<h1>YARA Rule Sets and Rule Feed</h1>
<p>Florian Roth, Nextron Systems. Published 21 December 2018, last modified 25 March 2022. Categories: Newsletter, YARA. Tags: access, api, feed, hunting, malware, rules, signatures, yara. Original post: <a href="https://www.nextron-systems.com/2018/12/21/yara-rule-sets-and-rule-feed/">https://www.nextron-systems.com/2018/12/21/yara-rule-sets-and-rule-feed/</a></p>
<p><img src="https://www.nextron-systems.com/wp-content/uploads/2018/12/Screenshot-2018-12-20-at-11.48.53.png" alt="Screenshot" /></p>
<p>As previously announced, our YARA rule packs and feeds will be available in March/April 2019. We have put a lot of effort into an internal system named "Mjolnir" that parses, normalizes, filters, tags and automatically modifies our rule base, which contains more than 9000 YARA rules.</p>
<p>This system now populates a database of tagged YARA rules, the basis of our new YARA services.</p>
<p>The services will be divided into two categories:</p>
<ul>
<li>YARA Rule Set</li>
<li>YARA Rule Feed</li>
</ul>
<h2>YARA Rule Set</h2>
<p>The YARA rule set consists of more than 7000 YARA rules of different categories that are used in our scanners.</p>
<p>Some of our rules use extensions (external variables) that are only usable in our scanner products. These rules, along with experimental, third-party and otherwise classified rules, will not be part of the purchasable rule set.</p>
<h2>YARA Rule Feed</h2>
<p>The YARA rule feed is a subscription to our rules. The feed always contains the rules of the last 90 days, which amounts to between 250 and 400 YARA rules.</p>
<h2>Rule Samples</h2>
<p>The quality of the rules in the rule set is comparable to the rules in our public "<a href="https://github.com/Neo23x0/signature-base/tree/master/yara">signature-base</a>" repository.</p>
<p>Some good examples of the different rule categories are:</p>
<ul>
<li>Webshell: <a href="https://github.com/Neo23x0/signature-base/blob/master/yara/thor-webshells.yar#L9261">FOPO Obfuscated Webshells</a></li>
<li>Exploit: <a href="https://github.com/Neo23x0/signature-base/blob/master/yara/exploit_cve_2017_8759.yar">Exploit Codes for CVE-2017-8759</a></li>
<li>Hacktool: <a href="https://github.com/Neo23x0/signature-base/blob/master/yara/thor-hacktools.yar#L4446">BlackBone Driver Injector</a></li>
<li>Suspicious: <a href="https://github.com/Neo23x0/signature-base/blob/master/yara/generic_anomalies.yar#L320">Suspicious Big Scheduled Task Files</a></li>
<li>APT: <a href="https://github.com/Neo23x0/signature-base/blob/master/yara/apt_turla.yar">Turla Rules</a></li>
</ul>
<h2>Quality and Focus</h2>
<p>The rules are tested against a data set of more than 350 TB of goodware. The goodware file repository consists of Windows OS files, several full Linux distributions and a large collection of commercial and free software.</p>
<p>However, false positives are always possible. We do not recommend any destructive action on a signature match, such as deleting or blocking the matched file.</p>
<p>The main focus areas of our rules are:</p>
<ul>
<li>Threat Hunting</li>
<li>Classification</li>
<li>Anomaly Detection</li>
<li>Compromise Assessment</li>
</ul>
<p><img src="https://www.nextron-systems.com/wp-content/uploads/2018/12/Screenshot-2018-12-06-at-19.24.29.png" alt="Screenshot" /></p>
<p><img src="https://www.nextron-systems.com/wp-content/uploads/2018/12/Screenshot-2018-12-20-at-11.48.34.png" alt="Screenshot" /></p>
<p><a href="/yara-rule-feed">Subscribe to our Early Access Mailing List</a></p>