{"id":3136,"date":"2018-03-19T12:00:46","date_gmt":"2018-03-19T11:00:46","guid":{"rendered":"http:\/\/nextron.bsk-consulting.de\/?p=3136"},"modified":"2023-02-02T16:32:15","modified_gmt":"2023-02-02T15:32:15","slug":"thor-8-44-features-tls-syslog-transmission-zip-yara-scanning","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2018\/03\/19\/thor-8-44-features-tls-syslog-transmission-zip-yara-scanning\/","title":{"rendered":"THOR 8.44 features TLS Syslog Transmission & ZIP YARA Scanning"},"content":{"rendered":"

[et_pb_section fb_built=”1″ admin_label=”section” _builder_version=”4.16″ global_colors_info=”{}” da_is_popup=”off” da_exit_intent=”off” da_has_close=”on” da_alt_close=”off” da_dark_close=”off” da_not_modal=”on” da_is_singular=”off” da_with_loader=”off” da_has_shadow=”on” da_disable_devices=”off|off|off”][et_pb_row admin_label=”row” _builder_version=”4.16″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.16″ custom_padding=”|||” global_colors_info=”{}” custom_padding__hover=”|||”][et_pb_text admin_label=”Text” _builder_version=”4.18.0″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” hover_enabled=”0″ global_colors_info=”{}” sticky_enabled=”0″]The new THOR version 8.44 comes with some interesting new features.<\/p>\n

TLS\/SSL Syslog Transmission<\/h2>\n

THOR version 8.44.0 supports the Syslog log transmission in an SSL\/TLS encrypted form. Just set the value “TCPTLS” as protocol in the 4th position of the target definition.<\/p>\n

\nthor.exe -s mysyslogserver:6514:SYSLOG:TCPTLS\n<\/pre>\n
The documentation has been updated accordingly.<\/p>\n
\"\"
TLS Syslog Log Transmission<\/p><\/div>\n
ZIP YARA Scanning<\/h2>\n
Until today the ZIP file checks were limited to file name IOC or anomaly checks. The new version 8.44.2 supports the scanning of ZIP file contents with the YARA rule base. However, for the time being the ZIP YARA scanning has some limitations:<\/p>\n
    \n
  1. The feature is limited to files which decompressed size does not exceed the defined maximum file size (default 4.5 Megabytes)<\/li>\n
  2. The feature is limited to certain scan modes: –intense, –fsonly, –dropzone<\/li>\n<\/ol>\n
    If the feature proves to be stable, we will activate it in the default scan mode in a future minor release.<\/p>\n
    \"\"
    ZIP YARA Scanning<\/p><\/div>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
    The new THOR version 8.44 comes with some interesting new features. TLS\/SSL Syslog Transmission THOR version 8.44.0 supports the Syslog log transmission in an SSL\/TLS encrypted form. Just set the value “TCPTLS” as protocol in the 4th position of the target definition. thor.exe -s mysyslogserver:6514:SYSLOG:TCPTLS The documentation has been updated accordingly. ZIP YARA Scanning Until today the ZIP file checks were limited to file name IOC or anomaly checks. The new version 8.44.2 supports the scanning of ZIP file contents with the YARA rule base. However, for the time being the ZIP YARA scanning has some limitations: The feature is limited to files which decompressed size does not exceed the defined maximum file size (default 4.5 Megabytes) The feature is limited to certain scan modes: –intense, –fsonly, –dropzone If the feature proves to be stable, we will activate it in the default scan mode in a future minor release.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"The new THOR version 8.44 comes with some interesting new features.\r\n
    TLS\/SSL Syslog Transmission<\/h2>\r\nTHOR version 8.44.0 supports the Syslog log transmission in an SSL\/TLS encrypted form. Just set the value \"TCPTLS\" as protocol in the 4th position of the target definition.\r\n\r\n[cc lang=\"bash\"]\r\nthor.exe -s mysyslogserver:6514:SYSLOG:TCPTLS\r\n[\/cc]\r\n\r\nThe documentation has been updated accordingly.\r\n\r\n[caption id=\"attachment_3138\" align=\"alignnone\" width=\"785\"]\"\" TLS Syslog Log Transmission[\/caption]\r\n
    ZIP YARA Scanning<\/h2>\r\nUntil today the ZIP file checks were limited to file name IOC or anomaly checks. The new version 8.44.2 supports the scanning of ZIP file contents with the YARA rule base. However, for the time being the ZIP YARA scanning has some limitations:\r\n
      \r\n \t
    1. The feature is limited to files which decompressed size does not exceed the defined maximum file size (default 4.5 Megabytes)<\/li>\r\n \t
    2. The feature is limited to certain scan modes: --intense, --fsonly, --dropzone<\/li>\r\n<\/ol>\r\nIf the feature proves to be stable, we will activate it in the default scan mode in a future minor release.\r\n\r\n[caption id=\"attachment_3137\" align=\"alignnone\" width=\"688\"]\"\" ZIP YARA Scanning[\/caption]","_et_gb_content_width":"","footnotes":""},"categories":[46,32],"tags":[74,75,5,73,48,72],"class_list":["post-3136","post","type-post","status-publish","format-standard","hentry","category-newsletter","category-thor","tag-encryption","tag-syslog","tag-thor","tag-tls","tag-yara","tag-zip"],"yoast_head":"\nTHOR 8.44 features TLS Syslog Transmission & ZIP YARA Scanning - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2018\/03\/19\/thor-8-44-features-tls-syslog-transmission-zip-yara-scanning\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2018\/03\/19\/thor-8-44-features-tls-syslog-transmission-zip-yara-scanning\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2018\/03\/19\/thor-8-44-features-tls-syslog-transmission-zip-yara-scanning\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"THOR 8.44 features TLS Syslog Transmission & ZIP YARA Scanning\",\"datePublished\":\"2018-03-19T11:00:46+00:00\",\"dateModified\":\"2023-02-02T15:32:15+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2018\/03\/19\/thor-8-44-features-tls-syslog-transmission-zip-yara-scanning\/\"},\"wordCount\":300,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"keywords\":[\"encryption\",\"syslog\",\"thor\",\"tls\",\"YARA\",\"zip\"],\"articleSection\":[\"Newsletter\",\"THOR\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2018\/03\/19\/thor-8-44-features-tls-syslog-transmission-zip-yara-scanning\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2018\/03\/19\/thor-8-44-features-tls-syslog-transmission-zip-yara-scanning\/\",\"name\":\"THOR 8.44 features TLS Syslog Transmission & ZIP YARA Scanning - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2018-03-19T11:00:46+00:00\",\"dateModified\":\"2023-02-02T15:32:15+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2018\/03\/19\/thor-8-44-features-tls-syslog-transmission-zip-yara-scanning\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"THOR 8.44 features TLS Syslog Transmission & ZIP YARA Scanning - Nextron Systems","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2018\/03\/19\/thor-8-44-features-tls-syslog-transmission-zip-yara-scanning\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2018\/03\/19\/thor-8-44-features-tls-syslog-transmission-zip-yara-scanning\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2018\/03\/19\/thor-8-44-features-tls-syslog-transmission-zip-yara-scanning\/"},"author":{"name":"Florian Roth","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919"},"headline":"THOR 8.44 features TLS Syslog Transmission & ZIP YARA Scanning","datePublished":"2018-03-19T11:00:46+00:00","dateModified":"2023-02-02T15:32:15+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2018\/03\/19\/thor-8-44-features-tls-syslog-transmission-zip-yara-scanning\/"},"wordCount":300,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"keywords":["encryption","syslog","thor","tls","YARA","zip"],"articleSection":["Newsletter","THOR"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2018\/03\/19\/thor-8-44-features-tls-syslog-transmission-zip-yara-scanning\/","url":"https:\/\/www.nextron-systems.com\/2018\/03\/19\/thor-8-44-features-tls-syslog-transmission-zip-yara-scanning\/","name":"THOR 8.44 features TLS Syslog Transmission & ZIP YARA Scanning - Nextron Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"datePublished":"2018-03-19T11:00:46+00:00","dateModified":"2023-02-02T15:32:15+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2018\/03\/19\/thor-8-44-features-tls-syslog-transmission-zip-yara-scanning\/"]}]},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919","name":"Florian Roth","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","caption":"Florian Roth"},"description":"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.","url":"https:\/\/www.nextron-systems.com\/author\/florian\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/3136","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=3136"}],"version-history":[{"count":9,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/3136\/revisions"}],"predecessor-version":[{"id":15928,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/3136\/revisions\/15928"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=3136"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=3136"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=3136"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}