#24
If you do a YARA scan you will quickly see if the scanner is set properly. You will see the YARA rules load after you push the "Perform YARA scan" button.

Code:
loading rules from file: C:\yara\cve.yar (3)
loading rules from file: C:\yara\index.yar (0)
loading rules from file: C:\yara\xplug.yar (2)
loading rules from file: C:\yara\AlienVault\apt.yar (72)
loading rules from file: C:\yara\AlienVault\avdetect.yar (1)
loading rules from file: C:\yara\AlienVault\dbgdetect.yar (3)
loading rules from file: C:\yara\AlienVault\hangover.yar (16)
loading rules from file: C:\yara\AlienVault\sandboxdetect.yar (1)
loading rules from file: C:\yara\AlienVault\vmdetect.yar (1)
loading rules from file: C:\yara\AlienVault\APT_NGO_wuaclt\yara\APT_NGO_wuaclt.yar (1)
loading rules from file: C:\yara\AlienVault\APT_NGO_wuaclt\yara\APT_NGO_wuaclt_PDF.yar (1)
loading rules from file: C:\yara\AlienVault\Georbot\GeorBotBinary.yara (1)
loading rules from file: C:\yara\AlienVault\Georbot\GeorBotMemory.yara (1)
[!] Performing YARA scan...

Also, you can add your own sigs to YARA. Read this post: https://hacking.ventures/rsa-keys-in-heartbleed-memory/ He adds the RSA headers to the scanner.

Code:
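import yara

# 30 82 ?? ?? is an ASN.1 DER SEQUENCE header with a two-byte length.
# x509: two nested SEQUENCEs; pkcs: SEQUENCE followed by INTEGER 0 (version).
rules = yara.compile(sources = {
'x509' : 'rule x509 {strings: $a = {30 82 ?? ?? 30 82 ?? ??} condition: $a}',
'pkcs' : 'rule pkcs {strings: $a = {30 82 ?? ?? 02 01 00} condition: $a}',
})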
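
An added example, not part of the original post or the linked article: the same two byte patterns in plain Python, with a plausibility check on the DER length fields so that hits with impossible lengths are dropped when triaging a memory dump. The function name, the length checks and the sample buffer are constructed for illustration.

```python
import re

# Same byte patterns as the two YARA rules in the post, as regexes over bytes.
# 30 82 LL LL is a DER SEQUENCE header with a two-byte (long-form) length.
PATTERNS = {
    "x509": re.compile(rb"\x30\x82(..)\x30\x82(..)", re.DOTALL),
    "pkcs": re.compile(rb"\x30\x82(..)\x02\x01\x00", re.DOTALL),
}

def find_der_candidates(buf):
    """Return sorted (rule, offset, total_len) for hits with plausible DER lengths."""
    hits = []
    for name, rx in PATTERNS.items():
        pos = 0
        while True:
            m = rx.search(buf, pos)
            if m is None:
                break
            pos = m.start() + 1                      # keep overlapping hits
            outer = int.from_bytes(m.group(1), "big")
            total = 4 + outer                        # header + declared content
            if outer < 0x100:
                continue                             # DER uses 0x82 only for len >= 256
            if m.start() + total > len(buf):
                continue                             # structure would run past the buffer
            if name == "x509":
                inner = int.from_bytes(m.group(2), "big")
                if inner < 0x100 or inner + 4 > outer:
                    continue                         # nested SEQUENCE must fit in the outer one
            hits.append((name, m.start(), total))
    return sorted(hits, key=lambda h: h[1])

# Constructed sample buffer (no real key material): filler bytes shaped like
# a certificate and a private key, plus two hits the raw patterns would match.
CERT_LIKE = b"\x30\x82\x01\x10\x30\x82\x01\x00" + b"\xaa" * 268
KEY_LIKE = b"\x30\x82\x02\x5c\x02\x01\x00" + b"\xaa" * 601
TOO_SHORT = b"\x30\x82\x00\x05\x30\x82\x00\x01"   # lengths below 256: not valid DER
TRUNCATED = b"\x30\x82\x7f\xff\x02\x01\x00"       # declared length exceeds the buffer
SAMPLE = b"\x00" * 16 + CERT_LIKE + b"\x00" * 8 + KEY_LIKE + TOO_SHORT + TRUNCATED

if __name__ == "__main__":
    for rule, offset, length in find_der_candidates(SAMPLE):
        print(f"{rule:5s} offset=0x{offset:x} length={length}")
```
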