Skip to content
Signature base for my scanner tools
Branch: master
Clone or download
Florian Roth
Latest commit 9c1aff0 Mar 8, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
iocs False Positive Reduction Mar 8, 2019
misc Mimikatz log file type Dec 20, 2017
threatintel new false positive IOC list Oct 27, 2018
.gitignore .gitignore update Feb 2, 2019
sig-base-rules.csv Sigbase rules CSV update Feb 11, 2019

Build Status


signature-base is the signature database for my scanners LOKI and SPARK Core

Directory Structure

  • iocs - Simple IOC files (CSV)
  • yara - YARA rules
  • threatintel - Threat Intel API Receiver (MISP, OTX)
  • misc - Other input files (not IOCs or signatures)

External Variables in YARA Rules

Using the YARA rules in a tool other than LOKI, SPARK or SPARK Core will cause errors stating an undefined identifier. The rules that make use of external variables have been moved to the following 4 rule set files:

  • ./yara/generic_anomalies.yar
  • ./yara/general_cloaking.yar
  • ./yara/thor_inverse_matches.yar
  • ./yara/yara_mixed_ext_vars.yar

High Quality YARA Rules Feed

If you liked my rules, please check our commercial rule set and rule feed service, which contains better and 20 times the number of rules.


Creative Commons License

All signatures and IOC files in this repository, except the YARA rules created by 3rd parties, are licensed under the Creative Commons Attribution-NonCommercial 4.0 International License.

The license of this repository changed in August 2018. All forks or copies of this repository that were created before August 26th of 2018 are licensed under GPL 3.0. you can find the last GPL version in the release section.

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.