diff --git a/debugging/missing-alerts.rst b/debugging/missing-alerts.rst index fc01c28..4ae6351 100644 --- a/debugging/missing-alerts.rst +++ b/debugging/missing-alerts.rst @@ -60,7 +60,7 @@ It happens very often that users that prepare custom IOCs or YARA rules forget to include the correct keyword in the filename of the IOC or YARA rule file. -The correct use of keywords is described in the chapters :ref:`signatures/ioc-formats:Simple IOC files` +The correct use of keywords is described in the chapters :ref:`signatures/ioc-formats:Simple IOC files (deprecated)` for IOCs and :ref:`signatures/yara:YARA Rules` for YARA rules. A wrong or missing keyword leads to situations in which a file that contains diff --git a/signatures/ioc-formats.rst b/signatures/ioc-formats.rst index 157989c..1eaf390 100644 --- a/signatures/ioc-formats.rst +++ b/signatures/ioc-formats.rst @@ -59,8 +59,8 @@ They must have the `.yml` extension, or, if encrypted, the `.yms` extension. # - mutexes # - events -Simple IOC files -~~~~~~~~~~~~~~~~ +Simple IOC files (deprecated) +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Simple IOC files are basically CSV files that include the IOC and comments. Simple IOC files must have the extension ``.txt``. @@ -86,7 +86,7 @@ The following tags for simple IOCs are currently supported: * "**keyword**" or "**keywords**" - * for :ref:`signatures/ioc-types:Keywords` + * for :ref:`signatures/ioc-types:Keywords (deprecated)` * "**trusted-hash**" or "**trusted-hashes**" or "**falsepositive-hash**" or "**falsepositive-hashes**" diff --git a/signatures/ioc-types.rst b/signatures/ioc-types.rst index 72c47ea..54db3f9 100644 --- a/signatures/ioc-types.rst +++ b/signatures/ioc-types.rst 
@@ -20,7 +20,7 @@ IOC Types IOCs are indicators of compromise that are applied during a scan. They are categorized based on their :ref:`signatures/ioc-types:IOC types`, and can be specified -as either :ref:`signatures/ioc-formats:YAML IOC files` or :ref:`signatures/ioc-formats:Simple IOC files`. +as either :ref:`signatures/ioc-formats:YAML IOC files` or :ref:`signatures/ioc-formats:Simple IOC files (deprecated)`. All IOCs are text based and can either be regular expressions or plain strings. Furthermore, each IOC has: @@ -46,6 +46,8 @@ Hash IOC must be MD5, SHA1, SHA256, or PE import hashes. They are applied to: - the hashes of all files that THOR scans - Hashes in the Amcache that THOR finds +Hash IOCs are always applied case insensitively and regex hash IOCs are not supported. + File Names ---------- @@ -56,8 +58,8 @@ score of well-known files and locations, by using negative scores. Filename IOCs are applied to _all_ fields of all objects that THOR encounters. -Keywords --------- +Keywords (deprecated) +--------------------- .. warning:: Keyword IOCs are deprecated. If you use keyword IOCs, consider switching to
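Review bot: in the debugging/missing-alerts.rst hunk (and again in the ioc-formats.rst keyword hunk), the cross-references are bound to the literal heading text, so renaming a heading to append "(deprecated)" forces edits in every file that links to it. Consider giving these sections explicit labels (for example ``.. _simple-ioc-files:`` above the heading and ``:ref:`simple-ioc-files``` at the call sites) so that future wording changes to a heading do not silently break or require re-touching references in other chapters.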
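Review bot: the signatures/ioc-formats.rst hunk marks "Simple IOC files" as deprecated in the heading only; the section body still opens with "Simple IOC files are basically CSV files that include the IOC and comments." and gives no deprecation notice or migration target. The keywords section in signatures/ioc-types.rst already uses a ``.. warning:: Keyword IOCs are deprecated.`` block for the same purpose; add an equivalent warning directly under the renamed heading that states the format is deprecated and points users to the YAML IOC files described earlier in the same chapter, otherwise readers who land on the section by search will not learn why it is deprecated or what to use instead.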
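Review bot: the signatures/ioc-types.rst hash hunk adds "Hash IOCs are always applied case insensitively and regex hash IOCs are not supported." while the preceding hunk in the same file leaves the general statement "All IOCs are text based and can either be regular expressions or plain strings." unchanged. The two now contradict each other. Qualify the general sentence (for example "can either be regular expressions or plain strings, except for hash IOCs, which must be plain strings") or move the exception next to it, so that a reader of the overview is not told regex IOCs are universally accepted.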