Yara Rules - Developer Updates #9
Replies: 4 comments 1 reply
-
Ongoing Testing: I am actively conducting a series of tests to ensure the current Yara rules are precise and error-free. As these rules are refined, additional rules will be incorporated to further enhance the .yar files. Expect frequent updates as I continue to add, adjust, and remove content to improve accuracy.
-
NOTE TO ALL USERS! The Yara rules found here are STILL BEING TESTED. This means that anybody who is potentially trying them for one reason or another should take these with a grain of salt, as several tests are being done to ensure these rules are correct and are able to print true positives most of the time. Since this is a very iterative process, I will be posting rules and editing them continuously to ensure up-to-date rules. I will send development updates here when I have successfully tested a Yara file and deemed it complete; until then, however, what you see is all in heavy development and prone to false positives and/or errors. Thank you all for your patience in this matter :)
-
Significant enhancements have been made today, including substantial additions to the YARA rules and the removal of unnecessary code. These updates provide a broader overview of the files, identifying details such as file types and potentially insightful information like IP addresses, MAC addresses, and even sensitive data such as PII and more. It’s important to note that these rules are not intended for malware analysis, but rather to offer general insights into file contents. Further updates and thorough testing will follow to ensure quality. Support for MAC file extensions will be implemented once this batch is complete.
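The update above describes rules that identify file types and surface strings such as IP and MAC addresses. The following is an added, constructed illustration of that kind of rule, written for this page; it is not a rule from the Ransomsniffer repository, and the rule names, the magic-byte list and the regexes are my own choices. The file-type check is split into a private rule so the indicator rule can reuse it, and the condition anchors the magic bytes at offset 0 so a stray "MZ" in the middle of a text file does not count as a PE header.

```yara
// Constructed example for this discussion, not part of Ransomsniffer.
// Private rule: recognise a handful of common container formats by their
// leading magic bytes. "at 0" restricts the match to the file start.
private rule Example_KnownFileType
{
    strings:
        $pe  = { 4D 5A }                // "MZ": Windows PE / DOS executable
        $elf = { 7F 45 4C 46 }          // "\x7fELF": Linux ELF binary
        $pdf = "%PDF-"                  // PDF header
        $zip = { 50 4B 03 04 }          // ZIP local file header (also docx, jar, apk)
        $gz  = { 1F 8B 08 }             // gzip with deflate compression
    condition:
        $pe at 0 or $elf at 0 or $pdf at 0 or $zip at 0 or $gz at 0
}

// Informational rule: the file has a recognised type AND contains something that
// looks like an IPv4 address or a MAC address. This only gives "general insight
// into file contents" in the sense the update describes; it is not a malware verdict.
rule Example_FileType_With_Network_Indicators
{
    meta:
        description = "Constructed example: known file type containing IPv4- or MAC-like strings"
        author      = "example added to this discussion, not the project's own rule"
        scope       = "file inventory / triage, not malware detection"

    strings:
        // IPv4: four dotted octets, each 0-255. The \b guards cut down on hits
        // inside longer digit runs, but version strings such as "1.2.3.4" still
        // match, so treat this as a hint to review, not a confirmed indicator.
        $ipv4 = /\b(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])){3}\b/

        // MAC: six hex pairs separated by ':' or '-' (e.g. 00:1A:2B:3C:4D:5E).
        $mac = /\b([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b/

    condition:
        Example_KnownFileType and ($ipv4 or $mac)
}
```

Running this with `yara -s example.yar <file>` prints the matched strings and their offsets, which is the quickest way to see where a false positive such as a version number came from before deciding whether the regex needs tightening.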
-
CONTENT MOVED TO NEW REPOSITORY -> Access it here
-
This discussion will be focused on discussing current updates/tasks that I am doing related to the implementation of Yara rules for Ransomsniffer.
Besides code updates, I will also share here what is to come next, giving you all focused detection updates on my end.