diff --git a/src/plugins/analysis/software_components/signatures/00_meta_filter.yara b/src/plugins/analysis/software_components/signatures/00_meta_filter.yara index bc26e06e4..ab66d1602 100644 --- a/src/plugins/analysis/software_components/signatures/00_meta_filter.yara +++ b/src/plugins/analysis/software_components/signatures/00_meta_filter.yara @@ -2,11 +2,11 @@ import "magic" private rule no_text_file { - meta: - software_name = "magic" - open_source = true - website = "https://www.fkie.fraunhofer.de/" - description = "no text_file_rule" - condition: - (magic.mime_type() != "text/plain" and magic.mime_type() != "text/html") or test_flag + meta: + software_name = "magic" + open_source = true + website = "https://www.fkie.fraunhofer.de/" + description = "no text_file_rule" + condition: + (magic.mime_type() != "text/plain" and magic.mime_type() != "text/html") or test_flag } diff --git a/src/plugins/analysis/software_components/signatures/bootloader.yara b/src/plugins/analysis/software_components/signatures/bootloader.yara index 0ad4f3b68..46a720630 100644 --- a/src/plugins/analysis/software_components/signatures/bootloader.yara +++ b/src/plugins/analysis/software_components/signatures/bootloader.yara @@ -1,10 +1,10 @@ rule UBoot { - meta: - software_name = "U-Boot" - open_source = true - website = "http://www.denx.de/wiki/U-Boot" - description = "The Universal Boot Loader" + meta: + software_name = "U-Boot" + open_source = true + website = "http://www.denx.de/wiki/U-Boot" + description = "The Universal Boot Loader" strings: $a = /U-Boot \d+\.\d+\.\d+/ nocase ascii wide condition: diff --git a/src/plugins/analysis/software_components/signatures/crypto.yara b/src/plugins/analysis/software_components/signatures/crypto.yara index 145bab09d..3f90b8453 100644 --- a/src/plugins/analysis/software_components/signatures/crypto.yara +++ b/src/plugins/analysis/software_components/signatures/crypto.yara 
@@ -1,11 +1,56 @@ +rule CryptoPP { + meta: + software_name = "Crypto++" + open_source = true + website = "https://www.cryptopp.com/" + description ="Free C++ library for cryptographic schemes library" + strings: + $a = "this object doesn't support resynchronization" + $b = "Clone() is not implemented yet." + $c = "CryptoMaterial: this object does not support precomputation" + $d = "BufferedTransformation: this object doesn't allow input" + $e = "StreamTransformation: this object doesn't support random access" + $f = "BaseN_Encoder: Log2Base must be between 1 and 7 inclusive" + $g = "RandomNumberGenerator: IncorporateEntropy not implemented" + $h = "block size of underlying block cipher is not 16" + $i = "DigestSize must be 4, 6, 8, 10, 12, 14, or 16" + condition: + 3 of them +} + +rule LibreSSL { + meta: + software_name = "LibreSSL" + open_source = true + website = "https://www.libressl.org/" + description ="LibreSSL is a version of the TLS/crypto stack forked from OpenSSL in 2014" + strings: + $a = /LibreSSL \d\.\d{1,2}\.\d{1,2}/ + condition: + $a and no_text_file +} + +rule Mbed_TLS { + meta: + software_name = "Mbed TLS" + open_source = true + website = "https://www.trustedfirmware.org/projects/mbed-tls/" + description ="C library implementing cryptographic primitives and protocols (formerly known as PolarSSL)" + strings: + // fixme: it is possible to build a smaller variant of the library without this string + $a = /([Mm]bed TLS|PolarSSL) \d\.\d{1,2}\.\d{1,2}/ + condition: + $a and no_text_file +} + rule OpenSSL { - meta: - software_name = "OpenSSL" - open_source = true - website = "https://www.openssl.org" - description ="SSL library" - version_regex = "\\d\\.\\d\\.\\d[a-z]{0,2}" + meta: + software_name = "OpenSSL" + open_source = true + website = "https://www.openssl.org" + description ="SSL library" + version_regex = "\\d\\.\\d\\.\\d[a-z]{0,2}" strings: $a = /OpenSSL( \d+\.\d+\.\d+[a-z]?)?/ nocase ascii wide condition: 
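Review bot: The CryptoPP condition `3 of them` is the only condition in this commit that is not combined with `no_text_file`, so a text/plain or text/html file carrying three of these error strings (the library's own sources or a changelog, for instance) is attributed as an embedded Crypto++ build; `3 of them and no_text_file` would keep it in line with LibreSSL and Mbed_TLS a few lines below. The rule rests on error messages alone, presumably because no version string is available in the binary; a comment above `strings:` such as `// no version string to match on; detection relies on these error messages only` would spare the next reader from looking for one. As a point of style, the three new rules write `description ="…"` with no space after `=`, while the next hunk normalises SSLeay to `description = "SSL library"`; the wolfSSL rule in that hunk has the same spacing. The OpenSSL rule at the end of this hunk continues past the hunk boundary.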
@@ -14,14 +59,31 @@ rule OpenSSL rule SSLeay { - meta: - software_name = "SSLeay" - open_source = true - website = "https://en.wikipedia.org/wiki/SSLeay" - description ="SSL library" + meta: + software_name = "SSLeay" + open_source = true + website = "https://en.wikipedia.org/wiki/SSLeay" + description = "SSL library" strings: $a = /SSLeay \d+\.\d+\.\d+[a-z]?/ nocase ascii wide condition: $a and no_text_file } +rule wolfSSL { + meta: + software_name = "wolfSSL" + open_source = true + website = "https://www.wolfssl.com/" + description ="Embedded SSL/TLS Library (formerly CyaSSL)" + _version_function = "wolfSSL_lib_version" + strings: + // the function which yields the version as string (available since version 3.6.0) + $a = "wolfSSL_lib_version" + // error strings (should be in all versions) + $b = "handshake layer not ready yet, complete first" + $c = "non-blocking socket wants data to be read" + $d = "error during rsa priv op" + condition: + $a or ($b and $c and $d) and no_text_file +} diff --git a/src/plugins/analysis/software_components/signatures/database.yara b/src/plugins/analysis/software_components/signatures/database.yara index 267c0c4b5..7c58766ca 100644 --- a/src/plugins/analysis/software_components/signatures/database.yara +++ b/src/plugins/analysis/software_components/signatures/database.yara 
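Review bot: In the wolfSSL condition `$a or ($b and $c and $d) and no_text_file`, `and` binds tighter than `or` as in most languages, so the expression parses as `$a or (($b and $c and $d) and no_text_file)` and the text-file filter is bypassed whenever `$a` ("wolfSSL_lib_version") matches — a header, changelog or HTML page mentioning that function name would be reported as an embedded wolfSSL build. The intended grouping is `($a or ($b and $c and $d)) and no_text_file`. The `// error strings (should be in all versions)` comment is the only documentation of the fallback path for builds older than 3.6.0 and would be more useful if it named the release range it was actually checked against.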
@@ -1,16 +1,29 @@ rule sqlite3 { - meta: - software_name = "SQLite" - open_source = true - website = "https://sqlite.org/index.html" - description = "a small fast SQL database engine" - format_string = true - version_regex = "\\d\\.\\d+\\.\\d+\\.?\\d?" - strings: - $a = "SQLite version %s" ascii - $b = /SQLite version \d\.\d+\.\d+(\.\d)?/ ascii - $c = /libsqlite3\-\d\.\d+\.\d+(\.\d)?\.so/ ascii - condition: - ($a or $b or $c) and no_text_file + meta: + software_name = "SQLite" + open_source = true + website = "https://sqlite.org/index.html" + description = "a small fast SQL database engine" + format_string = true + version_regex = "\\d\\.\\d+\\.\\d+\\.?\\d?" + strings: + $a = "SQLite version %s" ascii + $b = /SQLite version \d\.\d+\.\d+(\.\d)?/ ascii + $c = /libsqlite3\-\d\.\d+\.\d+(\.\d)?\.so/ ascii + condition: + ($a or $b or $c) and no_text_file +} + +rule postgres { + meta: + software_name = "PostgreSQL" + open_source = true + website = "https://www.postgresql.org/" + description = "a powerful object-relational database system" + strings: + $a = /\(PostgreSQL\) \d{1,2}\.\d{1,2}\.?\d{0,2}[a-z]{0,5}/ + $b = /PostgreSQL \d{1,2}\.\d{1,2}\.?\d{0,2}[a-z]{0,5} on [^ ,]+/ + condition: + ($a or $b) and no_text_file } diff --git a/src/plugins/analysis/software_components/signatures/http_server.yara b/src/plugins/analysis/software_components/signatures/http_server.yara index b45eb0b0b..3b0ba9057 100644 --- a/src/plugins/analysis/software_components/signatures/http_server.yara +++ b/src/plugins/analysis/software_components/signatures/http_server.yara 
@@ -1,65 +1,65 @@ rule lighttpd { - meta: - software_name = "lighttpd" - open_source = true - website = "https://www.lighttpd.net/" - description = "Lighttpd is a web-server optimized for low memory and cpu usage." - strings: - $a = /lighttpd[-\/]\d+\.\d+\.\d+/ ascii - condition: - $a and no_text_file + meta: + software_name = "lighttpd" + open_source = true + website = "https://www.lighttpd.net/" + description = "Lighttpd is a web-server optimized for low memory and cpu usage." + strings: + $a = /lighttpd[-\/]\d+\.\d+\.\d+/ ascii + condition: + $a and no_text_file } rule GoAhead { - meta: - software_name = "GoAhead" - open_source = true - website = "http://embedthis.com/goahead/" - description = "Web-Server" - strings: - $a = /GoAhead-Webs/ nocase ascii wide - condition: - $a and no_text_file + meta: + software_name = "GoAhead" + open_source = true + website = "http://embedthis.com/goahead/" + description = "Web-Server" + strings: + $a = /GoAhead-Webs/ nocase ascii wide + condition: + $a and no_text_file } rule mini_httpd { - meta: - software_name = "mini_httpd" - open_source = true - website = "https://acme.com" - description = "small HTTP server" - strings: - $a = /mini_httpd\/\d\.\d+ \d{2}[a-z]{3}\d{4}/ ascii wide - condition: - $a and no_text_file + meta: + software_name = "mini_httpd" + open_source = true + website = "https://acme.com" + description = "small HTTP server" + strings: + $a = /mini_httpd\/\d\.\d+ \d{2}[a-z]{3}\d{4}/ ascii wide + condition: + $a and no_text_file } rule nginx { - meta: - software_name = "nginx" - open_source = true - website = "https://www.nginx.com/" - description = "Web-Server" - strings: - $a = /nginx version: nginx\/\d+\.\d+\.\d+/ nocase ascii wide - condition: - $a and no_text_file + meta: + software_name = "nginx" + open_source = true + website = "https://www.nginx.com/" + description = "Web-Server" + strings: + $a = /nginx version: nginx\/\d+\.\d+\.\d+/ nocase ascii wide + condition: + $a and no_text_file } rule 
eCosWebServer { - meta: - software_name = "eCos Embedded Web Server" - open_source = true - website = "https://www.ecoscentric.com" - description = "Web-Server" - format_string = true - strings: - $a = "eCos Embedded Web Server" nocase ascii wide - $b = "Server: %s" nocase ascii wide - condition: - $a and $b and no_text_file + meta: + software_name = "eCos Embedded Web Server" + open_source = true + website = "https://www.ecoscentric.com" + description = "Web-Server" + format_string = true + strings: + $a = "eCos Embedded Web Server" nocase ascii wide + $b = "Server: %s" nocase ascii wide + condition: + $a and $b and no_text_file } diff --git a/src/plugins/analysis/software_components/signatures/kernel_modules.yara b/src/plugins/analysis/software_components/signatures/kernel_modules.yara index d917cdbf4..f21cd68bb 100644 --- a/src/plugins/analysis/software_components/signatures/kernel_modules.yara +++ b/src/plugins/analysis/software_components/signatures/kernel_modules.yara @@ -1,10 +1,10 @@ rule NetUSB { - meta: - software_name = "KCodes NetUSB" - open_source = false - website = "https://www.kcodes.com" - description = "Kernel module for USB over IP" + meta: + software_name = "KCodes NetUSB" + open_source = false + website = "https://www.kcodes.com" + description = "Kernel module for USB over IP" strings: $a = "KC NetUSB General Driver" $b = "NetUSB module for Linux" diff --git a/src/plugins/analysis/software_components/signatures/lib.yara b/src/plugins/analysis/software_components/signatures/lib.yara index 0b64440df..28264d0dc 100644 --- a/src/plugins/analysis/software_components/signatures/lib.yara +++ b/src/plugins/analysis/software_components/signatures/lib.yara 
@@ -1,10 +1,22 @@ +rule libarchive { + meta: + software_name = "libarchive" + open_source = true + website = "https://www.libarchive.org/" + description = "Multi-format archive and compression library" + strings: + $a = /libarchive[\/ ]\d\.\d+\.\d+/ + condition: + $a and no_text_file +} + rule libFLAC { - meta: - software_name = "libFLAC" - open_source = true - website = "https://xiph.org/flac/" - description = "Free Lossless Audio Codec multimedia library." + meta: + software_name = "libFLAC" + open_source = true + website = "https://xiph.org/flac/" + description = "Free Lossless Audio Codec multimedia library." strings: $a = /libFLAC \d+\.\d+\.\d+/ nocase ascii wide condition: @@ -12,12 +24,12 @@ rule libFLAC } rule liblzma { - meta: - software_name = "xz" - open_source = true - website = "https://tukaani.org/xz/" - description = "XZ-format compression library" - _version_function = "lzma_version_string" + meta: + software_name = "xz" + open_source = true + website = "https://tukaani.org/xz/" + description = "XZ-format compression library" + _version_function = "lzma_version_string" strings: $a = "lzma_version_number" $b = "lzma_version_string" @@ -27,11 +39,11 @@ rule liblzma { rule libogg { - meta: - software_name = "libogg" - open_source = true - website = "https://xiph.org/ogg/" - description = "ogg multimedia file parsing library." + meta: + software_name = "libogg" + open_source = true + website = "https://xiph.org/ogg/" + description = "ogg multimedia file parsing library." strings: $a = /libogg-\d+\.\d+\.\d+/ nocase ascii wide condition: 
@@ -40,24 +52,36 @@ rule libogg rule libVorbis { - meta: - software_name = "libVorbis" - open_source = true - website = "https://xiph.org/vorbis/" - description = "ogg vorbis compressed audio format library." + meta: + software_name = "libVorbis" + open_source = true + website = "https://xiph.org/vorbis/" + description = "ogg vorbis compressed audio format library." strings: $a = /libVorbis \d+\.\d+\.\d+/ nocase ascii wide condition: $a and no_text_file } +rule libsoup { + meta: + software_name = "libsoup" + open_source = true + website = "https://libsoup.gnome.org/libsoup-3.0/index.html" + description = "HTTP client/server library" + strings: + $a = /libsoup\/\d\.\d+\.\d+/ + condition: + $a and no_text_file +} + rule PH7 { - meta: - software_name = "PH7" - open_source = true - website = "http://ph7.symisc.net/" - description = "Byte code compiler and virtual machine for PHP" + meta: + software_name = "PH7" + open_source = true + website = "http://ph7.symisc.net/" + description = "Byte code compiler and virtual machine for PHP" strings: $a = /PH7\/\d+\.\d+\.\d+/ nocase ascii wide condition: 
@@ -66,26 +90,26 @@ rule PH7 rule FileX { - meta: - software_name = "FileX" - open_source = false - website = "https://rtos.com/solutions/threadx/real-time-operating-system/" - description = "FAT filesystem implementation for ThreadX RTOS" - strings: - $a = /FileX [a-z\/ 1-9_]+ [a-z]?\d+\.\d+(\.\d+)?(\.\d+)?/ nocase ascii wide - condition: - $a and no_text_file + meta: + software_name = "FileX" + open_source = false + website = "https://rtos.com/solutions/threadx/real-time-operating-system/" + description = "FAT filesystem implementation for ThreadX RTOS" + strings: + $a = /FileX [a-z\/ 1-9_]+ [a-z]?\d+\.\d+(\.\d+)?(\.\d+)?/ nocase ascii wide + condition: + $a and no_text_file } rule liblua { - meta: - software_name = "Lua" - open_source = true - website = "https://www.lua.org/" - description = "Shared library for the Lua interpreter" - strings: - $a = /Lua: Lua \d\.\d+(\.\d+)? Copyright \(C\) 1994-\d+/ nocase ascii wide - condition: - $a and no_text_file + meta: + software_name = "Lua" + open_source = true + website = "https://www.lua.org/" + description = "Shared library for the Lua interpreter" + strings: + $a = /Lua: Lua \d\.\d+(\.\d+)? Copyright \(C\) 1994-\d+/ nocase ascii wide + condition: + $a and no_text_file } diff --git a/src/plugins/analysis/software_components/signatures/network.yara b/src/plugins/analysis/software_components/signatures/network.yara index 3f1d9c7c0..d7f0d6817 100644 --- a/src/plugins/analysis/software_components/signatures/network.yara +++ b/src/plugins/analysis/software_components/signatures/network.yara 
@@ -1,10 +1,23 @@ +rule aMule { + meta: + software_name = "aMule" + open_source = true + website = "https://www.amule.org/" + description = "all-platform eMule-like P2P client" + format_string = true + strings: + $a = "aMule Version: %s" + condition: + $a and no_text_file +} + rule avahi { - meta: - software_name = "Avahi" - open_source = true - website = "http://www.avahi.org/" - description = "Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite." + meta: + software_name = "Avahi" + open_source = true + website = "http://www.avahi.org/" + description = "Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite." strings: $a = /avahi-\d+\.\d+\.\d+/ nocase ascii wide condition: @@ -13,11 +26,11 @@ rule avahi rule Bftpd { - meta: - software_name = "Bftpd" - open_source = true - website = "http://bftpd.sourceforge.net/" - description = "FTP Server" + meta: + software_name = "Bftpd" + open_source = true + website = "http://bftpd.sourceforge.net/" + description = "FTP Server" strings: $a = /bftpd-V\d+\.\d+/ nocase ascii wide condition: @@ -26,11 +39,11 @@ rule Bftpd rule cadaver { - meta: - software_name = "cadaver" - open_source = true - website = "http://www.webdav.org/cadaver/" - description = "WebDAV client" + meta: + software_name = "cadaver" + open_source = true + website = "http://www.webdav.org/cadaver/" + description = "WebDAV client" strings: $a = /cadaver \d+\.\d+\.\d+/ nocase ascii wide condition: @@ -39,11 +52,11 @@ rule cadaver rule CUPS { - meta: - software_name = "CUPS" - open_source = true - website = "http://www.cups.org/" - description = "Print server" + meta: + software_name = "CUPS" + open_source = true + website = "http://www.cups.org/" + description = "Print server" strings: $a = /CUPS v\d+\.\d+\.\d+/ nocase ascii wide $b = /cups-\d+\.\d+\.\d+/ nocase ascii wide 
@@ -53,11 +66,11 @@ rule CUPS rule curl { - meta: - software_name = "curl" - open_source = true - website = "https://curl.haxx.se/" - description = "command line network client" + meta: + software_name = "curl" + open_source = true + website = "https://curl.haxx.se/" + description = "command line network client" strings: $a = /curl\/\d+\.\d+\.\d+/ nocase ascii wide condition: 
@@ -66,54 +79,54 @@ rule curl rule dhcp6c { - meta: - software_name = "dhcp6c" - open_source = true - website = "https://fedorahosted.org/dhcpv6/" - description = "DHCP Client Daemon for IPv6" + meta: + software_name = "dhcp6c" + open_source = true + website = "https://fedorahosted.org/dhcpv6/" + description = "DHCP Client Daemon for IPv6" strings: $a = /dhcp6c-V\d+\.\d+/ nocase ascii wide condition: - $a and no_text_file + $a and no_text_file } rule dhcp6s { - meta: - software_name = "dhcp6s" - open_source = true - website = "https://fedorahosted.org/dhcpv6/" - description = "DHCP Server Daemon for IPv6" + meta: + software_name = "dhcp6s" + open_source = true + website = "https://fedorahosted.org/dhcpv6/" + description = "DHCP Server Daemon for IPv6" strings: $a = /dhcp6s-V\d+\.\d+/ nocase ascii wide condition: - $a and no_text_file + $a and no_text_file } rule dnsmasq { - meta: - software_name = "Dnsmasq" - open_source = true - website = "http://www.thekelleys.org.uk/dnsmasq/doc.html" - description = "DNS and DHCP Server" - format_string = true - strings: - $a = /dnsmasq-\d+\.\d+/ nocase ascii wide - $b = "dnsmasq-%s" - $c = "dnsmasq version %s" - condition: - ($a or $b or $c) and no_text_file + meta: + software_name = "Dnsmasq" + open_source = true + website = "http://www.thekelleys.org.uk/dnsmasq/doc.html" + description = "DNS and DHCP Server" + format_string = true + strings: + $a = /dnsmasq-\d+\.\d+/ nocase ascii wide + $b = "dnsmasq-%s" + $c = "dnsmasq version %s" + condition: + ($a or $b or $c) and no_text_file } rule Dropbear { - meta: - software_name = "Dropbear SSH" - open_source = true - website = "https://matt.ucc.asn.au/dropbear/dropbear.html" - description = "SSH Server and Client" - format_string = true + meta: + software_name = "Dropbear SSH" + open_source = true + website = "https://matt.ucc.asn.au/dropbear/dropbear.html" + description = "SSH Server and Client" + format_string = true strings: $a = /dropbear_\d+\.\d+/ nocase ascii $b = "Dropbear 
SSH client v%s" ascii @@ -126,11 +139,11 @@ rule Dropbear { rule FRRouting { - meta: - software_name = "FRRouting" - open_source = true - website = "https://frrouting.org/" - description = "A free and open source Internet routing protocol suite" + meta: + software_name = "FRRouting" + open_source = true + website = "https://frrouting.org/" + description = "A free and open source Internet routing protocol suite" strings: $a = /FRRouting \d+\.\d+\.\d+/ nocase ascii wide condition: @@ -139,11 +152,11 @@ rule FRRouting rule hostapd { - meta: - software_name = "hostapd" - open_source = true - website = "https://w1.fi/hostapd/" - description = "hostapd is a user space daemon for access point and authentication servers." + meta: + software_name = "hostapd" + open_source = true + website = "https://w1.fi/hostapd/" + description = "hostapd is a user space daemon for access point and authentication servers." strings: $a = /hostapd v\d+\.\d+(\.\d+)?/ nocase ascii wide condition: @@ -152,11 +165,11 @@ rule hostapd rule iptables { - meta: - software_name = "iptables" - open_source = true - website = "http://www.netfilter.org/projects/iptables/index.html" - description = "iptables is the userspace command line program used to configure the Linux 2.4.x and later packet filtering ruleset." + meta: + software_name = "iptables" + open_source = true + website = "http://www.netfilter.org/projects/iptables/index.html" + description = "iptables is the userspace command line program used to configure the Linux 2.4.x and later packet filtering ruleset." strings: $a = /iptables-\d+\.\d+\.\d+(\.\d+)?/ nocase ascii wide condition: 
@@ -165,11 +178,11 @@ rule iptables rule l2tpd { - meta: - software_name = "l2tpd" - open_source = true - website = "http://l2tpd.sourceforge.net/" - description = "the original Layer 2 Tunnelling Protocol Daemon" + meta: + software_name = "l2tpd" + open_source = true + website = "http://l2tpd.sourceforge.net/" + description = "the original Layer 2 Tunnelling Protocol Daemon" strings: $a = /l2tpd version 0.\d+/ ascii condition: 
@@ -178,63 +191,63 @@ rule l2tpd rule libpcap { - meta: - software_name = "libpcap" - open_source = true - website = "http://www.tcpdump.org/" - description = "Library for network traffic capturing" - strings: - $a = /libpcap version \d+\.\d+.\d+/ nocase ascii wide - condition: - $a and no_text_file + meta: + software_name = "libpcap" + open_source = true + website = "http://www.tcpdump.org/" + description = "Library for network traffic capturing" + strings: + $a = /libpcap version \d+\.\d+.\d+/ nocase ascii wide + condition: + $a and no_text_file } rule libupnp { - meta: - software_name = "libupnp" - open_source = true - website = "http://pupnp.sourceforge.net" - description = "Portable upnp library" - strings: - $a = /libupnp-\d+\.\d+.\d+/ nocase ascii wide - condition: - $a and no_text_file + meta: + software_name = "libupnp" + open_source = true + website = "http://pupnp.sourceforge.net" + description = "Portable upnp library" + strings: + $a = /libupnp-\d+\.\d+.\d+/ nocase ascii wide + condition: + $a and no_text_file } rule MiniUPnP { - meta: - software_name = "MiniUPnP" - open_source = true - website = "http://miniupnp.free.fr/" - description = "UPnP Software" - strings: - $a = /MiniUPNP \d+\.\d+/ nocase ascii wide - condition: - $a and no_text_file + meta: + software_name = "MiniUPnP" + open_source = true + website = "http://miniupnp.free.fr/" + description = "UPnP Software" + strings: + $a = /MiniUPNP \d+\.\d+/ nocase ascii wide + condition: + $a and no_text_file } rule netatalk { - meta: - software_name = "Netatalk" - open_source = true - website = "http://netatalk.sourceforge.net/" - description = "AFP fileserver" - strings: - $a = /netatalk-\d+.\d+.\d+/ nocase ascii wide - condition: - $a and no_text_file + meta: + software_name = "Netatalk" + open_source = true + website = "http://netatalk.sourceforge.net/" + description = "AFP fileserver" + strings: + $a = /netatalk-\d+.\d+.\d+/ nocase ascii wide + condition: + $a and no_text_file } rule NicheStack { 
- meta: - software_name = "NicheStack" - open_source = false - website = "http://www.iniche.com/source-code/networking-stack/nichestack.php" - description = "embedded TCP/IP stack from InterNiche" + meta: + software_name = "NicheStack" + open_source = false + website = "http://www.iniche.com/source-code/networking-stack/nichestack.php" + description = "embedded TCP/IP stack from InterNiche" strings: $a = /InterNiche Portable TCP\/IP[a-zA-Z ]{,30}, v\d(\.\d)?/ condition: @@ -243,11 +256,11 @@ rule NicheStack rule netcat_traditional { - meta: - software_name = "netcat-traditional" - open_source = true - website = "https://nc110.sourceforge.io/" - description = "TCP/IP swiss army knife" + meta: + software_name = "netcat-traditional" + open_source = true + website = "https://nc110.sourceforge.io/" + description = "TCP/IP swiss army knife" strings: $a = "nc -h for help" $b = /\[v1.\d+-?\d*\.?\d*]/ @@ -257,11 +270,11 @@ rule netcat_traditional rule NTP { - meta: - software_name = "NTP" - open_source = true - website = "http://www.ntp.org/" - description = "NTP is a protocol designed to synchronize the clocks of computers over a network" + meta: + software_name = "NTP" + open_source = true + website = "http://www.ntp.org/" + description = "NTP is a protocol designed to synchronize the clocks of computers over a network" strings: $a = /NTP daemon program - Ver. \d+\.\d+\.\d+p?\d*/ $b = /ntpd \d+.\d+.\d+p?\d*/ @@ -271,11 +284,11 @@ rule NTP rule OpenSSH { - meta: - software_name = "OpenSSH" - open_source = true - website = "http://www.openssh.com" - description = "SSH library" + meta: + software_name = "OpenSSH" + open_source = true + website = "http://www.openssh.com" + description = "SSH library" strings: $a = /OpenSSH(_\d+\.\d+(\.\d)?(p\d)?[ \x00])?/ nocase ascii wide condition: 
@@ -284,25 +297,25 @@ rule OpenSSH rule OpenVPN { - meta: - software_name = "OpenVPN" - open_source = true - website = "https://pupnp.sourceforge.io" - description = "open source virtual private network (VPN) system" - strings: - $a = /OpenVPN \d\.\d+(\.\d+) .{0,100}built on/ - condition: - $a + meta: + software_name = "OpenVPN" + open_source = true + website = "https://pupnp.sourceforge.io" + description = "open source virtual private network (VPN) system" + strings: + $a = /OpenVPN \d\.\d+(\.\d+) .{0,100}built on/ + condition: + $a } rule pppd_format_string { meta: software_name = "Point-to-Point Protocol daemon" - open_source = true - website = "https://ppp.samba.org/" - description = "ppp (Paul's PPP Package) is an open source package which implements the Point-to-Point Protocol (PPP) on Linux and Solaris systems." - format_string = true + open_source = true + website = "https://ppp.samba.org/" + description = "ppp (Paul's PPP Package) is an open source package which implements the Point-to-Point Protocol (PPP) on Linux and Solaris systems." + format_string = true strings: $a = "pppd %s started by %s, uid %d" $b = "pppd version %s" @@ -314,11 +327,11 @@ rule pppd_format_string rule pptpClient { - meta: - software_name = "pptp-client" - open_source = true - website = "http://pptpclient.sourceforge.net/" - description = "PPTP Client is a Linux, FreeBSD, NetBSD and OpenBSD client for the proprietary Microsoft Point-to-Point Tunneling Protocol, PPTP." + meta: + software_name = "pptp-client" + open_source = true + website = "http://pptpclient.sourceforge.net/" + description = "PPTP Client is a Linux, FreeBSD, NetBSD and OpenBSD client for the proprietary Microsoft Point-to-Point Tunneling Protocol, PPTP." strings: $a = /pptp version \d+\.\d+\.\d/ nocase ascii wide condition: 
@@ -327,11 +340,11 @@ rule pptpClient rule ProFTPD { - meta: - software_name = "ProFTPD" - open_source = true - website = "http://www.proftpd.org/" - description = "Highly configurable FTP Server" + meta: + software_name = "ProFTPD" + open_source = true + website = "http://www.proftpd.org/" + description = "Highly configurable FTP Server" strings: $a = /ProFTPD \d+\.\d+\.\d+/ nocase ascii wide condition: @@ -340,11 +353,11 @@ rule ProFTPD rule Pure_FTPd { - meta: - software_name = "Pure-FTPd" - open_source = true - website = "https://www.pureftpd.org/" - description = "free (BSD), secure, production-quality and standard-conformant FTP server" + meta: + software_name = "Pure-FTPd" + open_source = true + website = "https://www.pureftpd.org/" + description = "free (BSD), secure, production-quality and standard-conformant FTP server" strings: $a = /pure-ftpd v\d\.\d+\.\d+(\-\d)?/ ascii condition: @@ -353,11 +366,11 @@ rule Pure_FTPd rule Quagga { - meta: - software_name = "Quagga" - open_source = true - website = "https://www.quagga.net/" - description = "network routing software suite (fork of Zebra)" + meta: + software_name = "Quagga" + open_source = true + website = "https://www.quagga.net/" + description = "network routing software suite (fork of Zebra)" strings: $a = /Hello, this is Quagga \(version .+\)./ nocase ascii wide condition: 
@@ -366,55 +379,55 @@ rule Quagga rule radvd { - meta: - software_name = "radvd" - open_source = true - website = "http://www.litech.org/radvd/" - description = "IPv6 Router Advertisement Daemon" - strings: - $a = /radvd-\d+\.\d+/ nocase ascii wide - condition: - $a and no_text_file + meta: + software_name = "radvd" + open_source = true + website = "http://www.litech.org/radvd/" + description = "IPv6 Router Advertisement Daemon" + strings: + $a = /radvd-\d+\.\d+/ nocase ascii wide + condition: + $a and no_text_file } rule radvd_format_string { - meta: - software_name = "radvd" - open_source = true - website = "http://www.litech.org/radvd/" - description = "IPv6 Router Advertisement Daemon" - format_string = true - strings: - $a = "radvd already running, terminating." + meta: + software_name = "radvd" + open_source = true + website = "http://www.litech.org/radvd/" + description = "IPv6 Router Advertisement Daemon" + format_string = true + strings: + $a = "radvd already running, terminating." 
$b = "version %s started" $c = "Version: %s" - condition: + condition: $a and ($b or $c) and no_text_file } rule readymedia { - meta: - software_name = "ReadyMedia (minidlna)" - open_source = true - website = "http://sourceforge.net/projects/minidlna/" - description = "ReadyMedia is a simple media server software" - strings: - $a = /ReadyDLNA \d+\.\d+\.\d+/ nocase ascii wide - condition: - $a and no_text_file + meta: + software_name = "ReadyMedia (minidlna)" + open_source = true + website = "http://sourceforge.net/projects/minidlna/" + description = "ReadyMedia is a simple media server software" + strings: + $a = /ReadyDLNA \d+\.\d+\.\d+/ nocase ascii wide + condition: + $a and no_text_file } rule RP_L2TP { - meta: - software_name = "RP-L2TP" - open_source = true - website = "https://sourceforge.net/projects/rp-l2tp/" - description = "user-space implementation of L2TP for Linux and other UNIX systems" - format_string = true - version_regex = "0\\.\\d" + meta: + software_name = "RP-L2TP" + open_source = true + website = "https://sourceforge.net/projects/rp-l2tp/" + description = "user-space implementation of L2TP for Linux and other UNIX systems" + format_string = true + version_regex = "0\\.\\d" strings: $a = /l2tpd Version %s Copyright \d+ Roaring Penguin/ ascii condition: 
@@ -423,76 +436,76 @@ rule RP_L2TP
 
 rule samba
 {
- meta:
- software_name = "Samba"
- open_source = true
- website = "https://www.samba.org/"
- description = "Samba is the standard Windows interoperability suite of programs for Linux and Unix."
- strings:
- $a = /samba-\d+.\d+.\d+/ nocase ascii wide
- condition:
- $a and no_text_file
+ meta:
+ software_name = "Samba"
+ open_source = true
+ website = "https://www.samba.org/"
+ description = "Samba is the standard Windows interoperability suite of programs for Linux and Unix."
+ strings:
+ $a = /samba-\d+.\d+.\d+/ nocase ascii wide
+ condition:
+ $a and no_text_file
 }
 
 rule squid
 {
- meta:
- software_name = "Squid"
- open_source = true
- website = "http://www.squid-cache.org/"
- description = "Squid is a full-featured HTTP proxy cache"
- strings:
- $a = /squid\/\d+.\d+.\d+/ nocase ascii wide
- condition:
- $a and no_text_file
+ meta:
+ software_name = "Squid"
+ open_source = true
+ website = "http://www.squid-cache.org/"
+ description = "Squid is a full-featured HTTP proxy cache"
+ strings:
+ $a = /squid\/\d+.\d+.\d+/ nocase ascii wide
+ condition:
+ $a and no_text_file
 }
 
 rule strongSwan
 {
- meta:
- software_name = "strongSwan"
- open_source = true
- website = "https://www.strongswan.org/"
- description = "OpenSource IPsec-based VPN Solution"
- strings:
- $a = /strongSwan \d+.\d+.\d+/ nocase ascii wide
- condition:
- $a and no_text_file
+ meta:
+ software_name = "strongSwan"
+ open_source = true
+ website = "https://www.strongswan.org/"
+ description = "OpenSource IPsec-based VPN Solution"
+ strings:
+ $a = /strongSwan \d+.\d+.\d+/ nocase ascii wide
+ condition:
+ $a and no_text_file
 }
 
 rule telnetd
 {
- meta:
- software_name = "telnetd"
- open_source = true
- website = "https://www.gnu.org/software/inetutils/"
- description = "DARPA TELNET protocol server (part of GNU network utilities)"
- strings:
- $a = /telnetd-V\d+\.\d+/ nocase ascii wide
- condition:
- $a and no_text_file
+ meta:
+ software_name = "telnetd"
+ open_source = true
+ website = "https://www.gnu.org/software/inetutils/"
+ description = "DARPA TELNET protocol server (part of GNU network utilities)"
+ strings:
+ $a = /telnetd-V\d+\.\d+/ nocase ascii wide
+ condition:
+ $a and no_text_file
 }
 
 rule tinyproxy
 {
- meta:
- software_name = "tinyproxy"
- open_source = true
- website = "http://tinyproxy.github.io/"
- description = "lightweight http(s) proxy daemon"
- strings:
- $a = /(Proxy-agent|Server): tinyproxy\/\d\.\d+\.\d+(pre\d|rc\d|-rc\d)?/ ascii
- condition:
- $a and no_text_file
+ meta:
+ software_name = "tinyproxy"
+ open_source = true
+ website = "http://tinyproxy.github.io/"
+ description = "lightweight http(s) proxy daemon"
+ strings:
+ $a = /(Proxy-agent|Server): tinyproxy\/\d\.\d+\.\d+(pre\d|rc\d|-rc\d)?/ ascii
+ condition:
+ $a and no_text_file
 }
 
 rule udhcp
 {
- meta:
- software_name = "udhcp"
- open_source = true
- website = "https://busybox.net/"
- description = "udhcp is a lightweight dhcp server/client. It is part of Busybox by now."
+ meta:
+ software_name = "udhcp"
+ open_source = true
+ website = "https://busybox.net/"
+ description = "udhcp is a lightweight dhcp server/client. It is part of Busybox by now."
 strings:
 $a = /udhcp \d+\.\d+\.\d+/ nocase ascii wide
 condition:
@@ -501,25 +514,25 @@ rule udhcp
 
 rule upnp_portable_sdk
 {
- meta:
- software_name = "portable SDK for UPnP"
- open_source = true
- website = "https://pupnp.sourceforge.io"
- description = "Portable UPnP library"
- version_regex = "\\d\\.\\d\\.\\d+"
- strings:
- $a = /UPnP\/1.0, Portable SDK for UPnP devices\/\d\.\d\.\d+/
- condition:
- $a and no_text_file
+ meta:
+ software_name = "portable SDK for UPnP"
+ open_source = true
+ website = "https://pupnp.sourceforge.io"
+ description = "Portable UPnP library"
+ version_regex = "\\d\\.\\d\\.\\d+"
+ strings:
+ $a = /UPnP\/1.0, Portable SDK for UPnP devices\/\d\.\d\.\d+/
+ condition:
+ $a and no_text_file
 }
 
 rule vsftpd
 {
- meta:
- software_name = "vsftpd"
- open_source = true
- website = "https://security.appspot.com/vsftpd.html"
- description = "very secure FTP server for UNIX systems"
+ meta:
+ software_name = "vsftpd"
+ open_source = true
+ website = "https://security.appspot.com/vsftpd.html"
+ description = "very secure FTP server for UNIX systems"
 strings:
 $a = /vsftpd: version \d\.\d+(\.\d+)?/ nocase ascii
 condition:
@@ -528,11 +541,11 @@ rule vsftpd
 
 rule wpa_supplicant
 {
- meta:
- software_name = "wpa_supplicant"
- open_source = true
- website = "https://w1.fi/wpa_supplicant/"
- description = "wpa_supplicant is a WPA Supplicant for Linux and other OSes with support for WPA and WPA2."
+ meta:
+ software_name = "wpa_supplicant"
+ open_source = true
+ website = "https://w1.fi/wpa_supplicant/"
+ description = "wpa_supplicant is a WPA Supplicant for Linux and other OSes with support for WPA and WPA2."
 strings:
 $a = /wpa_supplicant v\d+\.\d+(\.\d+)?/ nocase ascii wide
 condition:
@@ -541,11 +554,11 @@ rule wpa_supplicant
 
 rule xl2tpd
 {
- meta:
- software_name = "xl2tpd"
- open_source = false
- website = "https://www.xelerance.com/services/software/xl2tpd/"
- description = "Layer 2 Tunneling Protocol (L2TP) daemon"
+ meta:
+ software_name = "xl2tpd"
+ open_source = false
+ website = "https://www.xelerance.com/services/software/xl2tpd/"
+ description = "Layer 2 Tunneling Protocol (L2TP) daemon"
 strings:
 $a = /xl2tpd-\d+\.\d+\.\d+/ nocase ascii wide
 condition:
@@ -554,11 +567,11 @@ rule xl2tpd
 
 rule zebra
 {
- meta:
- software_name = "GNU Zebra"
- open_source = true
- website = "https://www.gnu.org/software/zebra/"
- description = "multi-server routing software which provides TCP/IP based routing protocols"
+ meta:
+ software_name = "GNU Zebra"
+ open_source = true
+ website = "https://www.gnu.org/software/zebra/"
+ description = "multi-server routing software which provides TCP/IP based routing protocols"
 strings:
 $a = /Hello, this is zebra \(version 0.\d+.{0,10}\)./ nocase ascii wide
 condition:
diff --git a/src/plugins/analysis/software_components/signatures/os.yara b/src/plugins/analysis/software_components/signatures/os.yara
index 7873767d4..cfd5b0d2e 100644
--- a/src/plugins/analysis/software_components/signatures/os.yara
+++ b/src/plugins/analysis/software_components/signatures/os.yara
@@ -1,10 +1,10 @@
 rule VxWorks
 {
- meta:
- software_name = "VxWorks"
- open_source = false
- website = "http://www.windriver.com/products/vxworks/"
- description = "Real Time Operating System by WindRiver"
+ meta:
+ software_name = "VxWorks"
+ open_source = false
+ website = "http://www.windriver.com/products/vxworks/"
+ description = "Real Time Operating System by WindRiver"
 strings:
 $b = /VxWorks[ -]?\d+\.\d+(\.\d+)?/ nocase ascii wide
 condition:
@@ -13,11 +13,11 @@ rule VxWorks
 
 rule WindRiverLinux
 {
- meta:
- software_name = "Wind River Linux"
- open_source = false
- website = "http://windriver.com/products/linux/"
- description = "Operating system for embedded devices based on Linux"
+ meta:
+ software_name = "Wind River Linux"
+ open_source = false
+ website = "http://windriver.com/products/linux/"
+ description = "Operating system for embedded devices based on Linux"
 strings:
 $b = /wrlinux-\d+\.\d+/ nocase ascii wide
 condition:
@@ -26,11 +26,11 @@ rule WindRiverLinux
 
 rule LynxOS
 {
- meta:
- software_name = "LynxOS"
- open_source = false
- website = "http://www.lynx.com/products/real-time-operating-systems/lynxos-rtos/"
- description = "Operating system for embedded devices"
+ meta:
+ software_name = "LynxOS"
+ open_source = false
+ website = "http://www.lynx.com/products/real-time-operating-systems/lynxos-rtos/"
+ description = "Operating system for embedded devices"
 strings:
 $b = /LynxOS \d+\.\d+/ nocase ascii wide
 condition:
@@ -39,11 +39,11 @@ rule LynxOS
 
 rule OpenWrt
 {
- meta:
- software_name = "OpenWrt"
- open_source = true
- website = "https://openwrt.org/"
- description = "Linux based operating system for home routers"
+ meta:
+ software_name = "OpenWrt"
+ open_source = true
+ website = "https://openwrt.org/"
+ description = "Linux based operating system for home routers"
 strings:
 $b = /([a-zA-Z]+ )?OpenWrt Linux-\d+.\d+\.\d+/ nocase ascii wide
 condition:
@@ -52,29 +52,29 @@ rule OpenWrt
 
 rule FireOS
 {
- meta:
- software_name = "Fire OS"
- open_source = true
- website = "https://developer.amazon.com/android-fireos"
- description = "Linux (Android) based operating system used on Amazon devices"
- strings:
- $a = /ro.build.version.name=Fire OS \d+\.\d+(\.\d+)?(\.\d+)?/ nocase ascii wide
- condition:
- $a and no_text_file
+ meta:
+ software_name = "Fire OS"
+ open_source = true
+ website = "https://developer.amazon.com/android-fireos"
+ description = "Linux (Android) based operating system used on Amazon devices"
+ strings:
+ $a = /ro.build.version.name=Fire OS \d+\.\d+(\.\d+)?(\.\d+)?/ nocase ascii wide
+ condition:
+ $a and no_text_file
 }
 
 rule LinuxKernel
 {
- meta:
- software_name = "Linux Kernel"
- open_source = true
- website = "http://www.kernel.org"
- description = "The Linux Kernel"
+ meta:
+ software_name = "Linux Kernel"
+ open_source = true
+ website = "http://www.kernel.org"
+ description = "The Linux Kernel"
 strings:
- $safe_condition = /Linux version \d\.\d{1,2}\.\d{1,3}(-[\d\w.-]+)?/ nocase ascii wide
+ $safe_condition = /Linux version \d\.\d{1,2}\.\d{1,3}(-[\d\w.-]+)?/ nocase ascii wide
 
- condition:
- $safe_condition and no_text_file
+ condition:
+ $safe_condition and no_text_file
 
 /* tmporarly removed due to too many false positives */
 /*
@@ -88,37 +88,37 @@ rule LinuxKernel
 
 rule CiscoIOS
 {
- meta:
- software_name = "Cisco IOS"
- open_source = false
- website = "https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-technologies/index.html"
- description = "Cisco Internetwork Operating System"
- strings:
- $a = "CW_SYSDESCR$Cisco IOS Software"
- $b = /Cisco IOS Software,[A-Za-z0-9 .()-]+, Version [^,]+,/ ascii
- condition:
- ($a or $b) and no_text_file
+ meta:
+ software_name = "Cisco IOS"
+ open_source = false
+ website = "https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-technologies/index.html"
+ description = "Cisco Internetwork Operating System"
+ strings:
+ $a = "CW_SYSDESCR$Cisco IOS Software"
+ $b = /Cisco IOS Software,[A-Za-z0-9 .()-]+, Version [^,]+,/ ascii
+ condition:
+ ($a or $b) and no_text_file
 }
 
 rule ThreadX
 {
- meta:
- software_name = "ThreadX"
- open_source = false
- website = "https://rtos.com/solutions/threadx/real-time-operating-system/"
- description = "Real Time Operating System"
- strings:
- $a = /ThreadX [a-z\/ 1-9_]+ [a-z]?\d+\.\d+(\.\d+)?(\.\d+)?/ nocase ascii wide
- condition:
- $a and no_text_file
+ meta:
+ software_name = "ThreadX"
+ open_source = false
+ website = "https://rtos.com/solutions/threadx/real-time-operating-system/"
+ description = "Real Time Operating System"
+ strings:
+ $a = /ThreadX [a-z\/ 1-9_]+ [a-z]?\d+\.\d+(\.\d+)?(\.\d+)?/ nocase ascii wide
+ condition:
+ $a and no_text_file
 }
 
 rule MicroC_OS {
- meta:
- software_name = "MicroC/OS"
- open_source = false
- website = "https://www.micrium.com/rtos/"
- description = "Real Time Operating System by Micrium"
+ meta:
+ software_name = "MicroC/OS"
+ open_source = false
+ website = "https://www.micrium.com/rtos/"
+ description = "Real Time Operating System by Micrium"
 strings:
 $a = /Micrium ?OS/ nocase
@@ -130,27 +130,27 @@ rule MicroC_OS {
 
 rule Contiki
 {
- meta:
- software_name = "Contiki-OS"
- open_source = true
- website = "http://www.contiki-os.org/"
- description = "Real Time Operating System"
- strings:
- $a = /Contiki\/\d+\.\d+/ nocase ascii wide
- condition:
- $a and no_text_file
+ meta:
+ software_name = "Contiki-OS"
+ open_source = true
+ website = "http://www.contiki-os.org/"
+ description = "Real Time Operating System"
+ strings:
+ $a = /Contiki\/\d+\.\d+/ nocase ascii wide
+ condition:
+ $a and no_text_file
 }
 
 rule eCos
 {
- meta:
- software_name = "eCos"
- open_source = false
- website = "https://www.ecoscentric.com"
- description = "Real Time Operating System"
- format_string = true
- strings:
- $a = "eCos Release: %d.%d.%d" nocase ascii wide
- condition:
- $a and no_text_file
+ meta:
+ software_name = "eCos"
+ open_source = false
+ website = "https://www.ecoscentric.com"
+ description = "Real Time Operating System"
+ format_string = true
+ strings:
+ $a = "eCos Release: %d.%d.%d" nocase ascii wide
+ condition:
+ $a and no_text_file
 }
diff --git a/src/plugins/analysis/software_components/signatures/phone_modem.yara b/src/plugins/analysis/software_components/signatures/phone_modem.yara
index a94e8f6ae..ee5099166 100644
--- a/src/plugins/analysis/software_components/signatures/phone_modem.yara
+++ b/src/plugins/analysis/software_components/signatures/phone_modem.yara
@@ -1,12 +1,12 @@
 rule siproxd
 {
- meta:
- software_name = "Siproxd"
- open_source = true
- website = "http://siproxd.sourceforge.net/"
- description = "Masquerading SIP Proxy Server"
- strings:
- $a = /siproxd-\d+\.\d+\.\d+/ nocase ascii wide
- condition:
- $a and no_text_file
+ meta:
+ software_name = "Siproxd"
+ open_source = true
+ website = "http://siproxd.sourceforge.net/"
+ description = "Masquerading SIP Proxy Server"
+ strings:
+ $a = /siproxd-\d+\.\d+\.\d+/ nocase ascii wide
+ condition:
+ $a and no_text_file
 }
\ No newline at end of file
diff --git a/src/plugins/analysis/software_components/signatures/software.yara b/src/plugins/analysis/software_components/signatures/software.yara
index b149a1522..fa8dd7f76 100644
--- a/src/plugins/analysis/software_components/signatures/software.yara
+++ b/src/plugins/analysis/software_components/signatures/software.yara
@@ -2,11 +2,11 @@
 
 rule SHORT_NAME_OF_SOFTWARE
 {
- meta:
- software_name = "NAME OF SOFTWARE"
- open_source = true / false
- website = "URL OF SOFTWARE'S WEBSITE OR GIT"
- description = "SHORT DESCRIPTION OF SOFTWARE"
+ meta:
+ software_name = "NAME OF SOFTWARE"
+ open_source = true / false
+ website = "URL OF SOFTWARE'S WEBSITE OR GIT"
+ description = "SHORT DESCRIPTION OF SOFTWARE"
 strings:
 $a = /REGULAR_EXPRESSION/ nocase ascii wide
 condition:
@@ -17,92 +17,92 @@ rule SHORT_NAME_OF_SOFTWARE
 
 rule Bash
 {
- meta:
- software_name = "Bash"
- open_source = true
- website = "https://www.gnu.org/software/bash/"
- description = "Linux Shell"
- strings:
- $a = /Bash version \d+\.\d+(.\d+)?/ nocase ascii wide
- condition:
- $a and no_text_file
+ meta:
+ software_name = "Bash"
+ open_source = true
+ website = "https://www.gnu.org/software/bash/"
+ description = "Linux Shell"
+ strings:
+ $a = /Bash version \d+\.\d+(.\d+)?/ nocase ascii wide
+ condition:
+ $a and no_text_file
 }
 
 rule BusyBox
 {
- meta:
- software_name = "BusyBox"
- open_source = true
- website = "http://www.busybox.net/"
- description = "BusyBox combines tiny versions of many common UNIX utilities into a single small executable."
- strings:
- $a = /BusyBox v\d+\.\d+(.\d+)?/ nocase ascii wide
- condition:
- $a and no_text_file
+ meta:
+ software_name = "BusyBox"
+ open_source = true
+ website = "http://www.busybox.net/"
+ description = "BusyBox combines tiny versions of many common UNIX utilities into a single small executable."
+ strings:
+ $a = /BusyBox v\d+\.\d+(.\d+)?/ nocase ascii wide
+ condition:
+ $a and no_text_file
 }
 
 rule jQuery
 {
- meta:
- software_name = "jQuery"
- open_source = true
- website = "http://www.jquery.com"
- description = "java script library"
- strings:
- $a = /jQuery v\d+\.\d+/ nocase ascii wide
- condition:
- $a
+ meta:
+ software_name = "jQuery"
+ open_source = true
+ website = "http://www.jquery.com"
+ description = "java script library"
+ strings:
+ $a = /jQuery v\d+\.\d+/ nocase ascii wide
+ condition:
+ $a
 }
 
 rule Perl
 {
- meta:
- software_name = "Perl"
- open_source = true
- website = "https://www.perl.org/"
- description = "Perl scripting language interpreter"
- strings:
- $a = "This is perl"
- $b = /perl\d?\/\d\.\d+\.\d+/ ascii
- condition:
- $a and $b and no_text_file
+ meta:
+ software_name = "Perl"
+ open_source = true
+ website = "https://www.perl.org/"
+ description = "Perl scripting language interpreter"
+ strings:
+ $a = "This is perl"
+ $b = /perl\d?\/\d\.\d+\.\d+/ ascii
+ condition:
+ $a and $b and no_text_file
 }
 
 rule PHP
 {
- meta:
- software_name = "PHP"
- open_source = true
- website = "https://www.php.net/"
- description = "PHP scripting language interpreter"
- strings:
- $a = "PHP %s (%s) (built: %s %s)"
- $b = /X-Powered-By: PHP\/\d+\.\d+\.\d+/ ascii
- condition:
- ($a or $b) and no_text_file
+ meta:
+ software_name = "PHP"
+ open_source = true
+ website = "https://www.php.net/"
+ description = "PHP scripting language interpreter"
+ strings:
+ $a = "PHP %s (%s) (built: %s %s)"
+ $b = /X-Powered-By: PHP\/\d+\.\d+\.\d+/ ascii
+ condition:
+ ($a or $b) and no_text_file
 }
 
 rule Realtek_SDK
 {
- meta:
- software_name = "Realtek SDK"
- open_source = false
- website = "http://www.realtek.com.tw"
- description = "Realtek IoT Software Development Kit"
- strings:
- $a = "MiniIGD %s (%s)."
- condition:
- $a and no_text_file
+ meta:
+ software_name = "Realtek SDK"
+ open_source = false
+ website = "http://www.realtek.com.tw"
+ description = "Realtek IoT Software Development Kit"
+ strings:
+ $a = "MiniIGD %s (%s)."
+ condition:
+ $a and no_text_file
 }
 
 rule redis
 {
 meta:
 software_name = "redis"
- open_source = true
- website = "https://redis.io/"
- description = "Redis is an open source in-memory data structure store"
- format_string = true
+ open_source = true
+ website = "https://redis.io/"
+ description = "Redis is an open source in-memory data structure store"
+ format_string = true
 strings:
 $a = "redis_version:%s"
 $b = "Redis version=%s"
diff --git a/src/plugins/analysis/software_components/signatures/uefi.yara b/src/plugins/analysis/software_components/signatures/uefi.yara
index d113cdcea..277178cc5 100644
--- a/src/plugins/analysis/software_components/signatures/uefi.yara
+++ b/src/plugins/analysis/software_components/signatures/uefi.yara
@@ -1,10 +1,10 @@
 rule EFIshell
 {
- meta:
- software_name = "EFI Shell"
- open_source = true
- website = "https://www.tianocore.org/"
- description = "UEFI Shell"
+ meta:
+ software_name = "EFI Shell"
+ open_source = true
+ website = "https://www.tianocore.org/"
+ description = "UEFI Shell"
 strings:
 $a = /EFI Shell Version \d+\.\d+/ nocase ascii wide
 condition:
@@ -13,11 +13,11 @@ rule EFIshell
 
 rule BootAgent
 {
- meta:
- software_name = "Intel Boot Agent"
- open_source = true
- website = "http://www.intel.com"
- description = "Intel Boot Agent"
+ meta:
+ software_name = "Intel Boot Agent"
+ open_source = true
+ website = "http://www.intel.com"
+ description = "Intel Boot Agent"
 strings:
 $a = /Boot Agent CL v\d+\.\d+(\.\d+)?/ nocase ascii wide
 condition:
diff --git a/src/plugins/analysis/software_components/signatures/vendor_specific_hp.yara b/src/plugins/analysis/software_components/signatures/vendor_specific_hp.yara
index 4c397a6c8..fe8cf448b 100644
--- a/src/plugins/analysis/software_components/signatures/vendor_specific_hp.yara
+++ b/src/plugins/analysis/software_components/signatures/vendor_specific_hp.yara
@@ -1,10 +1,10 @@
 rule ChaiVM
 {
- meta:
- software_name = "HP ChaiVM"
- open_source = false
- website = "https://www.hp.com"
- description ="Embedded virutal machine for java applications."
+ meta:
+ software_name = "HP ChaiVM"
+ open_source = false
+ website = "https://www.hp.com"
+ description ="Embedded virutal machine for java applications."
 strings:
 $a = /ChaiVM \d+\.\d+(\.\d+)?/ nocase ascii wide
 condition:
@@ -13,11 +13,11 @@ rule ChaiVM
 
 rule HP_FTP_print_server
 {
- meta:
- software_name = "HP FTP Print Server"
- open_source = false
- website = "https://www.hp.com"
- description ="HP Print Server"
+ meta:
+ software_name = "HP FTP Print Server"
+ open_source = false
+ website = "https://www.hp.com"
+ description ="HP Print Server"
 strings:
 $a = /Hewlett-Packard FTP Print Server Version \d+\.\d+/ nocase ascii wide
 condition:
diff --git a/src/plugins/analysis/software_components/signatures/vendor_specific_netgear.yara b/src/plugins/analysis/software_components/signatures/vendor_specific_netgear.yara
index b77fa9404..1e6da1342 100644
--- a/src/plugins/analysis/software_components/signatures/vendor_specific_netgear.yara
+++ b/src/plugins/analysis/software_components/signatures/vendor_specific_netgear.yara
@@ -1,12 +1,12 @@
 rule smart_wizzard
 {
- meta:
- software_name = "Netgear Smart Wizzard"
- open_source = false
- website = "https://www.netgear.com/"
- description = "Setup assistent"
- strings:
- $a = /Netgear Smart Wizard \d+\.\d+/ nocase ascii wide
- condition:
- $a and no_text_file
+ meta:
+ software_name = "Netgear Smart Wizzard"
+ open_source = false
+ website = "https://www.netgear.com/"
+ description = "Setup assistent"
+ strings:
+ $a = /Netgear Smart Wizard \d+\.\d+/ nocase ascii wide
+ condition:
+ $a and no_text_file
 }
diff --git a/src/plugins/analysis/software_components/signatures/yara_test_rules.yara b/src/plugins/analysis/software_components/signatures/yara_test_rules.yara
index 29bb5aac4..4e55a16ca 100644
--- a/src/plugins/analysis/software_components/signatures/yara_test_rules.yara
+++ b/src/plugins/analysis/software_components/signatures/yara_test_rules.yara
@@ -1,10 +1,10 @@
 rule MyTestRule
 {
- meta:
- software_name = "Test Software"
- open_source = true
- website = "http://www.fkie.fraunhofer.de"
- description = "This is a test rule"
+ meta:
+ software_name = "Test Software"
+ open_source = true
+ website = "http://www.fkie.fraunhofer.de"
+ description = "This is a test rule"
 strings:
 $a = /MyTestRule [\d]+.[\d]+[.\d]*/
 condition: