Yara-Rules / rules

Repository of yara rules
GNU General Public License v2.0

THOR rulesets introduce duplicate identifiers #81

Closed timothycovel closed 8 years ago

timothycovel commented 8 years ago

Using an index file that includes each of the files under the malware directory generates duplicated-identifier errors. Are these THOR files just subsets of already existing rules in other files? If so, do they add any value? For now I am just manually removing them, but that is not ideal.

/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3241): error: duplicated identifier "perlbot_pl"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3253): error: duplicated identifier "php_backdoor_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3265): error: duplicated identifier "Liz0ziM_Private_Safe_Mode_Command_Execuriton_Bypass_Exploit_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3276): error: duplicated identifier "Nshell1php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3288): error: duplicated identifier "shankar_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3300): error: duplicated identifier "Casus15_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3312): error: duplicated identifier "small_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3326): error: duplicated identifier "shellbot_pl"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3339): error: duplicated identifier "fuckphpshell_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3353): error: duplicated identifier "ngh_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3365): error: duplicated identifier "jsp_reverse_jsp"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3378): error: duplicated identifier "Tool_asp"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3390): error: duplicated identifier "NT_Addy_asp"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3402): error: duplicated identifier "SimAttacker_Vrsion_1_00priv8_4_My_friend_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3414): error: duplicated identifier "RemExp_asp"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3426): error: duplicated identifier "phvayvv_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3439): error: duplicated identifier "klasvayv_asp"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3452): error: duplicated identifier "r57shell_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3465): error: duplicated identifier "rst_sql_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3477): error: duplicated identifier "wh_bindshell_py"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3489): error: duplicated identifier "lurm_safemod_on_cgi"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3499): error: duplicated identifier "c99madshell_v2_0_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3510): error: duplicated identifier "backupsql_php_often_with_c99shell"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3522): error: duplicated identifier "uploader_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3533): error: duplicated identifier "telnet_pl"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_Webshells.yar(3545): error: duplicated identifier "w3d_php_php"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(34): error: duplicated identifier "WindowsCredentialEditor"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(51): error: duplicated identifier "Amplia_Security_Tool"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(1545): error: duplicated identifier "EditServer"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(2797): error: duplicated identifier "CN_Toolset__XScanLib_XScanLib_XScanLib"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(2821): error: duplicated identifier "CN_Toolset_NTscan_PipeCmd"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(2841): error: duplicated identifier "CN_Toolset_LScanPortss_2"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(2858): error: duplicated identifier "CN_Toolset_sig_1433_135_sqlr"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(2873): error: duplicated identifier "DarkComet_Keylogger_File"
/home/cuckoo-2.0_RC1/data/yara/rules/malware/THOR_HackTools.yar(3021): error: duplicated identifier "Mimikatz_Logfile"

jovimon commented 8 years ago

Hello Tim,

Thank you for bringing this to our attention.

Some of the rules in THOR_Webshells.yar and THOR_HackTools.yar were already in our misc file Miscelanea.yar, and this caused the errors you saw. I checked them all and removed duplicates or renamed rules where needed. The malware directory should work fine now.

Regards.
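The errors above only surface once yara compiles an index that pulls in every file, and the maintainer's fix was to hunt the colliding names down by hand. The script below is an added example (not code from the Yara-Rules repository or from either commenter) of the pre-flight check a practitioner would run on a rules checkout before building such an index: it walks a directory of `.yar`/`.yara` files, records where each `rule` identifier is declared, and prints the collisions in the same `file(line): error: duplicated identifier` shape yara uses. Comments are blanked out before matching and string literals are left alone, so a commented-out rule or a `// ` inside a `$string` does not produce a false hit; YARA regex literals are not tracked, which is a known limitation. The two sample files it builds in a temporary directory are constructed for the demonstration and are not the real `Miscelanea.yar` or `THOR_Webshells.yar`.

```python
"""Pre-flight check: find YARA rule identifiers declared more than once under a
directory, before an index file that includes everything fails to compile.
Pure Python, no yara module required. Added example, not the repository's code."""
import os
import re
import tempfile
from collections import defaultdict

# A declaration: optional 'private'/'global' modifiers, 'rule', then the name.
# Matched per line after comments have been blanked out.
RULE_DECL = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)")


def blank_comments(text):
    """Overwrite // and /* */ comments with spaces, keeping newlines so line
    numbers stay valid. Characters inside "..." strings are left untouched so a
    // in a $string cannot swallow its line. Regex literals are not tracked."""
    out, i, n = [], 0, len(text)
    state = "code"                      # one of: code, str, line, block
    while i < n:
        c, nxt = text[i], text[i + 1:i + 2]
        if state == "line":             # inside // ... up to end of line
            if c == "\n":
                state = "code"
            out.append(c if c == "\n" else " ")
            i += 1
        elif state == "block":          # inside /* ... */
            if c == "*" and nxt == "/":
                state = "code"
                out.append("  ")
                i += 2
            else:
                out.append(c if c == "\n" else " ")
                i += 1
        elif state == "str":            # inside a "..." literal
            if c == "\\":               # keep escaped char such as \" intact
                out.append(text[i:i + 2])
                i += 2
            else:
                if c == '"':
                    state = "code"
                out.append(c)
                i += 1
        elif c == "/" and nxt == "/":
            state = "line"
            out.append("  ")
            i += 2
        elif c == "/" and nxt == "*":
            state = "block"
            out.append("  ")
            i += 2
        else:
            if c == '"':
                state = "str"
            out.append(c)
            i += 1
    return "".join(out)


def rule_declarations(text):
    """Return [(identifier, line_number), ...] for each rule declared in text."""
    found = []
    for lineno, line in enumerate(blank_comments(text).splitlines(), 1):
        m = RULE_DECL.match(line)
        if m:
            found.append((m.group(1), lineno))
    return found


def find_duplicates(root):
    """Scan every .yar/.yara file under root. Return {identifier: [(relpath, line), ...]}
    restricted to identifiers declared more than once (files visited in sorted order)."""
    seen = defaultdict(list)
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith((".yar", ".yara")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for ident, lineno in rule_declarations(fh.read()):
                    seen[ident].append((os.path.relpath(path, root), lineno))
    return {k: v for k, v in seen.items() if len(v) > 1}


def format_errors(dups):
    """One yara-style error line per redeclaration; the first declaration is kept."""
    return [f'{relpath}({lineno}): error: duplicated identifier "{ident}"'
            for ident in sorted(dups) for relpath, lineno in dups[ident][1:]]


# Constructed sample tree (not the real repository files): perlbot_pl is declared
# in both files, while the commented-out and in-string decoys must not count.
SAMPLE_FILES = {
    "Miscelanea.yar":
        'rule perlbot_pl { strings: $s = "rule perlbot_pl // decoy" condition: $s }\n'
        "rule shellbot_pl { condition: false }\n",
    "THOR_Webshells.yar":
        "/* rule shellbot_pl (commented out, must not count) */\n"
        "// rule shellbot_pl\n"
        "private rule perlbot_pl { condition: true }\n"
        "rule php_backdoor_php { condition: false }\n",
}


def build_sample_tree():
    """Write the constructed sample files into a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="yara-dupcheck-")
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # Point find_duplicates() at a real checkout, e.g. "rules/malware", to check it.
    for line in format_errors(find_duplicates(build_sample_tree())):
        print(line)
```

Running it on the sample reports only `THOR_Webshells.yar(3): error: duplicated identifier "perlbot_pl"`; the shellbot_pl decoys in the comment and the string are ignored. Against a real checkout the output lists every pair to dedupe or rename before an index file is generated, which is exactly the triage the maintainer did by hand. Note that it finds identifier collisions only; rules with different names but identical strings and conditions (true semantic duplicates) still need a diff of the rule bodies.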