INFO_ELF_Contains_iptable.yar
// Plaintext variant: ELF files that carry the literal token "iptables".
// INFO-tier only: the token is short and common in legitimate networking
// tooling, so a hit is a triage pivot, not a verdict.
rule INFO_ELF_Contains_iptables
{
    meta:
        author = "Greg Lesnewich"
        date = "2024-01-21"
        version = "1.0"
        description = "track ELF files that reference iptables likely for portforwarding, redirecting, or listening "
        DaysofYARA = "21/100"

    strings:
        // Both narrow and UTF-16LE spellings of the token.
        $iptables = "iptables" wide ascii

    condition:
        // 0x7F 'E' 'L' 'F' at offset 0 gates the rule to ELF images before
        // the string scan is consulted.
        uint32be(0) == 0x7F454C46 and $iptables
}
// Base64 variant: ELF files that carry "iptables" as a base64 fragment.
// The base64 / base64wide modifiers expand the literal into the three
// alignment-dependent encodings, in narrow and UTF-16LE form respectively.
rule INFO_ELF_Contains_iptables_b64
{
    meta:
        author = "Greg Lesnewich"
        date = "2024-01-21"
        version = "1.0"
        description = "track ELF files that reference iptables likely for portforwarding, redirecting, or listening "
        DaysofYARA = "21/100"

    strings:
        $iptables_b64 = "iptables" base64wide base64

    condition:
        // Restrict to ELF images (0x7F 'E' 'L' 'F' at offset 0).
        0x7F454C46 == uint32be(0) and $iptables_b64
}
// XOR variant: ELF files that carry "iptables" under a single-byte XOR key.
rule INFO_ELF_Contains_iptables_xor
{
    meta:
        author = "Greg Lesnewich"
        date = "2024-01-21"
        version = "1.0"
        description = "track ELF files that reference iptables likely for portforwarding, redirecting, or listening "
        DaysofYARA = "21/100"

    strings:
        // Key range starts at 0x01: key 0x00 is the plaintext, which the
        // non-xor sibling rule already covers, so it is left out here to
        // keep the two rules from firing on the same bytes.
        $iptables_xor = "iptables" wide ascii xor(0x01-0xff)

    condition:
        // Restrict to ELF images (0x7F 'E' 'L' 'F' at offset 0).
        uint32be(0) == 0x7F454C46 and $iptables_xor
}