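rule administrative_share_abuse
{
    meta:
        author = "@matonis"
        description = "syntax for accessing administrative shares"
    strings:
        // Command verbs typically seen next to a share path. Word boundaries keep
        // "net" / "del" from matching inside unrelated words (e.g. "internet",
        // "model"), which the unanchored form did on almost any text.
        $s0 = /\b(copy|del|psexec|net)\b/ nocase
        // Administrative share paths (C$ / ADMIN$). Windows paths are
        // case-insensitive, hence nocase on each.
        $s1 = "\\c$\\windows\\system32\\" nocase
        $s2 = "\\c$\\system32\\" nocase
        $s3 = "\\admin$\\" nocase
    condition:
        // A command verb must co-occur with at least one share path.
        $s0 and (any of ($s1, $s2, $s3))
}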
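rule remote_system_syntax
{
    meta:
        author = "@matonis"
        // Key renamed from "info" to "description" so every rule in this file
        // exposes its summary under the same meta field.
        description = "Command syntax that is used to access remote systems by IP address"
    strings:
        // UNC-style prefix followed by a dotted quad: "\\1.2.3.4". The octets are
        // only checked for 1-3 digits, so values above 255 also match.
        $s1 = /\\\\\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/
    condition:
        $s1
}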
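rule http_request_header
{
    meta:
        author = "@matonis"
        description = "HTTP header fields"
    strings:
        // Request methods. These are short, case-sensitive atoms that occur in
        // ordinary text too; the condition below only counts them together with a
        // version token and two header names.
        $method0 = "OPTIONS"
        $method1 = "GET"
        $method2 = "HEAD"
        $method3 = "POST"
        $method4 = "PUT"
        $method5 = "DELETE"
        $method6 = "TRACE"
        $method7 = "CONNECT"
        // Protocol version tokens.
        $version0 = "HTTP/1.1"
        $version1 = "HTTP/1.0"
        // Request header names, each with the trailing ": " separator.
        $header0 = "Host: "
        $header1 = "User-Agent: "
        $header2 = "Content-Encoding: "
        $header3 = "Last-Modified: "
        $header4 = "Expires: "
        $header5 = "Connection: "
        $header6 = "Accept-Language: "
        $header7 = "Accept-Encoding: "
        // Was "Accet-Charset: " (typo), which could never match a real header.
        $header8 = "Accept-Charset: "
        $header9 = "Cookie: "
        $header10 = "Content-Length: "
        $header11 = "Accept: "
    condition:
        // One method, one version token and at least two header names.
        (1 of ($method*)) and (1 of ($version*)) and (2 of ($header*))
}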
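rule http_response_header
{
    meta:
        author = "@matonis"
        description = "HTTP Response headers"
    strings:
        // Status code plus reason phrase, as written on the status line.
        $response0 = "200 OK"
        $response1 = "201 Created"
        $response2 = "202 Accepted"
        $response3 = "203 Non-Authoritative Information"
        $response4 = "204 No Content"
        $response5 = "205 Reset Content"
        $response6 = "206 Partial Content"
        $response7 = "300 Multiple Choices"
        $response8 = "301 Moved Permanently"
        $response9 = "302 Found"
        $response10 = "303 See Other"
        $response11 = "304 Not Modified"
        $response12 = "305 Use Proxy"
        $response13 = "307 Temporary Redirect"
        // Was "400 Bad REQUEST": the strings are case-sensitive, so the
        // upper-cased phrase missed the standard "400 Bad Request" line.
        $response14 = "400 Bad Request"
        $response15 = "401 Unauthorized"
        $response16 = "403 Forbidden"
        $response17 = "404 Not Found"
        $response18 = "405 Method Not Allowed"
        $response19 = "406 Not Acceptable"
        // Completed from the truncated "...Require" (a prefix still matched, the
        // full phrase is just the exact reason text).
        $response20 = "407 Proxy Authentication Required"
        $response21 = "408 Request Timeout"
        $response22 = "409 Conflict"
        $response23 = "410 Gone"
        $response24 = "411 Length Required"
        $response25 = "412 Precondition Failed"
        $response26 = "413 Request Entity Too Large"
        $response27 = "414 Request-URI Too Long"
        $response28 = "415 Unsupported Media Type"
        $response29 = "416 Requested Range Not Satisfiable"
        $response30 = "417 Expectation Failed"
        $response31 = "500 Internal Server Error"
        $response32 = "501 Not Implemented"
        $response33 = "502 Bad Gateway"
        $response34 = "503 Service Unavailable"
        $response35 = "504 Gateway Timeout"
        $response36 = "505 HTTP Version Not Supported"
        // Protocol version tokens.
        $version0 = "HTTP/1.1"
        $version1 = "HTTP/1.0"
        // Response header names (no trailing space, unlike the request rule).
        $field0 = "Set-Cookie:"
        $field1 = "Content-Type:"
        $field2 = "X-Powered-By:"
        $field3 = "Vary:"
        $field4 = "Transfer-Encoding:"
        // Servers commonly emit "ETag:"; header names are case-insensitive, and
        // the previous case-sensitive "Etag:" missed that spelling.
        $field5 = "ETag:" nocase
        $field6 = "Date:"
        $field7 = "Server:"
        $field8 = "Cache-Control:"
        $field9 = "Connection:"
        $field10 = "Last-Modified:"
    condition:
        // One status line, one version token and at least two header names.
        (1 of ($response*)) and (1 of ($version*)) and (2 of ($field*))
}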
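rule webartifact_html
{
    meta:
        author = "@matonis"
        description = "HTML identifiers"
    strings:
        // Specific tag fragments. The original declared "body>" twice; since
        // "2 of them" counts string identifiers, a single "body>" occurrence
        // satisfied the whole rule. The duplicate is removed so two distinct
        // fragments are really required.
        $html0 = "DOCTYPE"
        $html1 = "head>"
        $html2 = "body>"
        $html3 = "title>"
        $html4 = "html>"
        $html5 = "</html>"
        $html6 = "<!--"
        $html7 = "-->"
        $html8 = "br>"
        $html9 = "script>"
    condition:
        2 of them
}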
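rule webartifact_javascript
{
    meta:
        author = "@matonis"
        description = "Javascript signature"
    strings:
        // DOM / script API names.
        $java0 = "document.write" nocase
        $java1 = "createElement" nocase
        $java2 = "getElementsByTagName" nocase
        $java3 = "appendChild" nocase
        // fullword keeps "eval" from matching inside "evaluate", "retrieval",
        // "medieval" etc.; "eval(" still matches because "(" is not alphanumeric.
        $java4 = "eval" nocase fullword
        $java5 = "document.cookie" nocase
        // Parameter list of the common "p,a,c,k,e,d" JavaScript packer stub.
        $java6 = "p,a,c,k,e,d" nocase
        $java7 = ".substring"
    condition:
        // Any three distinct identifiers.
        3 of them
}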
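rule cmdshell
{
    meta:
        author = "@matonis"
        description = "Command prompt syntax to identify potential priv escalation"
    strings:
        // Administrator profile paths (XP-era and Vista+ layouts). Windows paths
        // are case-insensitive, so nocase is required to catch e.g.
        // "c:\users\administrator" — the case-sensitive originals missed it.
        $cmd0 = "C:\\Documents and Settings\\Administrator" nocase
        $cmd1 = "C:\\Users\\Administrator" nocase
    condition:
        any of them
}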
rule webartifact_gmail
{
    meta:
        author = "@matonis"
        description = "Gmail artifacts"
    strings:
        // JSON-array fragments as seen in Gmail's data responses; the escaped
        // quotes are part of the literal.
        $gm1 = "[\"ms\","
        $gm2 = "[\"ce\"]"
        $gm3 = "[\"e\""
    condition:
        // Two of the three fragments are required.
        2 of ($gm*)
}
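rule social_security_syntax
{
    meta:
        author = "@matonis"
        description = "SSN Syntax"
    strings:
        // US SSN layout is AAA-GG-SSSS (3-2-4 digits). The original ended in
        // {3}, which still matched real SSNs as a prefix but also fired on any
        // 3-2-3 digit string; the trailing group is now the full four digits.
        $s1 = /[0-9]{3}-[0-9]{2}-[0-9]{4}/
    condition:
        $s1
}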
rule smtp_fragments
{
    meta:
        author = "@matonis"
        description = "SMTP Artifacts"
    strings:
        // Envelope commands exchanged during the SMTP dialogue.
        $smtp0 = "HELO"
        $smtp1 = "MAIL FROM"
        $smtp2 = "RCPT TO"
        // Message header fields (case-sensitive, as in the original).
        $smtp3 = "From:"
        $smtp4 = "To:"
        $smtp5 = "Cc:"
        $smtp6 = "Date:"
        $smtp7 = "Subject:"
        $smtp8 = "Delivered-To:"
        $smtp9 = "Received: by"
        $smtp10 = "Authentication-Results:"
        $smtp11 = "Return-Path:"
        $smtp12 = "Message-ID:"
        $smtp13 = "Content-Transfer-Encoding:"
        $smtp14 = "Content-Disposition:"
        $smtp15 = "X-Forwarded-To:"
        $smtp16 = "X-Forwarded-For:"
    condition:
        // Seven distinct fragments of the seventeen above.
        7 of ($smtp*)
}
rule irc
{
    meta:
        author = "@matonis"
        description = "IRC Artifacts"
    strings:
        // Server/client messages that are each sufficient on their own.
        $msg0 = "has joined #"
        $msg1 = "Channel created on"
        $msg2 = /are [0-9]* users and [0-9]* invisible on/
        // NOTE(review): in a regex "(s)" is a capture group for a literal "s",
        // so this matches "N operators online" and not the literal text
        // "operator(s) online" — confirm which form was intended.
        $msg3 = /[0-9]* operator(s) online/
        // Registration commands; all four are required together because each
        // is a short, common token.
        $cmd0 = "USER"
        $cmd1 = "PASS"
        $cmd2 = "NICK"
        $cmd3 = "CHANNEL"
    condition:
        any of ($msg*) or all of ($cmd*)
}
rule ftp
{
meta:
author="@matonis"
description="FTP Command Artifacts"
strings:
// Server reply lines, grouped by the leading reply code. Most include the
// trailing period, so a reply printed without it will not match that string.
// 1xx
$ftp1 = "150 File status okay; about to open data connection."
$ftp2 = "150 Opening BINARY mode data connection for"
$ftp3 = "150 Opening data connection."
// 2xx
$ftp4 = "200 Command PORT okay."
$ftp5 = "200 Command PROT okay."
$ftp6 = "200 Command SITE okay."
$ftp7 = "200 Command okay."
$ftp8 = "200 EPRT command okay."
$ftp9 = "200 Goodbye."
$ftp10 = "200 PORT command successful."
$ftp11 = "202 Already logged-in."
$ftp12 = "202 Command ACCT not implemented."
$ftp13 = "214 Help information."
$ftp14 = "221 Goodbye."
$ftp15 = "221 List of all the extensions supported."
$ftp16 = "226 ABOR command successful."
$ftp17 = "226 Closing data connection."
$ftp18 = "226 Transfer complete."
$ftp19 = "229 Entering passive mode"
$ftp20 = "230 Already logged-in."
$ftp21 = "230 User logged in, proceed."
$ftp22 = "234 AUTH command okay; starting SSL connection."
// No reply code on this one; it is a bare status phrase.
$ftp23 = "Transfer started."
$ftp24 = "250 Command okay."
$ftp25 = "250 Directory created."
$ftp26 = "250 Directory removed."
$ftp27 = "250 Requested file action okay, file renamed."
// 3xx
$ftp28 = "331 Guest login okay, send your complete e-mail address as password."
$ftp29 = "331 User name okay, need password."
$ftp30 = "350 Requested file action pending further information."
// 4xx
$ftp31 = "421 Maximum anonymous login limit has been reached."
$ftp32 = "421 Maximum login limit has been reached."
$ftp33 = "425 Can't open data connection."
$ftp34 = "425 Cannot open data connection."
$ftp35 = "425 Cannot open passive connection."
$ftp36 = "425 Cannot open the data connection."
$ftp37 = "426 Data connection error."
$ftp38 = "431 Security is disabled."
$ftp39 = "431 Service is unavailable."
$ftp40 = "450 Can't delete file."
$ftp41 = "450 No permission to delete."
// 5xx
$ftp42 = "500 Execution failed."
$ftp43 = "501 Syntax error in parameters or arguments."
$ftp44 = "501 Syntax error."
$ftp45 = "502 Command SITE not implemented for this argument."
$ftp46 = "502 Not yet implemented."
$ftp47 = "503 Cannot find the file which has to be renamed."
$ftp48 = "503 Login with USER first."
$ftp49 = "504 Command not implemented."
$ftp50 = "504 Not implemented for this command."
$ftp51 = "504 Server does not understand the specified protection level."
$ftp52 = "510 EPRT IP is not same as client IP."
$ftp53 = "510 EPRT is disabled."
$ftp54 = "510 PORT IP mismatch."
$ftp55 = "510 Port is disabled."
$ftp56 = "510 Syntax error in parameters."
$ftp57 = "510 Syntax error."
$ftp58 = "530 Access denied."
$ftp59 = "530 Anonymous connection is not allowed."
$ftp60 = "530 Authentication failed."
$ftp61 = "530 Invalid user name."
$ftp62 = "550 Already exists."
$ftp63 = "550 Cannot create directory."
$ftp64 = "550 Cannot remove directory."
$ftp65 = "550 File unavailable."
$ftp66 = "550 Invalid path."
$ftp67 = "550 No permission."
$ftp68 = "550 No such directory."
$ftp69 = "550 No such file or directory."
$ftp70 = "550 Not a plain file."
$ftp71 = "550 Not a valid directory."
$ftp72 = "550 Not a valid file."
$ftp73 = "550 Permission denied."
$ftp74 = "550 Unique file name error."
$ftp75 = "551 Error on input file."
$ftp76 = "551 Error on output file."
$ftp77 = "551 File listing failed."
$ftp78 = "552 Invalid port number."
$ftp79 = "552 Not a valid port number."
$ftp80 = "553 Cannot rename file."
$ftp81 = "553 Host unknown."
$ftp82 = "553 No permission."
$ftp83 = "553 Not a valid file name."
// Client-side / transcript phrases without a reply code.
$ftp84 = "Interactive mode on."
$ftp85 = "bytes received in"
$ftp86 = "command successful"
condition:
// Any four distinct strings from the list above.
4 of them
}