Closed malvidin closed 4 years ago
I recommend commenting out the olepackagestream and xor dispatcher rules from the default YARA rules, unless those plugins are added to this repository.
https://github.com/PUNCH-Cyber/stoq-plugins-public/blob/8aaf3b97dc3972ca852d2a73a7899afa7394f9bb/yara/yarascan/rules/dispatcher.yar#L56 https://github.com/PUNCH-Cyber/stoq-plugins-public/blob/8aaf3b97dc3972ca852d2a73a7899afa7394f9bb/yara/yarascan/rules/dispatcher.yar#L135
Adding a YARA rule for SMTP dispatching would be nice, like the following:
```yara
rule smtp_message {
    meta:
        plugin = "smtp"
        save = "True"
    strings:
        $crlf2 = { 0D 0A 0D 0A }
        // Values required in the email header
        $hdr_subject = "\nSubject:" nocase
        $hdr_received = "\nReceived:" nocase
    condition:
        for all of ($hdr_*) : ( @[1] < @crlf2[1] )
}
```
I can put together a pull request if one or more of those changes should happen.
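To make the proposed condition concrete, here is an added Python emulation of the rule's logic (not stoQ, yarascan or YARA code) run over constructed messages; it reproduces YARA's first-offset (`@x[1]`) semantics and shows two edge cases the rule implies: a required header that only appears after the blank line is rejected, and, because the strings start with `\n`, a header on the very first line of the message is not matched.

```python
# Required header strings, mirroring $hdr_subject / $hdr_received.
# The leading "\n" means a header on the very first line is NOT matched.
REQUIRED_HEADERS = (b"\nSubject:", b"\nReceived:")
HEADER_END = b"\r\n\r\n"  # $crlf2: end of the header block


def first_offset(data: bytes, needle: bytes, nocase: bool = False):
    """Offset of the first match (YARA's @x[1]) or None if absent."""
    if nocase:  # YARA 'nocase' folds ASCII case on both sides
        data, needle = data.lower(), needle.lower()
    idx = data.find(needle)
    return None if idx == -1 else idx


def is_smtp_message(data: bytes) -> bool:
    """Emulate: for all of ($hdr_*) : ( @[1] < @crlf2[1] )."""
    end = first_offset(data, HEADER_END)
    if end is None:
        return False  # no header/body separator, so @crlf2[1] is undefined
    for hdr in REQUIRED_HEADERS:
        off = first_offset(data, hdr, nocase=True)
        if off is None or not off < end:
            return False  # header missing, or only present after the body starts
    return True


# Constructed samples (not real mail traffic).
GOOD = (b"Return-Path: <a@example.test>\r\n"
        b"Received: from mx.example.test\r\n"
        b"subject: hello\r\n"
        b"\r\nbody")
HEADER_AFTER_BODY = (b"X-Mailer: test\r\n"
                     b"Received: from mx.example.test\r\n"
                     b"\r\nSubject: this is in the body")
FIRST_LINE_SUBJECT = b"Subject: x\r\nReceived: y\r\n\r\nbody"
NOT_MAIL = b"MZ\x90\x00 not a message at all"

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("HEADER_AFTER_BODY", HEADER_AFTER_BODY),
                         ("FIRST_LINE_SUBJECT", FIRST_LINE_SUBJECT), ("NOT_MAIL", NOT_MAIL)):
        print(f"{name}: {is_smtp_message(sample)}")
```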