Signature base for my scanner tools

Signature-Base

Signature-Base is the YARA signature and IOC database for our scanners LOKI and THOR Lite.

Focus of Signature-Base

  1. High quality YARA rules and IOCs with minimal false positives
  2. Clear structure
  3. Consistent rule format

Directory Structure

  • iocs - Simple IOC files (CSV)
  • yara - YARA rules
  • threatintel - Threat Intel API Receiver (MISP, OTX)
  • misc - Other input files (not IOCs or signatures)

External Variables in YARA Rules

Some of the rules rely on external variables that LOKI and THOR Lite define at scan time. Using those rules in any other tool causes compile errors stating an undefined identifier. The rules that make use of external variables have been moved to the following 4 rule set files:

  • ./yara/generic_anomalies.yar
  • ./yara/general_cloaking.yar
  • ./yara/thor_inverse_matches.yar
  • ./yara/yara_mixed_ext_vars.yar
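To illustrate the error described above, here is a constructed rule (added here, not one of the repository's rules) that depends on an external variable, together with the way a scanner supplies it; the variable name `filename` and the sample value are assumptions for this example.

```yara
/*
  Constructed example, not part of signature-base.

  The condition references the external variable "filename". A scanner that
  does not define it stops at compile time with:
      error: undefined identifier "filename"

  The yara command line supplies it with --define / -d:
      yara -d filename=invoice.pdf ext_var_demo.yar invoice.pdf
  yara-python supplies it through the externals argument:
      yara.compile(filepath="ext_var_demo.yar", externals={"filename": "invoice.pdf"})
*/
rule ext_var_demo
{
    meta:
        description = "Demo: PE image stored under a non-executable file name"
        note = "Constructed example; the external variable name is an assumption"
    condition:
        // "MZ" at offset 0 marks a PE image (0x4D 0x5A read as little-endian uint16)
        uint16(0) == 0x5A4D
        // flag only when the file name does not carry a typical executable extension
        and not filename matches /\.(exe|dll|sys|scr|ocx|cpl|drv)$/i
}
```

A scanner that always defines the variables the rule set expects will compile the file cleanly; one that does not must pass them explicitly or exclude these four files.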

High Quality YARA Rules Feed

If you liked my rules, please check our commercial rule set and rule feed service, which contains better rules and 20 times as many of them.

FAQs

How can I report false positives?

Use the issues section of this repository.

How can I provide a YARA rule or IOCs?

I accept pull requests. See this thread for some help on how to create such a request.

What are the differences between THOR Lite and LOKI?

See our comparison table here.

License

All signatures and IOC files in this repository, except the YARA rules created by 3rd parties, are licensed under the Creative Commons Attribution-NonCommercial 4.0 International License.

The license of this repository changed in August 2018. All forks or copies of this repository that were created before August 26th of 2018 are licensed under GPL 3.0. You can find the last GPL version in the release section.