+      filesize < 6000KB and 1 of them
+}