package main
// defaultRulesets is the built-in catalogue of third-party YARA rule
// repositories. Every entry starts out Enabled; the Description text is
// free-form and some of it links to the author's blog or profile.
//
// Each entry carries only a clone URL (no tag, branch or commit field), so
// whatever consumes this table presumably fetches the upstream default branch
// as-is — NOTE(review): confirm against the fetch code, since rules pulled
// from an unpinned remote are trusted content that can change under us.
var defaultRulesets = [...]Ruleset{
	{
		Name:        "BinSequencer",
		URL:         "https://github.com/karttoon/binsequencer.git",
		Description: "Find a common pattern of bytes within a set of samples and generate a YARA rule from the identified pattern.",
		Enabled:     true,
	},
	{
		Name:        "CAPE Rules",
		URL:         "https://github.com/ctxis/CAPE.git",
		Description: "Rules from various authors bundled with the Config And Payload Extraction Cuckoo Sandbox extension (see next section).",
		Enabled:     true,
	},
	{
		Name:        "CDI Rules",
		URL:         "https://github.com/CyberDefenses/CDI_yara.git",
		Description: "Collection of YARA rules released by [CyberDefenses](https://cyberdefenses.com/blog/) for public use. Built from information in intelligence profiles, dossiers and file work.",
		Enabled:     true,
	},
	{
		Name:        "Citizen Lab Malware Signatures",
		URL:         "https://github.com/citizenlab/malware-signatures.git",
		Description: "YARA signatures developed by Citizen Lab. Dozens of signatures covering a variety of malware families. The also inclde a syntax file for Vim. Last update was in November of 2016.",
		Enabled:     true,
	},
	{
		Name:        "ConventionEngine Rules",
		URL:         "https://github.com/stvemillertime/ConventionEngine.git",
		Description: "A collection of Yara rules looking for PEs with PDB paths that have unique, unusual, or overtly malicious-looking keywords, terms, or other features.",
		Enabled:     true,
	},
	{
		Name:        "Deadbits Rules",
		URL:         "https://github.com/deadbits/yara-rules.git",
		Description: "A collection of YARA rules made public by [Adam Swanda](https://www.deadbits.org/), Splunk's Principal Threat Intel. Analyst, from his own recent malware research.",
		Enabled:     true,
	},
	{
		Name:        "Didier Stevens Rules",
		URL:         "https://github.com/DidierStevens/DidierStevensSuite.git",
		Description: "Collection of rules from Didier Stevens, author of a suite of tools for inspecting OLE/RTF/PDF. Didier's rules are worth scrutinizing and are generally written purposed towards hunting. New rules are frequently announced through the [NVISO Labs Blog](https://blog.nviso.be/).",
		Enabled:     true,
	},
	{
		Name:        "ESET IOCs",
		URL:         "https://github.com/eset/malware-ioc.git",
		Description: "Collection of YARA and Snort rules from IOCs collected by ESET researchers. There's about a dozen YARA Rules to glean from in this repo, search for file extension .yar. This repository is seemingly updated on a roughly monthly interval. New IOCs are often mentioned on the [ESET WeLiveSecurity Blog](https://www.welivesecurity.com/).",
		Enabled:     true,
	},
	{
		Name:        "Fidelis Rules",
		URL:         "https://github.com/fideliscyber/indicators.git",
		Description: "You can find a half dozen YARA rules in Fidelis Cyber's IOC repository. They update this repository on a roughly quarterly interval. Complete blog content is also available in this repository.",
		Enabled:     true,
	},
	{
		Name:        "Florian Roth Rules",
		URL:         "https://github.com/Neo23x0/signature-base.git",
		Description: "Florian Roth's signature base is a frequently updated collection of IOCs and YARA rules that cover a wide range of threats. There are dozens of rules which are actively maintained. Watch the repository to see rules evolve over time to address false potives / negatives.",
		Enabled:     true,
	},
	{
		Name:        "Franke Boldewin Rules",
		URL:         "https://github.com/fboldewin/YARA-rules.git",
		Description: "A collection of YARA Rules from [@r3c0nst](https://twitter.com/@r3c0nst).",
		Enabled:     true,
	},
	{
		Name:        "FSF Rules",
		URL:         "https://github.com/EmersonElectricCo/fsf.git",
		Description: "Mostly filetype detection rules, from the EmersonElectricCo FSF project (see next section).",
		Enabled:     true,
	},
	{
		Name:        "GoDaddy ProcFilter Rules",
		URL:         "https://github.com/godaddy/yara-rules.git",
		Description: "A couple dozen rules written and released by GoDaddy for use with ProcFilter (see next section). Example rules include detection for packers, mimikatz, and specific malware.",
		Enabled:     true,
	},
	{
		Name:        "h3x2b Rules",
		URL:         "https://github.com/h3x2b/yara-rules.git",
		Description: "Collection of signatures from h3x2b which stand out in that they are generic and can be used to assist in reverse engineering. There are YARA rules for identifying crypto routines, highly entropic sections (certificate discovery for example), discovering injection / hooking functionality, and more.",
		Enabled:     true,
	},
	{
		Name:        "Icewater",
		URL:         "https://github.com/SupportIntelligence/Icewater.git",
		Description: "Rules created by Icewater",
		Enabled:     true,
	},
	{
		Name:        "InQuest Rules",
		URL:         "https://github.com/InQuest/yara-rules.git",
		Description: "YARA rules published by InQuest researchers mostly geared towards threat hunting on Virus Total. Rules are updated as new samples are collected and novel pivots are discovered. The [InQuest Blog](http://blog.inquest.net) will often discuss new findings.",
		Enabled:     true,
	},
	{
		Name:        "Intezer Rules",
		URL:         "https://github.com/intezer/yara-rules.git",
		Description: "YARA rules published by Intezer Labs.",
		Enabled:     true,
	},
	{
		Name:        "jeFF0Falltrades Rules",
		URL:         "https://github.com/jeFF0Falltrades/YARA-Signatures.git",
		Description: "A collection of YARA signatures for various malware families.",
		Enabled:     true,
	},
	{
		Name:        "kevthehermit Rules",
		URL:         "https://github.com/kevthehermit/YaraRules.git",
		Description: "Dozens of rules from the personal collection of Kevin Breen. This repository hasn't been updated since February of 2016.",
		Enabled:     true,
	},
	{
		Name:        "lw-yara",
		URL:         "https://github.com/Hestat/lw-yara.git",
		Description: "Ruleset for scanning Linux servers for shells, spamming, phishing and other webserver baddies.",
		Enabled:     true,
	},
	{
		Name:        "Malice.IO YARA Plugin Rules",
		URL:         "https://github.com/malice-plugins/yara.git",
		Description: "Collection of topical from a variety of sources for the YARA component of the Malice.IO framework.",
		Enabled:     true,
	},
	{
		Name:        "McAfee Advanced Threat Research IOCs",
		URL:         "https://github.com/advanced-threat-research/IOCs.git",
		Description: "IOCs, including YARA rules, to accompany McAfee ATR's blog and other public posts.",
		Enabled:     true,
	},
	{
		Name:        "NCC Group Rules",
		URL:         "https://github.com/nccgroup/Cyber-Defence.git",
		Description: "A handful of YARA rules released by NCC Group's Cyber Defence team.",
		Enabled:     true,
	},
	{
		Name:        "PasteHunter",
		URL:         "https://github.com/kevthehermit/PasteHunter.git",
		Description: "Custom yara rules",
		Enabled:     true,
	},
	{
		Name:        "Patrick Olsen Rules",
		URL:         "https://github.com/prolsen/YaraRules.git",
		Description: "Small collection of rules with a wide footprint for variety in detection. RATs, documents, PCAPs, executables, in-memory, point-of-sale malware, and more. Unfortunately this repository hasn't seen an update since late 2014.",
		Enabled:     true,
	},
	{
		Name:        "QuickSand Lite Rules",
		URL:         "https://github.com/tylabs/quicksand_lite.git",
		Description: "This repo contains a C framework and standalone tool for malware analysis, along with several useful YARA rules developed for use with the project.",
		Enabled:     true,
	},
	{
		Name:        "rastrea2r",
		URL:         "https://github.com/rastrea2r/rastrea2r.git",
		Description: "Triage suspect systems and hunt for Indicators of Compromise (IOCs) across thousands of endpoints in minutes.",
		Enabled:     true,
	},
	{
		Name:        "reversinglabs-yara-rules",
		URL:         "https://github.com/reversinglabs/reversinglabs-yara-rules.git",
		Description: "Custom yara rules",
		Enabled:     true,
	},
	{
		Name:        "Sophos AI YaraML Rules",
		URL:         "https://github.com/inv-ds-research/yaraml_rules.git",
		Description: "A repository of Yara rules created automatically as translations of machine learning models. Each directory will have a rule and accompanying metadata: hashes of files used in training, and an accuracy diagram (a ROC curve).",
		Enabled:     true,
	},
	{
		Name:        "SpiderLabs Rules",
		URL:         "https://github.com/SpiderLabs/malware-analysis.git",
		Description: "Repository of tools and scripts related to malware analysis from the researchers at SpiderLabs. There's only three YARA rules here and the last update was back in 2015, but worth exploring.",
		Enabled:     true,
	},
	{
		Name:        "Tenable Rules",
		URL:         "https://github.com/tenable/yara-rules.git",
		Description: "Small collection from Tenable Network Security.",
		Enabled:     true,
	},
	{
		Name:        "TjadaNel Rules",
		URL:         "https://github.com/tjadanel/yara_repo.git",
		Description: "Small collection of malware rules.",
		Enabled:     true,
	},
	{
		Name:        "VectraThreatLab Rules",
		URL:         "https://github.com/VectraThreatLab/reyara.git",
		Description: "YARA rules for identifying anti-RE malware techniques.",
		Enabled:     true,
	},
	{
		Name:        "x64dbg Signatures",
		URL:         "https://github.com/x64dbg/yarasigs.git",
		Description: "Collection of interesting packer, compiler, and crypto identification signatures.",
		Enabled:     true,
	},
	{
		Name:        "yara-forensics",
		URL:         "https://github.com/Xumeiquer/yara-forensics.git",
		Description: "Set of Yara rules for finding files using magics headers",
		Enabled:     true,
	},
	{
		// This is the only entry whose URL lacks the ".git" suffix; kept as-is
		// since the clone semantics are unchanged.
		Name:        "yara-rules",
		URL:         "https://github.com/Yara-Rules/rules",
		Description: "Community project with YARA rules",
		Enabled:     true,
	},
	{
		Name:        "Yara-Unprotect",
		URL:         "https://github.com/fr0gger/Yara-Unprotect.git",
		Description: "Rules created for the Unprotect Project for detecting malware evasion techniques.",
		Enabled:     true,
	},
	{
		Name:        "yara4pentesters",
		URL:         "https://github.com/DiabloHorn/yara4pentesters.git",
		Description: "Rules to identify files containing juicy information like usernames, passwords etc.",
		Enabled:     true,
	},
}