Commit Graph

941 Commits

Author SHA1 Message Date
Florian Roth
eff526f28c
Removed trailing space
Fixed multiline editing issue
2019-01-29 11:14:36 +01:00
zachsis
bdf163dee3
typo was causing build-rules.py to fail
Validated fix after this change.

INFO:root:Compiling Filename IOCs from filename-iocs.txt
Traceback (most recent call last):
  File "build-rules.py", line 132, in initialize_filename_iocs
    fioc = {'regex': re.compile(regex), 'score': score, 'description': desc, 'regex_fp': regex_fp_comp}
  File "/usr/lib64/python3.6/re.py", line 233, in compile
    return _compile(pattern, flags)
  File "/usr/lib64/python3.6/re.py", line 301, in _compile
    p = sre_compile.compile(pattern, flags)
  File "/usr/lib64/python3.6/sre_compile.py", line 562, in compile
    p = sre_parse.parse(p, flags)
  File "/usr/lib64/python3.6/sre_parse.py", line 855, in parse
    p = _parse_sub(source, pattern, flags & SRE_FLAG_VERBOSE, 0)
  File "/usr/lib64/python3.6/sre_parse.py", line 416, in _parse_sub
    not nested and not items))
  File "/usr/lib64/python3.6/sre_parse.py", line 502, in _parse
    code = _escape(source, this, state)
  File "/usr/lib64/python3.6/sre_parse.py", line 401, in _escape
    raise source.error("bad escape %s" % escape, len(escape))
sre_constants.error: bad escape \e at position 9
ERROR:root:Error reading line: \\regsys.\exe ;60
2019-01-28 12:03:35 -07:00
Florian Roth
7564e6e8e6 False Positive Reduction
https://github.com/Neo23x0/signature-base/issues/54
2019-01-24 11:03:01 +01:00
Florian Roth
b5f6c82040 Suspicious RTF header anomaly 2019-01-20 17:36:32 +01:00
Florian Roth
e3bee33094 False Positive Reduction 2019-01-20 17:36:18 +01:00
Florian Roth
caef03b95b fix: moved lsadump rule from general rules to the ext vars file 2019-01-19 12:22:32 +01:00
Florian Roth
c7b875a932 chore: build with YARA 3.8.1 2019-01-17 13:20:54 +01:00
Florian Roth
ccd0b61cfd bugfix: PowerShell_Susp_Parameter_Combo 2019-01-17 13:18:07 +01:00
Florian Roth
ca7f252dc0 False Positive Reduction 2019-01-17 13:12:39 +01:00
Florian Roth
a5bcf62416
Merge pull request #53 from jbeley/master
Added rules for a tiny webshell and a go based htran variant
2019-01-16 21:09:45 +01:00
Florian Roth
c0b0167e7b That's great 2019-01-16 19:29:40 +01:00
Florian Roth
e1262a718e I'd adjust it like that 2019-01-16 19:27:29 +01:00
Florian Roth
a694d81eee Cold River Filename IOCs 2019-01-16 18:57:40 +01:00
Jeff Beley
3fa7540094 Added rules for a tiny webshell and a go based htran variant 2019-01-16 10:58:25 -06:00
Florian Roth
32182ab8ff Nitol Malware 2019-01-14 11:20:18 +01:00
Florian Roth
3d1b054f3e Travis CI build notifications only on changes 2019-01-13 09:39:01 +01:00
Florian Roth
baaa280ee0 False Positive Hash 2019-01-13 09:35:17 +01:00
Florian Roth
8c7e07780e
Merge pull request #51 from cnotin/patch-1
gen_bad_pdf.yar: fix detection of Metasploit generated files
2019-01-10 11:31:08 +01:00
Florian Roth
6d0e6bc997 Update gen_bad_pdf.yar 2019-01-10 11:28:31 +01:00
Clément Notin
a61ab94eff gen_bad_pdf.yar: fix detection of Metasploit generated files 2019-01-10 10:49:55 +01:00
Florian Roth
73811a6b45
Merge pull request #50 from JohnLaTwC/patch-7
Create gen_macro_ShellExecute_action.yar
2019-01-08 23:00:36 +01:00
John Lambert
0de78e6654
Create gen_macro_ShellExecute_action.yar
Rule finds VBA macro samples that use the ShellExecute "evasion" method specified in the tweet mentioned in the rule.
2019-01-08 12:22:19 -08:00
Florian Roth
4349f58d37 Score adjustments 2019-01-08 09:18:54 +01:00
Florian Roth
9a0e7a44fb Cryp RAT 2019-01-08 09:18:45 +01:00
Florian Roth
7216c088b0 JAVA class with VBS content 2019-01-07 13:28:06 +01:00
Florian Roth
c3b87a7be2 Filename IOC adjusted 2019-01-07 13:27:50 +01:00
Florian Roth
6d9577a703 Putty abnormal file sizes 2019-01-07 13:27:31 +01:00
Florian Roth
03f109c14e Improved script obfuscation rule 2019-01-03 11:04:14 +01:00
Florian Roth
9eec73061a APT28 Zebrocy Golang Loader by @VK_Intel
https://www.vkremez.com/2018/12/lets-learn-progression-of-apt28sofacy.html
2019-01-02 09:19:09 +01:00
Florian Roth
d26a5045d9 Ryuk Ransomware 2018-12-31 14:56:56 +01:00
Florian Roth
2fb2bd2481 fix: removed duplicate rule 2018-12-29 17:00:19 +01:00
Florian Roth
b6920c0d0c Moved NK miner to generic list 2018-12-29 09:31:57 +01:00
Florian Roth
82a91c8d6c Update on crypto coin miner 2018-12-29 09:31:14 +01:00
Florian Roth
819c4f2ac5 fix: missing "pe" import 2018-12-29 09:20:24 +01:00
Florian Roth
0b96d7131d APT10 rule update with imphash rule 2018-12-29 09:17:56 +01:00
Florian Roth
900796dcdf Hacktool NoPowerShell 2018-12-28 14:57:03 +01:00
Florian Roth
046b5736d0 YARA rule description cleanup 2018-12-28 12:38:31 +01:00
Florian Roth
5710d22af2 APT10 IOCs - all publicly available IOCs from AlienVault OTX 2018-12-28 12:38:08 +01:00
Florian Roth
cf85a7cd31 YARA rule svchosts 2018-12-22 09:12:34 +01:00
Florian Roth
4f666da806 Reference to Valhalla rule feed 2018-12-22 09:11:51 +01:00
Florian Roth
72eaa194ae Area1 Phishing Diplomacy Rules 2018-12-19 19:17:51 +01:00
Florian Roth
f73324aa1a Minor adjustments in gen_malware_MacOS_plist_suspicious rule 2018-12-16 10:10:42 +01:00
Florian Roth
dd044b0278
Merge pull request #48 from JohnLaTwC/patch-6
Detect suspicious MacOS launch agent config files
2018-12-16 09:53:17 +01:00
John Lambert
bd8185482f
Detect suspicious MacOS launch agent config files
plist files contain configuration for user-specific background jobs in OSX. Malware abuses this feature for persistence. Coin miners have been seen to use this feature as well.
2018-12-14 13:55:31 -08:00
Florian Roth
13b238f39f Fixed character formatting to wide in SUSP_Scheduled_Task_BigSize 2018-12-14 08:58:10 +01:00
Florian Roth
1b959e2a3b False Positives on Exchange with SUSP_Scheduled_Task_BigSize 2018-12-14 08:55:48 +01:00
Florian Roth
e4dd8c610c Fixed some dates 2018-12-14 08:55:27 +01:00
Florian Roth
37582f20d3 Removed duplicates that appear 3 times in list 2018-12-13 14:25:24 +01:00
Florian Roth
e118b0c92e Rule: Powershell Obfuscation 2018-12-13 14:25:01 +01:00
Florian Roth
826446a785 Low scoring rule: Anomaly - Linux UPX compressed binaries 2018-12-13 14:24:41 +01:00