Overview
These are notes for myself.
YARA rules
Base sample
rule sample{
    meta:
        description = "description"
        author = "me"
    strings:
        $string1 = "strings go here"
        $string2 = { 4D 5A } // hex strings here
        // two slashes is a comment
    condition:
        all of them // or $string1 and $string2
}
Search for strings
rule rule_one{
    strings:
        $string1 = "The system is LOCKED."
        $string2 = "The network is OPENED."
    condition:
        all of them
}
Compute and compare a hash
import "hash"
rule rule_two{
    condition:
        // the hash module returns a lowercase hex string; compare with ==, not =
        // hash.sha256(0, filesize) == "654ba9156f4bdd5a9d9be56203f9b367fa2fc"
        hash.sha1(0, filesize) == "ef1931245400c676d86b20ef0652d417a471ab2f"
}
Search for byte sequences
rule rule_three{
    strings:
        $string1 = { 75 2c 23 8d 34 af 48 8d 55 af 23 8d 67 27 }
        $string2 = { 51 52 53 }
    condition:
        all of them // or $string1 and $string2
}
Find MZ-format (DOS/PE) files
rule rule_exe{
    condition:
        // uint32() reads little-endian, so the bytes 4D 5A 90 00 ("MZ" plus the usual
        // DOS stub bytes) read as 0x00905a4d. This is narrower than the uint16 check
        // below, which matches any MZ header regardless of bytes 2..3.
        uint32(0) == 0x00905a4d
        // uint16(0) == 0x5a4d
        // PE signature: its offset is not fixed, it is read from e_lfanew at 0x3c
        // uint32(uint32(0x3c)) == 0x00004550
}
Search for a domain
rule rule_domain{
    strings:
        // ".domain" is a placeholder for the TLD/suffix you are hunting for
        $spacejam = /[a-zA-Z0-9.]{1,50}\.domain/
    condition:
        all of them
}
Find zip files
rule rule_zip{
    condition:
        // local file header "PK\x03\x04" read as a little-endian uint32
        uint32(0) == 0x04034b50
}
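The MZ and zip rules above depend on how YARA's uint16()/uint32() read bytes: little-endian, and a read past the end of the file simply makes the condition false. The following is an added example, not code from the original notes, that emulates those two functions in plain Python and runs the rule_exe and rule_zip conditions over constructed sample buffers. It shows why uint32(0) == 0x00905a4d misses a valid PE whose DOS header has different bytes at offsets 2..3, and why the PE signature must be located through e_lfanew at 0x3c rather than a fixed offset. The helper names (uint16, uint32, is_pe, classify, make_pe) and all sample buffers are assumptions made for this example; the samples are not real files.

```python
import struct

# Added example (not from the original notes): emulate YARA's integer
# functions so the page's conditions can be run in plain Python.

def uint16(data: bytes, offset: int):
    """YARA-style uint16(offset): little-endian, None if out of range."""
    if offset < 0 or offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]

def uint32(data: bytes, offset: int):
    """YARA-style uint32(offset): little-endian, None if out of range."""
    if offset < 0 or offset + 4 > len(data):
        return None
    return struct.unpack_from("<I", data, offset)[0]

def is_mz_narrow(data: bytes) -> bool:
    """The page's rule_exe: 'MZ' followed by the usual DOS stub bytes 90 00."""
    return uint32(data, 0) == 0x00905A4D

def is_mz(data: bytes) -> bool:
    """Any MZ header: uint16(0) == 0x5a4d."""
    return uint16(data, 0) == 0x5A4D

def is_pe(data: bytes) -> bool:
    """MZ header whose e_lfanew (offset 0x3c) points at 'PE\\0\\0':
    uint32(uint32(0x3c)) == 0x00004550 in YARA syntax."""
    if not is_mz(data):
        return False
    e_lfanew = uint32(data, 0x3C)
    if e_lfanew is None:
        return False
    return uint32(data, e_lfanew) == 0x00004550

def is_zip(data: bytes) -> bool:
    """The page's rule_zip: local file header 'PK\\x03\\x04'."""
    return uint32(data, 0) == 0x04034B50

def classify(data: bytes) -> str:
    """'pe', 'mz' (MZ header but no valid PE signature), 'zip' or 'unknown'."""
    if is_pe(data):
        return "pe"
    if is_mz(data):
        return "mz"
    if is_zip(data):
        return "zip"
    return "unknown"

def make_pe(stub_bytes: bytes, e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal PE-like buffer (not a real executable): 'MZ',
    two DOS-header bytes, e_lfanew at 0x3c, and 'PE\\0\\0' at e_lfanew."""
    buf = bytearray(e_lfanew + 4)
    buf[0:2] = b"MZ"
    buf[2:4] = stub_bytes
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    return bytes(buf)

def make_bad_lfanew() -> bytes:
    """Constructed MZ header whose e_lfanew points far outside the buffer."""
    buf = bytearray(0x40)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x7FFFFFF0)
    return bytes(buf)

# Constructed samples for this example; none of them are real files.
SAMPLES = {
    "pe_usual_stub": make_pe(b"\x90\x00"),       # 4D 5A 90 00 ... matches rule_exe
    "pe_other_stub": make_pe(b"\x00\x00"),       # valid PE, bytes 2..3 differ
    "dos_only": b"MZ\x90\x00" + b"\x00" * 0x40,  # MZ header, e_lfanew == 0
    "bad_lfanew": make_bad_lfanew(),             # e_lfanew beyond end of file
    "zip": b"PK\x03\x04" + b"\x00" * 26,
    "pdf_text": b"%PDF-1.7 not an executable",
    "truncated": b"MZ",                          # too short for uint32(0x3c)
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:14s} narrow_mz={is_mz_narrow(data)!s:5s} "
              f"pe={is_pe(data)!s:5s} -> {classify(data)}")
```

Running it shows "pe_other_stub" classified as a PE while is_mz_narrow() rejects it, and the out-of-range cases ("bad_lfanew", "truncated") falling through to "mz" without raising, which is the same false-not-error behaviour YARA gives an out-of-bounds uint32() read.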
Find files that contain macros
rule rule_ms_word_macro{
    strings:
        // OLE2 / Compound File Binary header (legacy .doc/.xls/.ppt containers)
        $magic_ole = { d0 cf 11 e0 a1 b1 1a e1 }
        $vba_stream = "VBA" ascii
        $macros_dir = "Macros" ascii
        $autoopen = "AutoOpen" ascii
    condition:
        // anchor the magic at offset 0 so a stray copy of the header elsewhere does not match
        $magic_ole at 0 and ($vba_stream or $macros_dir or $autoopen)
}
Add a file size condition and find PDF files
rule rule_pdf_size{
    strings:
        $author = "me"
        $magic = { 25 50 44 46 } // "%PDF"; use "$magic at 0" if you want it only at the start
    condition:
        filesize < 200KB and all of them
}