"Linux hack tools - file screen" match on OSX FP? #35
Comments
Interesting - these are the strings and all of them have to match to trigger the rule.
Could you run the tool and see what it does? My research shows unambiguous results:
OK, I replaced the rule with better ones.
OK, have run a scan on /usr with 15.2 and the new sig base. That match is gone; these, though, have shown up instead.
Scanning /usr ...
That's good news. |
Excellent, I'll close this then. |
20160401T09:02:06Z,s-MacBook-Pro.local,WARNING,Yara Rule MATCH: LinuxHacktool_eyes_screen TYPE: UNKNOWN DESCRIPTION: Linux hack tools - file screen FILE: /usr/bin/screen FIRST_BYTES: cffaedfe07000001030000800200000011000000 / MD5: add6935225e31b5d6672cd2fa3a238bf SHA1: 827dcbe3f792bcb099af63e2a2c9c5f8edcbcf40 SHA256: 7294dbfec928009ac30646fa2d18c8525a35aff172d4ebc81035032525c8394c MATCHES: Str1: or: %s -r [host.tty] Str2: %s: process: character, ^x, or (octal) \032 expected. Str3: Type "screen [-d] -r [pid.]tty.host" to resum ... (truncated)
Any thoughts?
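The two things a triager wants from a hit like the one above are (a) what the matched strings actually are and (b) whether a known-good binary contains all of them, since a rule whose condition is "all of them" fires on any file that carries every string, which is exactly why it lit up /usr/bin/screen. The script below is an added example written for this thread, not part of Loki or signature-base: it parses the MATCHES and FIRST_BYTES fields out of the log line as it was posted (the field layout is assumed from that one line), decodes the leading bytes, and replays the "every string must be present" check against a constructed stand-in for the screen binary. The `BENIGN_SCREEN_BLOB` and `OTHER_BLOB` buffers are made up for the example and are not the real files.

```python
"""Triage a Loki 'Yara Rule MATCH' log line for generic, false-positive-prone strings.

Added example for the issue thread; not Loki's or signature-base's own code.
"""
import re

# The log line exactly as posted in the issue. Loki had already truncated the
# MATCHES field ("... (truncated)"), so Str3 is cut off here too.
LOG_LINE = (
    "20160401T09:02:06Z,s-MacBook-Pro.local,WARNING,Yara Rule MATCH: "
    "LinuxHacktool_eyes_screen TYPE: UNKNOWN DESCRIPTION: Linux hack tools - file screen "
    "FILE: /usr/bin/screen FIRST_BYTES: cffaedfe07000001030000800200000011000000 / "
    "MD5: add6935225e31b5d6672cd2fa3a238bf "
    "SHA1: 827dcbe3f792bcb099af63e2a2c9c5f8edcbcf40 "
    "SHA256: 7294dbfec928009ac30646fa2d18c8525a35aff172d4ebc81035032525c8394c "
    "MATCHES: Str1: or: %s -r [host.tty] "
    "Str2: %s: process: character, ^x, or (octal) \\032 expected. "
    'Str3: Type "screen [-d] -r [pid.]tty.host" to resum'
)

# Field layout assumed from the line above: "... FILE: <path> FIRST_BYTES: <hex> / ... MATCHES: ..."
_LINE_RE = re.compile(
    r"Yara Rule MATCH: (?P<rule>\S+) .*? FILE: (?P<file>.+?) "
    r"FIRST_BYTES: (?P<fb>[0-9a-fA-F]+) .*? MATCHES: (?P<matches>.*)$"
)

# Leading-byte signatures for the executable formats Loki is likely to meet.
MAGICS = [
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit (MH_MAGIC_64)"),
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit (MH_MAGIC)"),
    (b"\xca\xfe\xba\xbe", "Mach-O universal (FAT_MAGIC)"),
    (b"\x7fELF", "ELF"),
    (b"MZ", "PE (MZ)"),
]

# Constructed stand-in for /usr/bin/screen: the FIRST_BYTES Loki logged, then the
# usage/error text that GNU screen itself carries. Not the real binary.
BENIGN_SCREEN_BLOB = bytes.fromhex("cffaedfe07000001030000800200000011000000") + b"\x00" * 16 + (
    b"Use: %s [-opts] [cmd [args]]\n"
    b" or: %s -r [host.tty]\n"
    b"%s: process: character, ^x, or (octal) \\032 expected.\n"
    b'Type "screen [-d] -r [pid.]tty.host" to resume one of them.\n'
)
# Constructed unrelated ELF-ish buffer that carries none of the rule's strings.
OTHER_BLOB = b"\x7fELF" + b"\x00" * 12 + b"some other tool with different messages\n"


def parse_loki_match(line):
    """Return rule name, file path, decoded FIRST_BYTES and the matched strings."""
    m = _LINE_RE.search(line)
    if m is None:
        raise ValueError("not a Loki YARA match line")
    # Loki lists matches as "Str1: ... Str2: ..."; split on those labels.
    strings = [s for s in re.split(r"\s*Str\d+: ", m.group("matches")) if s]
    return {
        "rule": m.group("rule"),
        "file": m.group("file"),
        "first_bytes": bytes.fromhex(m.group("fb")),
        "strings": strings,
    }


def identify_format(first_bytes):
    """Name the file format from its leading bytes (cffaedfe is Mach-O 64-bit)."""
    for magic, name in MAGICS:
        if first_bytes.startswith(magic):
            return name
    return "unknown"


def rule_fires(strings, data):
    """Replay a YARA 'all of them' condition: every string must occur in the buffer."""
    return all(s.encode() in data for s in strings)


def triage(line, benign_samples):
    """Flag rule strings that also occur in known-good samples; those carry no signal."""
    hit = parse_loki_match(line)
    generic = sorted({s for s in hit["strings"] for b in benign_samples if s.encode() in b})
    return {
        "rule": hit["rule"],
        "file": hit["file"],
        "format": identify_format(hit["first_bytes"]),
        "fires_on_benign": any(rule_fires(hit["strings"], b) for b in benign_samples),
        "generic_strings": generic,
        "specific_strings": [s for s in hit["strings"] if s not in generic],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(LOG_LINE, [BENIGN_SCREEN_BLOB]), indent=2))
```

Run against the constructed screen buffer, every one of the three strings is reported as generic and `fires_on_benign` is true: the rule is describing GNU screen's own usage text rather than anything a hack tool adds, so it will match on any OS that ships screen, Mach-O or ELF alike. Pointing `benign_samples` at the bytes of real, known-good binaries (a clean /usr/bin/screen from an install image, for instance) turns this into a quick pre-commit check for a new rule's string set.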