Status: Closed (xambroz closed this issue 8 years ago)
I forgot to mention the rule is in the ./Neo23x0/signature-base/yara/gen_cn_hacktools.yar
Done. Thanks for reporting the issue.
BTW, if you are interested, there are some more rules which are close to the 128-char boundary of YARA, which could make it hard to prefix/rename the rules to something unique. Usually those are the ones automatically generated from multiple files, like:
Neo23x0/yara/thor-webshells.yar: _w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php_ctt_sh_php_php
_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_dC3_Security_Crew_Shell_PRiV_php_SpecialShell_99_php_php
_w_php_php_c99madshell_v2_1_php_php_wacking_php_php_c99shell_v1_0_php_php_c99php_SpecialShell_99_php_php_ctt_sh_php_php
As your Neo23x0/signature-base/yara/thor-webshells.yar is also, in some version, included in Yara-Rules/Webshells/WShell_THOR_Webshells.yar, it makes it difficult to automatically prefix/rename these rules to something unique so as not to cause duplicates in yarac.
Hello Florian, would you please consider renaming the rule _kappfree_kelloworld_KiwiCmd_KiwiRegedit_KiwiTaskmgr_klock_mimikatz_sekurlsa_kappfree_kelloworld_KiwiCmd_KiwiRegedit_KiwiTaskmg to something shorter, like kiwi_tools_gentil_kiwi?
The rule name is very long and makes it hard to prefix/rename it to something unique when using your ruleset together with other rulesets (like Yara-rules).
Thank you,
Michal Ambroz
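As an added example that is not part of this thread (it is not code from Neo23x0, Yara-Rules or the reporter), the following Python script does the renaming the thread is about: it prefixes every rule in a ruleset, rewrites the rule-to-rule references in conditions so the merged set still compiles, leaves string literals, regex literals and comments untouched, reports which prefixed names would cross the 128-character identifier limit mentioned above, and lists names declared in more than one ruleset (the duplicates yarac would reject). The ruleset it runs on is constructed for the example; the 128-character limit is the one stated in the thread.

```python
import re

# YARA refuses identifiers longer than this ("identifier too long"); it is the
# 128-character boundary discussed in the thread.
YARA_MAX_IDENTIFIER_LEN = 128

# Tokenizer for the parts of YARA syntax that matter when renaming rules.
# Strings, comments and regex literals are matched whole so their contents are
# never rewritten; $/#/@/! string variables are matched whole so "$foo" is not
# mistaken for a rule named "foo"; numbers are matched so the "x5a4d" tail of
# "0x5a4d" is not taken for an identifier. Anything else identifier-shaped is a
# candidate rule-name reference. (A division such as "a / b and c / d" written
# on one line would be read as a regex literal and simply left unmodified.)
TOKEN = re.compile(r'''
    "(?:\\.|[^"\\])*"            # text string literal
  | //[^\n]*                     # line comment
  | /\*.*?\*/                    # block comment
  | /(?:\\.|[^/\\\n])+/[a-z]*    # regex literal with optional modifiers
  | [$#@!][A-Za-z0-9_*]*         # string variable reference ($a, #a, @a, !a, $*)
  | [0-9][0-9A-Za-z_.]*          # numeric literal (0x5a4d, 2MB, 1.5)
  | [A-Za-z_][A-Za-z0-9_]*       # identifier: keywords, rule names, module names
''', re.VERBOSE | re.DOTALL)

IDENTIFIER = re.compile(r'[A-Za-z_][A-Za-z0-9_]*')


def rule_names(source):
    """Rule identifiers in declaration order: the identifier after the keyword
    'rule' (private/global modifiers and ': tags' are handled implicitly)."""
    tokens = [m.group(0) for m in TOKEN.finditer(source)]
    return [cur for prev, cur in zip(tokens, tokens[1:])
            if prev == 'rule' and IDENTIFIER.fullmatch(cur)]


def headroom(source):
    """Characters that can still be prepended to each rule name before it
    exceeds the limit; 0 or less means the rule cannot be prefixed at all."""
    return {n: YARA_MAX_IDENTIFIER_LEN - len(n) for n in rule_names(source)}


def duplicate_names(*sources):
    """Rule names declared more than once across the given rulesets, i.e. the
    'duplicated identifier' errors yarac would raise when compiling them together."""
    counts = {}
    for src in sources:
        for n in rule_names(src):
            counts[n] = counts.get(n, 0) + 1
    return sorted(n for n, c in counts.items() if c > 1)


def prefix_rules(source, prefix):
    """Rename every rule to prefix + name, rewriting the references that other
    rules' conditions make to it, while leaving string literals, comments and
    regexes alone. Returns (new_source, too_long) where too_long lists the new
    names that would exceed YARA's identifier limit."""
    if not IDENTIFIER.fullmatch(prefix):
        raise ValueError('prefix must itself be a valid identifier, e.g. "WShell_"')
    mapping = {n: prefix + n for n in rule_names(source)}
    too_long = [n for n in mapping.values() if len(n) > YARA_MAX_IDENTIFIER_LEN]
    renamed = TOKEN.sub(lambda m: mapping.get(m.group(0), m.group(0)), source)
    return renamed, too_long


# Constructed sample ruleset (not taken from any real signature set). The last
# rule's name is 122 characters long, close to the boundary like the ones the
# thread lists, so a 7-character prefix pushes it over the limit.
LONG_NAME = '_w_php_php_' + 'x' * 111
SAMPLE_RULESET = '''
import "pe"

rule webshell_marker
{
    strings:
        $a = "webshell_marker"      // "webshell_marker" here is data, not a rule reference
        $re = /webshell_marker/i    // regex literal, must not be renamed either
    condition:
        $a or $re
}

private rule helper_tiny
{
    condition:
        uint16(0) == 0x5a4d and filesize < 2MB
}

rule uses_helper : dropper
{
    condition:
        helper_tiny and webshell_marker and pe.number_of_sections > 1
}

rule %s
{
    condition:
        uses_helper
}
''' % LONG_NAME


if __name__ == '__main__':
    renamed, too_long = prefix_rules(SAMPLE_RULESET, 'WShell_')
    print('rules:', rule_names(SAMPLE_RULESET))
    print('headroom:', headroom(SAMPLE_RULESET))
    print('too long after prefixing:', too_long)
    print('duplicates across two copies:', duplicate_names(SAMPLE_RULESET, SAMPLE_RULESET))
    print(renamed)
```

Running it shows the dependency `helper_tiny and webshell_marker` rewritten to the prefixed names while the `$a` string and the `/webshell_marker/i` regex keep their original text, and the 122-character rule is reported as too long for the 7-character prefix `WShell_` (its headroom is 6). Feeding the renamed text to `yarac` is the real check; the script only reproduces the two errors that the thread says such merges run into.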