[clamav-users] Anyone uses US-CERT's yara rules?
Alessandro Vesely
vesely at tana.it
Fri Mar 16 17:14:33 UTC 2018
US-CERT alerts often contain a "consolidated rule set for malware associated with" the relevant activity. See e.g.:
https://www.us-cert.gov/ncas/alerts/TA18-074A
Yara rules are listed, so that they can be copied and pasted into a file to be saved in /var/lib/clamav in order for clamscan to use it. Doing so results in the following:
LibClamAV Warning: load_oneyara[verify]: wide modifier [w] is not supported for regex subsigs
LibClamAV Warning: load_oneyara: clamav cannot support 1 input strings, skipping YARA.z_webshell
bookmarks-2017-02-27.json: YARA.APT_malware_1.UNOFFICIAL FOUND
bookmarks-2017-05-13.json: YARA.APT_malware_1.UNOFFICIAL FOUND
bookmarks-2018-02-19.json: YARA.APT_malware_1.UNOFFICIAL FOUND
Those bookmarks (Firefox exported stuff) are flagged because they contain "/icon.png". That rule is authored by "DHS | NCCIC Code Analysis Team".
I guess US-CERT rules are not for end users like me, but I'd be curious if they end up (possibly modified) in some easy-to-download clamav database.
Ale
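The two problems in the scan output above (a rule ClamAV skips because a regex string carries the wide modifier, and a rule that fires on harmless files because one of its literals is as short and common as "/icon.png") can both be spotted before the rules are dropped into /var/lib/clamav. The following script is an added example written for this thread, not code from the post, from US-CERT or from the ClamAV project. It parses a simplified YARA subset (one string definition per line, text, regex or hex strings, no nested braces), audits each rule, and reports the problem strings. The rule text is constructed for illustration and is not the TA18-074A rule set; the 12-byte minimum literal length is an assumed threshold, not a ClamAV setting.

```python
import re

# Constructed sample, not the US-CERT rule set: one regex string with the
# "wide" modifier (ClamAV rejects that for regex subsignatures and skips the
# whole rule) and one very short literal that will also match ordinary files,
# such as exported browser bookmarks that reference a favicon.
SAMPLE_RULES = r'''
rule z_webshell
{
    strings:
        $s1 = /eval\(base64_decode\(/ wide ascii
    condition:
        $s1
}

rule APT_malware_1
{
    meta:
        author = "constructed example"
    strings:
        $a = "/icon.png"
        $b = { 4D 5A 90 00 03 00 00 00 }
    condition:
        any of them
}
'''

# Simplified YARA subset: rule bodies end at a "}" on its own line, and each
# string definition sits on one line as  $name = <value> [modifiers...]
RULE_RE = re.compile(r'\brule\s+(\w+)[^{]*\{(.*?)\n\}', re.S)
STRINGS_SECTION_RE = re.compile(r'strings:(.*?)condition:', re.S)
STRING_LINE_RE = re.compile(r'^\s*(\$\w*)\s*=\s*(.+?)\s*$', re.M)
VALUE_RES = {
    "text": re.compile(r'^"(?:[^"\\]|\\.)*"'),
    "regex": re.compile(r'^/(?:[^/\\]|\\.)*/'),
    "hex": re.compile(r'^\{[^}]*\}'),
}

MIN_LITERAL_LEN = 12  # assumed threshold: shorter text literals are flagged as generic


def parse_strings(body):
    """Return [(name, kind, literal, [modifiers])] for one rule body."""
    section = STRINGS_SECTION_RE.search(body)
    if not section:
        return []
    parsed = []
    for name, rest in STRING_LINE_RE.findall(section.group(1)):
        for kind, value_re in VALUE_RES.items():
            match = value_re.match(rest)
            if match:
                modifiers = rest[match.end():].split()
                parsed.append((name, kind, match.group(0), modifiers))
                break
    return parsed


def audit_rules(text):
    """Map each rule name to a list of findings (empty list means no issue)."""
    findings = {}
    for rule_name, body in RULE_RE.findall(text):
        issues = []
        for sname, kind, literal, modifiers in parse_strings(body):
            # Mirrors the "wide modifier [w] is not supported for regex subsigs"
            # warning: ClamAV drops the entire rule, so it never matches anything.
            if kind == "regex" and "wide" in modifiers:
                issues.append(f"{sname}: 'wide' on a regex string; ClamAV will skip this rule")
            # Short plain literals match far too much benign content.
            if kind == "text" and len(literal) - 2 < MIN_LITERAL_LEN:
                issues.append(f"{sname}: literal {literal} is only {len(literal) - 2} bytes; "
                              "expect false positives on ordinary files")
        findings[rule_name] = issues
    return findings


if __name__ == "__main__":
    for rule_name, issues in audit_rules(SAMPLE_RULES).items():
        print(rule_name, "OK" if not issues else "")
        for issue in issues:
            print("   ", issue)
```

Running the audit on a downloaded rule file before copying it into the ClamAV database directory tells you which rules will be silently skipped and which ones deserve a tighter condition (for example requiring a second, more specific string) before they are allowed to quarantine files.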