Mark
asked on
How to test yara rule?
I have the yara rule shown below from Kaspersky. I've put it in my Linux system running clamav-milter. I'd like to test this rule by sending a message. I've sent a message contaning string $a3, but it was not caught.
To test yara generally, I have created a simple rule with a single string and sent a message containing that string and it was caught, so yara rule checking is enabled.
Perhaps just sending string $a3 is insufficient? What does "uint16(0)" mean? That appears to be an "and" condition.
To test yara generally, I have created a simple rule with a single string and sent a message containing that string and it was caught, so yara rule checking is enabled.
Perhaps just sending string $a3 is insufficient? What does "uint16(0)" mean? That appears to be an "and" condition.
rule ransomware_exPetr {
meta:
copyright = "Kaspersky Lab"
description = "Rule to detect PetrWrap ransomware samples"
last_modified = "2017-06-27"
author = "Kaspersky Lab"
hash = "71B6A493388E7D0B40C83CE903BC6B04"
version = "1.0"
strings:
$a1 = "MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu" fullword wide
$a2 = ".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls" fullword wide
$a3 = "DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED" fullword ascii
$a4 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" fullword ascii
$a5 = "wowsmith123456@posteo.net." fullword wide
condition:
uint16(0) == 0x5A4D and
filesize < 1000000 and
any of them
}
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I commented out the uint16 rule and sent a test message with an attachment having the "POWER CABLE" string and the milter caught it! Mystery solved.