rule Utilprintf: decodedPDF
{
    // Adobe Reader util.printf() overflow (CVE-2008-2992): flags any
    // reference to the vulnerable JavaScript API.
    // The decodedPDF tag presumably restricts the rule to decoded PDF
    // content — confirm against the scanner that loads these rules.
    meta:
        ref = "CVE-2008-2992"
        hide = true
    strings:
        // nocase + fullword: matches "Util.Printf(" but not "util.printfx";
        // a call assembled from string fragments will not be seen here.
        $printf_call = "util.printf" nocase fullword
    condition:
        $printf_call
}
rule SpellcustomDictionaryOpen: decodedPDF
{
    // Adobe Reader spell.customDictionaryOpen() (CVE-2009-1493): flags any
    // reference to the vulnerable JavaScript API in decoded PDF content.
    meta:
        ref = "CVE-2009-1493"
        hide = true
    strings:
        // Word-bounded and case-insensitive; obfuscated (concatenated or
        // bracket-indexed) forms of the call are not covered by this string.
        $dict_open = "spell.customDictionaryOpen" nocase fullword
    condition:
        $dict_open
}
rule MSIEUseAfterFree: decodedOnly
{
    // Internet Explorer use-after-free (CVE-2010-0249): fires when a script
    // contains all four DOM names the rule associates with the exploit.
    // Every one of these is ordinary DOM API that benign pages use too, so a
    // hit is a lead to triage, not a verdict. impact = 5 is the score the
    // consuming tool reports — confirm its scale before relying on it.
    meta:
        ref = "CVE-2010-0249"
        hide = true
        impact = 5
    strings:
        $ie_create_event = "createEventObject" nocase fullword
        $ie_get_by_id    = "getElementById" nocase fullword
        $ie_onload       = "onload" nocase fullword
        $ie_src_element  = "srcElement" nocase fullword
    condition:
        // all four are required; any single one alone is far too common
        $ie_create_event and $ie_get_by_id and $ie_onload and $ie_src_element
}
rule getAnnots: decodedPDF
{
    // Adobe Reader getAnnots() (CVE-2009-1492): flags any reference to the
    // API in decoded PDF content.
    // impact is lowered to 3 because getAnnots has legitimate uses in
    // ordinary PDF forms, so this string alone is a weak indicator.
    meta:
        ref = "CVE-2009-1492"
        hide = true
        impact = 3
    strings:
        $annots_call = "getAnnots" nocase fullword
    condition:
        $annots_call
}
rule mediaNewplayer: decodedPDF
{
    // Adobe Reader media.newPlayer() (CVE-2009-4324): flags any reference
    // to the vulnerable JavaScript API in decoded PDF content.
    meta:
        ref = "CVE-2009-4324"
        hide = true
    strings:
        // Case-insensitive, word-bounded literal; does not catch the call
        // when it is built from fragments or reached via bracket notation.
        $new_player = "media.newPlayer" nocase fullword
    condition:
        $new_player
}
rule collectEmailInfo: decodedPDF
{
    // Adobe Reader Collab.collectEmailInfo() (CVE-2007-5659): flags any
    // reference to the vulnerable JavaScript API in decoded PDF content.
    meta:
        ref = "CVE-2007-5659"
        hide = true
    strings:
        // nocase covers "Collab.collectEmailInfo"; fullword rejects the
        // string when it is glued to other identifier characters.
        $collect_email = "collab.collectEmailInfo" nocase fullword
    condition:
        $collect_email
}
rule CollabgetIcon: decodedPDF
{
    // Adobe Reader Collab.getIcon() (CVE-2009-0927): flags any reference to
    // the vulnerable JavaScript API in decoded PDF content.
    meta:
        ref = "CVE-2009-0927"
        hide = true
    strings:
        // Case-insensitive, word-bounded literal of the dotted method name.
        $get_icon = "collab.getIcon" nocase fullword
    condition:
        $get_icon
}
rule PDFobfuscation: decodedPDF
{
    // Heuristic, not a single CVE (hence no ref): a literal "collab[" in
    // decoded PDF script, i.e. the Collab object reached through bracket
    // notation (e.g. collab['getIcon']) — a common way to hide the method
    // name from the plain dotted-name strings in the other rules.
    // Deliberately NOT fullword so it also hits inside longer tokens.
    meta:
        impact = 5
    strings:
        $bracket_collab = "collab[" nocase
    condition:
        $bracket_collab
}
rule UnconfirmedPDFexploit: decodedPDF
{
    // Catch-all for Adobe Reader JavaScript APIs the author attributes to
    // older CVEs but had not confirmed as exploited in the wild, so the rule
    // is informational only (impact = 0). Each string identifier carries the
    // CVE it is attributed to; those attributions are not verified here.
    meta:
        impact = 0
    strings:
        $cve20084813 = "getCosObj" nocase fullword
        $cve20082042 = "app.checkForUpdate" nocase fullword
        $cve20080726 = "printSepsWithParams" nocase fullword
        $cve20073902 = "setExpression" nocase fullword
        $cve20090773 = "ResizeSlots" nocase fullword
    condition:
        // any single API name is enough to report
        any of them
}
rule DecodedGenericCLSID : decodedOnly
{
    // Informational (impact = 0): reports any GUID/CLSID-shaped token
    // (8-4-4-4-12 hex groups) in decoded content, which is a hint that a
    // script instantiates an ActiveX/COM object. GUIDs are extremely common,
    // so this is context for an analyst rather than a detection.
    // The pattern is unanchored: it also matches a GUID embedded in a longer
    // hex run, and nocase accepts upper- or mixed-case hex digits.
    meta:
        impact = 0
    strings:
        $guid = /[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/ nocase
    condition:
        $guid
}
rule MSOfficeSnapshotViewer
{
    // Microsoft Office Snapshot Viewer ActiveX control (CVE-2008-2463):
    // matches the three CLSIDs the rule associates with the control, which
    // only differ in their first 8-hex-digit group.
    // Unlike the rules above this one carries no tag, so it presumably runs
    // against every input rather than decoded content only — confirm with
    // the scanner that loads these rules.
    meta:
        ref = "CVE-2008-2463"
        impact = 7
    strings:
        $snapshot_clsid = /(F0E42D50|F0E42D60|F2175210)-368C-11D0-AD81-00A0C90DC8D9/ nocase
    condition:
        $snapshot_clsid
}