Friday, October 26, 2018
Install and use YARA at Linux

/*Install Yara*/
#apt-get update
#apt-get install yara
#which yara
/usr/bin/yara

/*Download Yara Rules*/
#cd /usr/local/sbin
#mkdir ./yararules
#cd yararules
#git clone https://github.com/Yara-Rules/rules.git
#ll /usr/local/sbin/yararules/rules

/*Execute Yara*/
#yara --help
YARA 3.8.1, the pattern matching swiss army knife.
Usage: yara [OPTION]... [NAMESPACE:]RULES_FILE... FILE | DIR | PID
Mandatory arguments to long options are mandatory for short options too.
      --atom-quality-table=FILE        path to a file with the atom quality table
  -c, --count                          print only number of matches
  -d, --define=VAR=VALUE               define external variable
      --fail-on-warnings               fail on warnings
  -f, --fast-scan                      fast matching mode
  -h, --help                           show this help and exit
  -i, --identifier=IDENTIFIER          print only rules named IDENTIFIER
  -l, --max-rules=NUMBER               abort scanning after matching a NUMBER of rules
      --max-strings-per-rule=NUMBER    set maximum number of strings per rule (default=10000)
  -x, --module-data=MODULE=FILE        pass FILE's content as extra data to MODULE
  -n, --negate                         print only not satisfied rules (negate)
  -w, --no-warnings                    disable warnings
  -m, --print-meta                     print metadata
  -D, --print-module-data              print module data
  -e, --print-namespace                print rules' namespace
  -S, --print-stats                    print rules' statistics
  -s, --print-strings                  print matching strings
  -L, --print-string-length            print length of matched strings
  -g, --print-tags                     print tags
  -r, --recursive                      recursively search directories
  -k, --stack-size=SLOTS               set maximum stack size (default=16384)
  -t, --tag=TAG                        print only rules tagged as TAG
  -p, --threads=NUMBER                 use the specified NUMBER of threads to scan a directory
  -a, --timeout=SECONDS                abort scanning after the given number of SECONDS
  -v, --version                        show version information
Send bug reports and suggestions to: vmalvarez@virustotal.com.

#yara -r -w -f -p 10 /usr/local/sbin/yararules/rules/index.yar /root 2>/dev/null
network_smtp_raw /root/test.pcap
Big_Numbers1 /root/test.pcap
sniff_lan /root/.config/wireshark/recent_common
with_sqlite /root/.local/share/evolution/addressbook/system/contacts.db
with_sqlite /root/.config/honeyd/names
Big_Numbers1 /root/md5_arpd.txt
vmdetect /root/.cache/gstreamer-1.0/registry.x86_64.bin
SurtrStrings /root/.cache/gstreamer-1.0/registry.x86_64.bin
Surtr /root/.cache/gstreamer-1.0/registry.x86_64.bin
with_sqlite /root/.cache/tracker/meta.db-wal
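The recursive scan prints one "rule_name path" line per match, which becomes hard to read on a large tree. The following script is an added example and not part of the original post: it wraps the same yara command line (-r -w -f -p 10 with the Yara-Rules index) in subprocess and groups the output per rule and per file for triage. The helper names (parse_yara_output, scan_tree, rules_by_hit_count, files_by_rule_count) are my own, and SAMPLE_OUTPUT is the post's own scan result embedded so the grouping runs even where yara or the rule set is not installed.

```python
"""Run the recursive YARA scan from the post and tabulate its hits.

Added example, not part of the original post. Wraps the post's yara
command line and parses the "rule_name path" lines yara prints.
"""
import os
import shutil
import subprocess
from collections import defaultdict

# Rule index path exactly as used in the post.
RULES_INDEX = "/usr/local/sbin/yararules/rules/index.yar"


def parse_yara_output(text):
    """Map each rule name to the sorted list of distinct files it matched."""
    hits = defaultdict(set)
    for line in text.splitlines():
        parts = line.split(maxsplit=1)  # paths may contain spaces
        if len(parts) != 2:
            continue  # blank or malformed line
        rule, path = parts
        hits[rule].add(path)
    return {rule: sorted(paths) for rule, paths in hits.items()}


def rules_by_hit_count(hits):
    """(rule, file_count) pairs, most-hit rule first, ties alphabetical."""
    return sorted(((r, len(p)) for r, p in hits.items()),
                  key=lambda x: (-x[1], x[0]))


def files_by_rule_count(hits):
    """(path, [rules]) pairs, files hit by the most rules first."""
    per_file = defaultdict(set)
    for rule, paths in hits.items():
        for p in paths:
            per_file[p].add(rule)
    return sorted(((f, sorted(r)) for f, r in per_file.items()),
                  key=lambda x: (-len(x[1]), x[0]))


def scan_tree(target, rules_index=RULES_INDEX, threads=10):
    """Run yara with the post's flags; stderr is discarded like 2>/dev/null."""
    cmd = ["yara", "-r", "-w", "-f", "-p", str(threads), rules_index, target]
    result = subprocess.run(cmd, capture_output=True, text=True)
    return parse_yara_output(result.stdout)


# The post's own scan output, embedded so parsing can be exercised offline.
SAMPLE_OUTPUT = """\
network_smtp_raw /root/test.pcap
Big_Numbers1 /root/test.pcap
sniff_lan /root/.config/wireshark/recent_common
with_sqlite /root/.local/share/evolution/addressbook/system/contacts.db
with_sqlite /root/.config/honeyd/names
Big_Numbers1 /root/md5_arpd.txt
vmdetect /root/.cache/gstreamer-1.0/registry.x86_64.bin
SurtrStrings /root/.cache/gstreamer-1.0/registry.x86_64.bin
Surtr /root/.cache/gstreamer-1.0/registry.x86_64.bin
with_sqlite /root/.cache/tracker/meta.db-wal
"""

if __name__ == "__main__":
    if shutil.which("yara") and os.path.exists(RULES_INDEX):
        hits = scan_tree("/root")
    else:
        hits = parse_yara_output(SAMPLE_OUTPUT)
    print("hits per rule:")
    for rule, n in rules_by_hit_count(hits):
        print(f"  {n:3d} {rule}")
    print("rules per file:")
    for path, rules in files_by_rule_count(hits):
        print(f"  {path}: {', '.join(rules)}")
```

A file matched by several rules at once (here the gstreamer registry, hit by Surtr, SurtrStrings and vmdetect) is the one to look at first; to see which strings fired, re-run yara on that single file with -s (--print-strings) from the help above. Rules such as with_sqlite only describe a file type, so their hits on an address book or cache database are expected rather than suspicious.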
Friday, October 12, 2018
Using TCPKILL to send RST to cut off TCP connectivities
In Kali Linux, the tcpkill application is located at /usr/sbin/tcpkill.
Usage:
/usr/sbin/tcpkill -i NETWORK_INTERFACE -DEGREE TCPDUMP_FILTER_EXPRESSION
Example:
/usr/sbin/tcpkill -i eth0 -9 host 192.168.0.2 and host 192.168.3.10
NETWORK_INTERFACE is the network interface from which the RST segments are sent.
DEGREE is a number from 1 to 9 representing the rate at which RST segments are sent; the higher the number, the faster the rate. For the filter expression syntax, refer to the tcpdump manual.
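From the defender's side, a tcpkill run against one of your hosts has a recognisable wire signature: a normal connection teardown carries a single RST, whereas an injected cut-off shows several RSTs on the same flow within milliseconds. The following script is an added example and not part of the original post: it parses tcpdump's one-line text output and flags flows that receive more than a threshold of RSTs inside a short window. The sample capture lines are constructed, and the threshold and window defaults are my own assumptions.

```python
"""Flag bursts of RST segments per TCP flow in tcpdump text output.

Added example, not part of the original post. The sample lines below are
constructed in tcpdump's default one-line format.
"""
import re
from collections import defaultdict

# tcpdump one-line format: "HH:MM:SS.usec IP src.port > dst.port: Flags [..], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (seconds since midnight, (src, sport, dst, dport), flags) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mnt, s = m.group("ts").split(":")
    ts = int(h) * 3600 + int(mnt) * 60 + float(s)
    flow = (m.group("src"), int(m.group("sport")),
            m.group("dst"), int(m.group("dport")))
    return ts, flow, m.group("flags")


def find_rst_bursts(lines, threshold=3, window=1.0):
    """Return {flow: max RSTs seen inside `window` seconds} for flows at or
    above `threshold`. Threshold and window are assumed defaults."""
    rst_times = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, flow, flags = parsed
        if "R" in flags:
            rst_times[flow].append(ts)

    bursts = {}
    for flow, times in rst_times.items():
        times.sort()
        start, best = 0, 0
        # sliding window over the sorted RST timestamps of this flow
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[flow] = best
    return bursts


# Constructed sample: one normal data exchange, then five RSTs on the same
# flow within 40 microseconds, then an ordinary single RST on another flow.
SAMPLE_TCPDUMP = """\
12:00:00.000100 IP 192.168.3.10.51234 > 192.168.0.2.443: Flags [P.], seq 1:101, ack 1, win 502, length 100
12:00:00.000200 IP 192.168.0.2.443 > 192.168.3.10.51234: Flags [.], ack 101, win 509, length 0
12:00:00.000310 IP 192.168.0.2.443 > 192.168.3.10.51234: Flags [R], seq 1, win 0, length 0
12:00:00.000320 IP 192.168.0.2.443 > 192.168.3.10.51234: Flags [R], seq 65537, win 0, length 0
12:00:00.000330 IP 192.168.0.2.443 > 192.168.3.10.51234: Flags [R], seq 131073, win 0, length 0
12:00:00.000340 IP 192.168.0.2.443 > 192.168.3.10.51234: Flags [R], seq 196609, win 0, length 0
12:00:00.000350 IP 192.168.0.2.443 > 192.168.3.10.51234: Flags [R], seq 262145, win 0, length 0
12:00:05.100000 IP 10.0.0.5.22 > 10.0.0.9.40000: Flags [R.], seq 0, ack 1, win 0, length 0
not a tcpdump line
"""

if __name__ == "__main__":
    for flow, n in find_rst_bursts(SAMPLE_TCPDUMP.splitlines()).items():
        src, sport, dst, dport = flow
        print(f"RST burst: {src}:{sport} -> {dst}:{dport}, {n} RSTs in window")
```

Feed it a capture taken with tcpdump on the interface in question (for example tcpdump -n -i eth0 'tcp[tcpflags] & tcp-rst != 0' piped into the script) to watch for injected resets; a single RST per flow is normal teardown and is not reported.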