Collaborate Disseminate
I’ve run a malware ruleset from the Yara rules repository run on my Sys32 directory without -r and come across a lot of positives (+extra counts) for GLASSES and GLASSESCode
Most matches are with DirectX DLLs but I assume it’s just coincid… Continue reading False Positives for YARA rule
On August 31, 2021 we ran a joint webinar between VirusTotal and Kaspersky, with a focus on YARA rules best practices and real world examples. In this post, we answer your questions that we didn’t answer during webinar. Continue reading Applied YARA training Q&A
I published the following diary on isc.sans.edu: “Defenders, Know Your Operating System Like Attackers Do!“: Not a technical diary today but more a reflection… When I’m teaching FOR610, I always remind students to “RTFM” or “Read the F… Manual”. I mean to not hesitate to have a look at the
The post [SANS ISC] Defenders, Know Your Operating System Like Attackers Do! appeared first on /dev/random.
Continue reading [SANS ISC] Defenders, Know Your Operating System Like Attackers Do!
Stuck with this problem for some time now.
I am scanning a directory with my own yara rules, it works when I tried my code for a single file, but when I use the same code on a for loop, it doesn’t match anything.
I’ve tried searching my pr… Continue reading Scanning directory with YARA python
By Alex Kirk, Corelight Global Principal for Suricata Corelight recently teamed up with SOC Prime, creators of advanced cyber analytics platforms, to add support for the entire Zeek data set into Sigma, the only generic signature language that enables … Continue reading Zeek & Sigma: Fully Compatible for Cross-SIEM Detections
By Alex Kirk, Corelight Global Principal for Suricata Corelight recently teamed up with SOC Prime, creators of advanced cyber analytics platforms, to add support for the entire Zeek data set into Sigma, the only generic signature language that enables … Continue reading Zeek & Sigma: Fully Compatible for Cross-SIEM Detections
I’m building a malware scanner as a plugin for Wordpress and really want to know the best approaches for this problem.
Normally, for finding malware in my own server, I use YARA rules with my python script to scan all suspected directories… Continue reading How to integrate YARA rules into a WordPress plugin [closed]
I read in Peter Szor’s Art of Computer Virus Research and Defense that, in the past, a 16-byte malware signature was sufficient to 16-bit detect malware, but that longer signatures are necessary for 32-bit malware. I am wonde… Continue reading How long is a typical malware signature?
The rising tide of malware threats has created an arms race in security tool accumulation, this has led to alarm fatigue in terms of noisy alerts and false positives. The last thing you need is more false alarms coming from buggy or suboptimal YARA rul… Continue reading Test your YARA rules against a collection of goodware before releasing them in production
I would like to statically sign a malware, specifically MSIL Crypter, with a YARA rule. I want to sign specific functions (Assembly.Load for example) but I couldn’t find an informative documentation about how to disassemble a… Continue reading Disassembling a .NET manually