Update TOOLKIT_Mandibule.yar
jovimon committed Jun 2, 2018
1 parent ff43fad commit b496aad
Showing 1 changed file with 0 additions and 9 deletions.
9 changes: 0 additions & 9 deletions malware/TOOLKIT_Mandibule.yar
Expand Up @@ -52,15 +52,6 @@ private rule is__hex_mid_mandibule32 {
3 of them
}

private rule is__elf {
meta:
author = "@mmorenog,@yararules"
strings:
$header = { 7F 45 4C 46 }
condition:
$header at 0
}

rule TOOLKIT_Mandibule {
meta:
description = "Generic detection for ELF Linux process injector mandibule generic"
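Review bot: The commit message "Update TOOLKIT_Mandibule.yar" does not say why `private rule is__elf` is being deleted, and nothing in the hunk replaces it, so if the condition of `rule TOOLKIT_Mandibule` further down still references `is__elf`, this file no longer compiles on its own and a reader has no way to know where the definition went. State in the commit message, or in a comment above `rule TOOLKIT_Mandibule {`, that `is__elf` now lives in `malware/000_common_rules.yar` and that this file must be compiled together with it in the same namespace (for example via the repository index with an `include` directive); a one-line `// is__elf moved to 000_common_rules.yar` would be enough.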

5 comments on commit b496aad

@unixfreaxjp
Contributor

@unixfreaxjp unixfreaxjp commented on b496aad Jun 4, 2018


Why did you delete the ELF header?? Without it the rule is useless. And this is Linux ELF binary injection. I am proposing to revoke your changes: master...unixfreaxjp:patch-1
@jovimon
Cc @mmorenog @Xyl2k

@Maijin

@Maijin Maijin commented on b496aad Jun 4, 2018


https://github.com/Yara-Rules/rules/blob/master/malware/000_common_rules.yar#L10 It is still here, they just moved it to a more generic location so it can be used for more than your rules ;)

@unixfreaxjp
Contributor


At least commenting something is expected on a deletion; we don't do telepathic communication in gitland..

@jovimon
Member Author

@jovimon jovimon commented on b496aad Jun 5, 2018


You are right, I should have explained it better but was quite in a hurry.
Will add a banner later on the affected rules.
Sorry for the inconvenience and thanks @Maijin for answering.

@Maijin

@Maijin Maijin commented on b496aad Jun 5, 2018


@jovimon, I was wondering, isn't YARA already able to check for the header via the ELF module http://yara.readthedocs.io/en/v3.7.1/modules/elf.html ?
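The two approaches this thread compares, as an added example written for this page and not a rule from the Yara-Rules repository: the 4-byte magic check that the deleted `is__elf` performed, and the same gate via YARA's built-in `elf` module that the comment above points to. The rule names `is__elf_magic`, `is__elf_parsed` and `example_elf_injector_gated`, and the `$inj` string, are placeholders chosen for illustration, not Mandibule artefacts or identifiers from the repository.

```yara
// Added example, not a rule from the Yara-Rules repository.
// Two ways to gate a rule on "this file is an ELF image": the 4-byte magic
// check (what the deleted private rule is__elf did) and the elf module,
// whose fields are only populated when the file parses as a valid ELF.
import "elf"

// Equivalent of the private rule removed in this commit. In the repository
// it now lives in malware/000_common_rules.yar, so any file whose condition
// references it has to be compiled together with that file in the same
// namespace, e.g. from an index file that does:
//   include "000_common_rules.yar"
private rule is__elf_magic {
    strings:
        $header = { 7F 45 4C 46 }
    condition:
        $header at 0
}

// Same gate via the elf module. elf.type is undefined when the module cannot
// parse the file, and a comparison involving an undefined value evaluates to
// false, so non-ELF input never matches. This is stricter than the magic
// check: a file with the magic bytes but a truncated or corrupt header
// satisfies is__elf_magic and fails is__elf_parsed.
private rule is__elf_parsed {
    condition:
        elf.type == elf.ET_EXEC or elf.type == elf.ET_DYN
}

// Hypothetical detection rule showing the gate in use, narrowed to 32-bit
// x86 images (the repository names its 32-bit helper is__hex_mid_mandibule32).
// $inj is a placeholder string, not a real Mandibule artefact.
rule example_elf_injector_gated {
    meta:
        description = "Added example: ELF-gated rule using the elf module"
        author = "example for this page, not the repository"
    strings:
        $inj = "placeholder_injector_marker" ascii
    condition:
        is__elf_parsed and elf.machine == elf.EM_386 and $inj
}
```

When a private rule is shared across files, as `is__elf` now is, the referencing file compiles only if both end up in the same namespace: the `yara` CLI run against a single index file of `include` directives does that, whereas `yara-python`'s `compile(filepaths={...})` puts each file in its own namespace and the reference fails with an undefined identifier error. The module-based gate avoids the dependency entirely at the cost of an `import "elf"` in every file that uses it, and of being stricter about malformed headers than the raw magic check.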
