Florian Roth
06eaa56e82
HWP incident filename IOC
2019-02-07 09:48:39 +01:00
Florian Roth
ec6bcf6edd
Changed filename
2019-02-07 09:48:08 +01:00
Florian Roth
abddb56a94
Filename IOC: ntds.dit in uncommon location
2019-02-07 08:37:13 +01:00
Florian Roth
75f01d8fa8
update: rule info
2019-02-05 19:56:15 +01:00
Florian Roth
ca3960b70e
Merge pull request #58 from JohnLaTwC/patch-9
...
Create gen_libre_office_CVE_2018_16858.yar
2019-02-05 19:54:33 +01:00
Florian Roth
97d70bf8d2
update: rule info
2019-02-05 19:49:39 +01:00
Florian Roth
506a0a1b1b
FP Filename IOC Oracle exclude
2019-02-05 19:49:17 +01:00
Florian Roth
312f78bfa3
Minor changes: rule name, nocase, removed size
2019-02-05 17:01:41 +01:00
John Lambert
2199580487
Create gen_libre_office_CVE_2018_16858.yar
2019-02-05 07:20:56 -08:00
Florian Roth
74c8970f95
Suspicious Katz.PDB
2019-02-05 09:11:43 +01:00
Florian Roth
fbe8852a9a
Extended suspicious LNK file content rule
2019-02-05 09:11:33 +01:00
Florian Roth
146d0e9ae1
Suspicious big LNK file
2019-02-05 09:11:16 +01:00
Florian Roth
30352f327e
ExileRAT
...
https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html
2019-02-04 20:44:06 +01:00
Florian Roth
42515d34db
CSV signature base rules
2019-02-02 17:14:44 +01:00
Florian Roth
0ee2f3d05f
New Crypto Coin miner rule
2019-02-02 17:14:44 +01:00
Florian Roth
925aed89f5
Rule extraction with private rule mjolnir
2019-02-02 17:14:44 +01:00
Florian Roth
42dba65c04
.gitignore update
2019-02-02 17:14:44 +01:00
Florian Roth
e99f7237f2
Rule improvements
2019-02-02 17:14:44 +01:00
Florian Roth
814a2593cd
Merge pull request #57 from JohnLaTwC/patch-8
...
Update gen_macro_ShellExecute_action.yar
2019-02-01 18:14:45 +01:00
John Lambert
7bfd6e14da
Update gen_macro_ShellExecute_action.yar
2019-01-31 19:38:50 -08:00
Florian Roth
4dafd62d5e
APT DNS Hijacking campaign AA19-024A
...
https://www.us-cert.gov/ncas/alerts/AA19-024A
2019-01-29 15:31:54 +01:00
Florian Roth
6332f7c6ca
Kitty Fork Putty FP
2019-01-29 15:31:54 +01:00
Florian Roth
6777dc3d3d
Merge pull request #56 from zachsis/patch-1
...
typo was causing build-rules.py to fail
2019-01-29 11:14:53 +01:00
Florian Roth
eff526f28c
Removed trailing space
...
Fixed multiline editing issue
2019-01-29 11:14:36 +01:00
zachsis
bdf163dee3
typo was causing build-rules.py to fail
...
Validated as fixed after this change.
INFO:root:Compiling Filename IOCs from filename-iocs.txt
Traceback (most recent call last):
File "build-rules.py", line 132, in initialize_filename_iocs
fioc = {'regex': re.compile(regex), 'score': score, 'description': desc, 'regex_fp': regex_fp_comp}
File "/usr/lib64/python3.6/re.py", line 233, in compile
return _compile(pattern, flags)
File "/usr/lib64/python3.6/re.py", line 301, in _compile
p = sre_compile.compile(pattern, flags)
File "/usr/lib64/python3.6/sre_compile.py", line 562, in compile
p = sre_parse.parse(p, flags)
File "/usr/lib64/python3.6/sre_parse.py", line 855, in parse
p = _parse_sub(source, pattern, flags & SRE_FLAG_VERBOSE, 0)
File "/usr/lib64/python3.6/sre_parse.py", line 416, in _parse_sub
not nested and not items))
File "/usr/lib64/python3.6/sre_parse.py", line 502, in _parse
code = _escape(source, this, state)
File "/usr/lib64/python3.6/sre_parse.py", line 401, in _escape
raise source.error("bad escape %s" % escape, len(escape))
sre_constants.error: bad escape \e at position 9
ERROR:root:Error reading line: \\regsys.\exe ;60
2019-01-28 12:03:35 -07:00
Florian Roth
7564e6e8e6
False Positive Reduction
...
https://github.com/Neo23x0/signature-base/issues/54
2019-01-24 11:03:01 +01:00
Florian Roth
b5f6c82040
Suspicious RTF header anomaly
2019-01-20 17:36:32 +01:00
Florian Roth
e3bee33094
False Positive Reduction
2019-01-20 17:36:18 +01:00
Florian Roth
caef03b95b
fix: moved lsadump rule from general rules to the ext vars file
2019-01-19 12:22:32 +01:00
Florian Roth
c7b875a932
chore: build with YARA 3.8.1
2019-01-17 13:20:54 +01:00
Florian Roth
ccd0b61cfd
bugfix: PowerShell_Susp_Parameter_Combo
2019-01-17 13:18:07 +01:00
Florian Roth
ca7f252dc0
False Positive Reduction
2019-01-17 13:12:39 +01:00
Florian Roth
a5bcf62416
Merge pull request #53 from jbeley/master
...
Added rules for a tiny webshell and a Go-based htran variant
2019-01-16 21:09:45 +01:00
Florian Roth
c0b0167e7b
That's great
2019-01-16 19:29:40 +01:00
Florian Roth
e1262a718e
I'd adjust it like that
2019-01-16 19:27:29 +01:00
Florian Roth
a694d81eee
Cold River Filename IOCs
2019-01-16 18:57:40 +01:00
Jeff Beley
3fa7540094
Added rules for a tiny webshell and a Go-based htran variant
2019-01-16 10:58:25 -06:00
Florian Roth
32182ab8ff
Nitol Malware
2019-01-14 11:20:18 +01:00
Florian Roth
3d1b054f3e
Travis CI build notifications only on changes
2019-01-13 09:39:01 +01:00
Florian Roth
baaa280ee0
False Positive Hash
2019-01-13 09:35:17 +01:00
Florian Roth
8c7e07780e
Merge pull request #51 from cnotin/patch-1
...
gen_bad_pdf.yar: fix detection of Metasploit generated files
2019-01-10 11:31:08 +01:00
Florian Roth
6d0e6bc997
Update gen_bad_pdf.yar
2019-01-10 11:28:31 +01:00
Clément Notin
a61ab94eff
gen_bad_pdf.yar: fix detection of Metasploit generated files
2019-01-10 10:49:55 +01:00
Florian Roth
73811a6b45
Merge pull request #50 from JohnLaTwC/patch-7
...
Create gen_macro_ShellExecute_action.yar
2019-01-08 23:00:36 +01:00
John Lambert
0de78e6654
Create gen_macro_ShellExecute_action.yar
...
Rule finds VBA macro samples that use the ShellExecute "evasion" method specified in the tweet mentioned in the rule.
2019-01-08 12:22:19 -08:00
Florian Roth
4349f58d37
Score adjustments
2019-01-08 09:18:54 +01:00
Florian Roth
9a0e7a44fb
Cryp RAT
2019-01-08 09:18:45 +01:00
Florian Roth
7216c088b0
JAVA class with VBS content
2019-01-07 13:28:06 +01:00
Florian Roth
c3b87a7be2
Filename IOC adjusted
2019-01-07 13:27:50 +01:00
Florian Roth
6d9577a703
Putty abnormal file sizes
2019-01-07 13:27:31 +01:00