chvancooten / NimPlant

A light-weight first-stage C2 implant written in Nim.
MIT License

Recommended changes to YARA rule #3

Closed Neo23x0 closed 1 year ago

Neo23x0 commented 1 year ago

Important changes:

Optional changes:

Neo23x0 commented 1 year ago

Further explanations:

($oep at pe.entry_point or $oep)

^ this part of the condition is just the same as saying $oep

or (any of ($s*) and any of ($r*)) 
          or any of ($r*)

^ this is just the same logic error. It's basically as if you said

a and b or b 
Neo23x0 commented 1 year ago

Regex issue

The regex contains .*, which is discouraged for performance reasons. Many YARA versions printed a warning that this slows down scanning ... because it really does. It's a major performance issue. You should try to avoid using a regex at all or at least reduce it to a range .{1,X}.

See https://github.com/Neo23x0/YARA-Performance-Guidelines/#regular-expressions
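As an added example, not the NimPlant project's rule and not code posted in this thread, the following hypothetical rule reproduces the two condition shapes and the unbounded regex discussed above, beside the form they reduce to. All string values, the entry-point byte pattern and the range bound of 32 are placeholders picked for illustration; the real rule's strings are not shown on this page.

```yara
import "pe"

// Added example, not the project's rule. Every string here is a placeholder.
rule nimplant_condition_as_written
{
    strings:
        $oep = { 48 83 EC 28 E8 }      // hypothetical entry-point bytes
        $s1 = "nimplant" ascii wide    // hypothetical marker strings
        $s2 = "NimPlant" ascii wide
        $r1 = /nim.*plant/             // unbounded .* : expensive to scan
    condition:
        uint16(0) == 0x5A4D
        and (
            // "$oep at pe.entry_point" is a special case of "$oep",
            // so this whole parenthesis is equivalent to "$oep"
            ($oep at pe.entry_point or $oep)
            // (a and b) or b  ==  b, so the $s* branch never decides anything
            or (any of ($s*) and any of ($r*))
            or any of ($r*)
        )
}

// The same condition after applying the two reductions and bounding the regex.
// The $s* strings drop out entirely; YARA would reject them as unreferenced if
// they were left declared, which is itself a hint that the original intent was
// probably lost somewhere in the condition.
rule nimplant_condition_reduced
{
    strings:
        $oep = { 48 83 EC 28 E8 }      // hypothetical entry-point bytes
        $r1 = /nim.{1,32}plant/        // bounded range instead of .* (32 is a placeholder)
    condition:
        uint16(0) == 0x5A4D
        and ($oep or any of ($r*))
}
```

Which of the two branches the original author actually meant (the $s*-and-$r* conjunction, or the bare $r* disjunction) is a decision for the rule's maintainer; the reduced rule only shows what the condition as written evaluates to. Compiling with `yara -w` (`--fail-on-warnings`) turns YARA's performance warnings into hard errors, which is a cheap way to catch this class of slow pattern before a rule ships.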

chvancooten commented 1 year ago

Thanks for the modifications and explanation, will be included for v1.1!