mirror of
https://github.com/valitydev/signature-base.git
synced 2024-11-06 18:15:20 +00:00
28 lines
1.0 KiB
Plaintext
28 lines
1.0 KiB
Plaintext
|
|
rule SUSP_TINY_PE {
|
|
meta:
|
|
description = "Detects Tiny PE file"
|
|
author = "Florian Roth"
|
|
reference = "https://webserver2.tecgraf.puc-rio.br/~ismael/Cursos/YC++/apostilas/win32_xcoff_pe/tyne-example/Tiny%20PE.htm"
|
|
date = "2019-10-23"
|
|
score = 80
|
|
strings:
|
|
$header = { 4D 5A 00 00 50 45 00 00 }
|
|
condition:
|
|
uint16(0) == 0x5a4d and uint16(4) == 0x4550 and filesize <= 20KB and $header at 0
|
|
}
|
|
|
|
rule SUSP_GIF_Anomalies {
|
|
meta:
|
|
description = "Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type"
|
|
author = "Florian Roth"
|
|
score = 60
|
|
reference = "https://en.wikipedia.org/wiki/GIF"
|
|
date = "2020-07-02"
|
|
condition:
|
|
uint16(0) == 0x4947 and uint8(2) == 0x46 /* GIF */
|
|
and uint8(11) != 0x00 /* Background Color Index != 0 */
|
|
and uint8(12) != 0x00 /* Pixel Aspect Ratio != 0 */
|
|
and uint8(filesize-1) != 0x3b /* Trailer (trailes are often 0x00 byte padded and cannot server as sole indicator) */
|
|
}
|