Merged
2 changes: 1 addition & 1 deletion debugging/missing-alerts.rst
Expand Up @@ -60,7 +60,7 @@ It happens very often that users that prepare custom IOCs or YARA rules
forget to include the correct keyword in the filename of the IOC or YARA
rule file.

The correct use of keywords is described in the chapters :ref:`signatures/ioc-formats:Simple IOC files`
The correct use of keywords is described in the chapters :ref:`signatures/ioc-formats:Simple IOC files (deprecated)`
for IOCs and :ref:`signatures/yara:YARA Rules` for YARA rules.

A wrong or missing keyword leads to situations in which a file that contains
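Review bot: the updated reference now sends a user who is troubleshooting missing alerts to a section whose title says "(deprecated)" without the surrounding text acknowledging it. Since this same commit marks both the simple IOC file format and the keyword IOC type as deprecated, this paragraph should say so and name the supported path (the YAML IOC files section, `:ref:`signatures/ioc-formats:YAML IOC files``) rather than only renaming the link target; otherwise the troubleshooting page keeps steering people toward a format they should be migrating away from.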
6 changes: 3 additions & 3 deletions signatures/ioc-formats.rst
Expand Up @@ -59,8 +59,8 @@ They must have the `.yml` extension, or, if encrypted, the `.yms` extension.
# - mutexes
# - events

Simple IOC files
~~~~~~~~~~~~~~~~
Simple IOC files (deprecated)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Simple IOC files are basically CSV files that include the IOC and
comments. Simple IOC files must have the extension ``.txt``.
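Review bot: the heading gains "(deprecated)" but the section body that follows ("Simple IOC files are basically CSV files...") carries no deprecation notice or migration path, unlike the Keywords section in ioc-types.rst in this same change, which gets a `.. warning::` directive. Add the same directive directly under this heading, stating that the format is deprecated and pointing to the YAML IOC files section, since a suffix in the title alone is easy to miss when the page is reached by search or a deep link.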
Expand All @@ -86,7 +86,7 @@ The following tags for simple IOCs are currently supported:

* "**keyword**" or "**keywords**"

* for :ref:`signatures/ioc-types:Keywords`
* for :ref:`signatures/ioc-types:Keywords (deprecated)`

* "**trusted-hash**" or "**trusted-hashes**"
or "**falsepositive-hash**" or "**falsepositive-hashes**"
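Review bot: the `keyword`/`keywords` tag is still listed under "The following tags for simple IOCs are currently supported" while its link target is now marked deprecated; mark the list item itself as deprecated (or move it to the end of the list with a short note) so a reader scanning the tag list is not encouraged to write new keyword IOCs.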
8 changes: 5 additions & 3 deletions signatures/ioc-types.rst
Expand Up @@ -20,7 +20,7 @@ IOC Types

IOCs are indicators of compromise that are applied during a scan.
They are categorized based on their :ref:`signatures/ioc-types:IOC types`, and can be specified
as either :ref:`signatures/ioc-formats:YAML IOC files` or :ref:`signatures/ioc-formats:Simple IOC files`.
as either :ref:`signatures/ioc-formats:YAML IOC files` or :ref:`signatures/ioc-formats:Simple IOC files (deprecated)`.

All IOCs are text based and can either be regular expressions or plain strings. Furthermore, each IOC has:

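Review bot: renaming section headings changes the autosectionlabel targets, and this hunk only shows the references that happened to be included in the commit. Before merging, grep the docs tree for the old label text `signatures/ioc-formats:Simple IOC files` and `signatures/ioc-types:Keywords` so no remaining `:ref:` is left pointing at a label that no longer exists and fails the Sphinx build with an undefined-label warning.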
Expand All @@ -46,6 +46,8 @@ Hash IOC must be MD5, SHA1, SHA256, or PE import hashes. They are applied to:
- the hashes of all files that THOR scans
- Hashes in the Amcache that THOR finds

Hash IOCs are always applied case insensitively and regex hash IOCs are not supported.

File Names
----------

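Review bot: the new sentence "Hash IOCs are always applied case insensitively and regex hash IOCs are not supported." states that regex hash IOCs are unsupported but not what THOR does with one (rejected at load time with an error, silently skipped, or matched as a literal string); a reader debugging a hash rule that never fires needs that failure mode spelled out. This line is also unrelated to the deprecation renames that make up the rest of the commit and would be easier to review, and to revert if needed, as a separate change.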
Expand All @@ -56,8 +58,8 @@ score of well-known files and locations, by using negative scores.

Filename IOCs are applied to _all_ fields of all objects that THOR encounters.

Keywords
--------
Keywords (deprecated)
---------------------

.. warning::
Keyword IOCs are deprecated. If you use keyword IOCs, consider switching to
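Review bot: renaming the heading also changes the generated HTML anchor, so existing deep links to the Keywords section stop resolving; consider placing an explicit label such as `.. _ioc-keywords:` above the heading (and likewise above `Simple IOC files (deprecated)` in ioc-formats.rst) so that future wording changes do not ripple through every `:ref:` again. The underline length matches the new title, which is correct for RST.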