Top Related Projects
Repository of yara rules
Indicators of Compromises (IOC) of our various investigations
Quick Overview
Neo23x0/signature-base is a repository containing a collection of detection rules, IOCs (Indicators of Compromise), and other signatures for various security tools. It's primarily used for threat detection and incident response, providing a comprehensive set of signatures that can be integrated into security information and event management (SIEM) systems, intrusion detection systems (IDS), and other security tools.
Pros
- Extensive collection of signatures covering a wide range of threats and malware
- Regularly updated to include new and emerging threats
- Compatible with multiple security tools and platforms
- Open-source and community-driven, allowing for contributions and improvements
Cons
- Requires regular updates to maintain effectiveness against new threats
- May generate false positives if not properly tuned for specific environments
- Requires knowledge of security tools and threat detection to effectively implement
- Some signatures may be specific to certain tools or formats, limiting their universal applicability
Getting Started
To use the signatures from this repository:
- Clone the repository:
  git clone https://github.com/Neo23x0/signature-base.git
- Navigate to the specific folder containing the signatures you need (e.g., yara, sigma, iocs)
- Integrate the signatures into your security tools according to their documentation and your specific use case
- Regularly update the repository to get the latest signatures:
  cd signature-base
  git pull
- Consider contributing back to the project by submitting pull requests for new or improved signatures
Note: The specific implementation will vary depending on the security tools you're using and the type of signatures you're working with.
Competitor Comparisons
Repository of yara rules
Pros of rules
- Larger collection of YARA rules, covering a wider range of threats
- More frequent updates and contributions from the community
- Organized into categories, making it easier to find specific types of rules
Cons of rules
- Less curated, potentially leading to more false positives
- May include outdated or less reliable rules
- Lacks some of the additional tools and scripts found in signature-base
Code Comparison
signature-base example:
rule SUSP_LNK_SmallImageSize_June23 {
    meta:
        description = "Detects suspicious LNK files with small icon image sizes"
        author = "Florian Roth"
        date = "2023-06-05"
    condition:
        uint32(0x0) == 0x0000004c and uint32(0x4c) < 0x100
}
rules example:
rule MALWARE_Win_Havoc {
    meta:
        author = "ditekSHen"
        description = "Detects Havoc C2"
    strings:
        $s1 = "havoc.x64.dll" fullword ascii
        $s2 = "havoc.x86.dll" fullword ascii
    condition:
        uint16(0) == 0x5a4d and all of them
}
Both repositories provide valuable YARA rules for threat detection, but they differ in scope and curation. signature-base offers a more focused set of rules with additional tools, while rules provides a larger, community-driven collection covering a broader range of threats.
Indicators of Compromises (IOC) of our various investigations
Pros of malware-ioc
- Focuses specifically on malware Indicators of Compromise (IoCs)
- Provides IoCs in multiple formats (MISP, STIX, etc.)
- Regular updates from ESET's malware research team
Cons of malware-ioc
- Narrower scope, primarily focused on malware-related IoCs
- Less comprehensive detection rules compared to signature-base
- May require additional processing to integrate with some security tools
Code Comparison
signature-base example (YARA rule):
rule SUSP_LNK_SmallFile_with_PDFMagic {
    meta:
        description = "Detects suspicious LNK file with PDF magic header"
    strings:
        $s1 = { 4C 00 00 00 01 14 02 00 00 00 00 00 C0 00 00 00 }
        $s2 = "%PDF-"
    condition:
        uint32(0) == 0x0000004c and filesize < 1KB and all of them
}
malware-ioc example (STIX format; the hash value below is a placeholder, not a real indicator, and is not even valid hex):
<stix:STIX_Package>
  <stix:Indicators>
    <stix:Indicator>
      <indicator:Type>File Hash Watchlist</indicator:Type>
      <indicator:Observable>
        <cybox:Object>
          <cybox:Properties xsi:type="FileObj:FileObjectType">
            <FileObj:Hashes>
              <cyboxCommon:Hash>
                <cyboxCommon:Type>MD5</cyboxCommon:Type>
                <cyboxCommon:Simple_Hash_Value>a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6</cyboxCommon:Simple_Hash_Value>
              </cyboxCommon:Hash>
            </FileObj:Hashes>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
Pros of red_team_tool_countermeasures
- Focuses specifically on countermeasures against red team tools, providing targeted defense strategies
- Includes YARA rules and IOCs for detecting specific red team tools and techniques
- Regularly updated with new countermeasures as new red team tools emerge
Cons of red_team_tool_countermeasures
- Narrower scope compared to signature-base, which covers a broader range of threats
- May require more frequent updates to stay relevant against evolving red team tactics
- Less comprehensive coverage of general malware and threat detection
Code Comparison
signature-base YARA rule example:
rule SUSP_LNK_SmallImageSize {
    meta:
        description = "Detects a suspicious LNK file with a small image size"
        author = "Florian Roth"
    strings:
        $s1 = "\\RECYCLER\\" wide
    condition:
        uint16(0) == 0x004c and
        filesize < 1KB and
        $s1
}
red_team_tool_countermeasures YARA rule example:
rule Backdoor_Win_REDFLARE_1
{
    meta:
        description = "Detects REDFLARE backdoor"
    strings:
        $s1 = "initialize" fullword
        $s2 = "runCommand" fullword
    condition:
        uint16(0) == 0x5A4D and
        filesize < 1000KB and
        all of them
}
Both repositories provide valuable YARA rules for threat detection, but red_team_tool_countermeasures focuses more on specific red team tools, while signature-base offers a broader range of detection capabilities.
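The rules in the three comparisons above all rest on the same few YARA primitives: little-endian integer reads at an offset (uint16/uint32), a filesize bound, and string modifiers (fullword, wide). The following added example, which is not code from signature-base or any of the compared repositories, re-implements those conditions in plain Python over constructed sample buffers so you can see exactly what each condition tests, including the two details that most often surprise new rule authors: "MZ" reads as 0x5A4D because uint16 is little-endian, and fullword rejects hits that are part of a longer word. Rule names are taken from the page; the sample bytes are constructed.

```python
import re
import struct

# Constants from the rules shown above. The hex string of
# SUSP_LNK_SmallFile_with_PDFMagic is the start of a Windows ShellLink header.
LNK_HEADER_PREFIX = bytes.fromhex("4C000000011402000000000000C0000000")
KB = 1024  # YARA's "1KB" means 1024 bytes


def uint16(data: bytes, offset: int):
    """YARA uint16(): little-endian read; undefined (None) when out of range."""
    if offset < 0 or offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]


def uint32(data: bytes, offset: int):
    """YARA uint32(): little-endian read; undefined (None) when out of range."""
    if offset < 0 or offset + 4 > len(data):
        return None
    return struct.unpack_from("<I", data, offset)[0]


def has_fullword(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the hit may not be bordered by alphanumeric bytes."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def has_wide(data: bytes, text: str) -> bool:
    """YARA 'wide': the string is searched in its UTF-16LE encoding."""
    return text.encode("utf-16-le") in data


# One function per rule condition shown on this page.
def susp_lnk_small_imagesize_june23(data: bytes) -> bool:
    icon_size = uint32(data, 0x4C)
    return uint32(data, 0) == 0x4C and icon_size is not None and icon_size < 0x100


def malware_win_havoc(data: bytes) -> bool:
    return (uint16(data, 0) == 0x5A4D
            and has_fullword(data, b"havoc.x64.dll")
            and has_fullword(data, b"havoc.x86.dll"))


def susp_lnk_small_file_with_pdf_magic(data: bytes) -> bool:
    return (uint32(data, 0) == 0x4C and len(data) < 1 * KB
            and LNK_HEADER_PREFIX in data and b"%PDF-" in data)


def susp_lnk_small_imagesize(data: bytes) -> bool:
    return (uint16(data, 0) == 0x4C and len(data) < 1 * KB
            and has_wide(data, "\\RECYCLER\\"))


def backdoor_win_redflare_1(data: bytes) -> bool:
    return (uint16(data, 0) == 0x5A4D and len(data) < 1000 * KB
            and has_fullword(data, b"initialize")
            and has_fullword(data, b"runCommand"))


RULES = {
    "SUSP_LNK_SmallImageSize_June23": susp_lnk_small_imagesize_june23,
    "MALWARE_Win_Havoc": malware_win_havoc,
    "SUSP_LNK_SmallFile_with_PDFMagic": susp_lnk_small_file_with_pdf_magic,
    "SUSP_LNK_SmallImageSize": susp_lnk_small_imagesize,
    "Backdoor_Win_REDFLARE_1": backdoor_win_redflare_1,
}


def evaluate(data: bytes) -> dict:
    """Return {rule_name: matched} for one buffer, like a scan result."""
    return {name: fn(data) for name, fn in RULES.items()}


# Constructed sample buffers (not real files or malware): a tiny shortcut-like
# buffer with a small icon-size field at 0x4C, a UTF-16LE "\RECYCLER\" path and
# a PDF magic; and two MZ-headed buffers that differ only in word boundaries.
SAMPLE_LNK = (LNK_HEADER_PREFIX + b"\x00" * (0x4C - len(LNK_HEADER_PREFIX))
              + struct.pack("<I", 0x10)
              + "\\RECYCLER\\".encode("utf-16-le") + b"%PDF-1.4")
SAMPLE_PE = b"MZ" + b"\x00" * 62 + b"havoc.x64.dll\x00havoc.x86.dll\x00initialize\x00runCommand\x00"
SAMPLE_PE_PARTIAL = b"MZ" + b"\x00" * 62 + b"initialized\x00runCommands\x00"

if __name__ == "__main__":
    for label, buf in (("lnk", SAMPLE_LNK), ("pe", SAMPLE_PE), ("pe_partial", SAMPLE_PE_PARTIAL)):
        print(label, evaluate(buf))
```

The third buffer is the instructive one: it contains "initialized" and "runCommands", so a plain substring search would fire Backdoor_Win_REDFLARE_1, but the fullword modifier the rule uses does not. The same evaluator also shows why a rule checking uint16(0) == 0x004c (as SUSP_LNK_SmallImageSize does) is a weaker file-type gate than uint32(0) == 0x0000004c: it only looks at the first two bytes.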
README
Signature-Base
Signature-Base is the YARA signature and IOC database for our scanners LOKI and THOR Lite
Focus of Signature-Base
- High quality YARA rules and IOCs with minimal false positives
- Clear structure
- Consistent rule format
Directory Structure
- iocs - Simple IOC files (CSV)
- yara - YARA rules
- threatintel - Threat Intel API Receiver (MISP, OTX)
- misc - Other input files (not IOCs or signatures)
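The iocs directory holds simple CSV-style files. As an added example, not code from signature-base, LOKI or THOR, here is a small loader for a hash indicator list plus a lookup that hashes file contents with each algorithm the list may contain. It assumes (this page does not state the layout) one indicator per line with fields separated by ";", the digest first and a free-text description second, and "#" comment lines. The IOC lines and the "file" bytes are constructed for the demonstration; the digests are those of the sample bytes, not real indicators.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed sample in the assumed hash;description layout. The two digests
# are MD5 and SHA-256 of SAMPLE_FILE below, so the lookup has something to hit.
SAMPLE_HASH_IOCS = """\
# hash;description   (constructed sample, not a real IOC file)
5eb63bbbe01eeed093cb22bb8f5acdc3;Example dropper (MD5 of sample bytes)
B94D27B9934D3E08A52E52D7DA7DABFAC484EFE37A5380EE9088F7ACE2EFCDE9;Example dropper (SHA-256, upper case on purpose)
a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6;Placeholder that is not valid hex and must be skipped
"""

# Stand-in for the bytes of a scanned file (constructed).
SAMPLE_FILE = b"hello world"

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


def parse_hash_iocs(text: str) -> Dict[str, str]:
    """Map lower-case hex digest -> description; drop comments and malformed lines."""
    iocs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";", 1)
        digest = fields[0].strip().lower()
        description = fields[1].strip() if len(fields) > 1 else ""
        # Only MD5/SHA-1/SHA-256 lengths, only hex: a bad line must not
        # silently become an indicator that can never match.
        if len(digest) not in HASH_LENGTHS or not set(digest) <= HEX_DIGITS:
            continue
        iocs[digest] = description
    return iocs


def match_file_hashes(data: bytes, iocs: Dict[str, str]) -> Optional[Tuple[str, str, str]]:
    """Hash the bytes with each algorithm the list may use; return (algo, digest, description) of the first hit."""
    for algo in ("md5", "sha1", "sha256"):
        digest = getattr(hashlib, algo)(data).hexdigest()
        if digest in iocs:
            return algo, digest, iocs[digest]
    return None


if __name__ == "__main__":
    table = parse_hash_iocs(SAMPLE_HASH_IOCS)
    print(f"loaded {len(table)} indicator(s)")
    print(match_file_hashes(SAMPLE_FILE, table))
```

Normalising to lower case at load time matters in practice: indicator lists mix cases, while hexdigest() always returns lower case, so a dictionary lookup without normalisation silently misses upper-case entries.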
External Variables in YARA Rules
Using the YARA rules in a tool other than LOKI or THOR Lite will cause errors stating an undefined identifier. The rules that make use of external variables have been moved to the following files:
- ./yara/generic_anomalies.yar
- ./yara/general_cloaking.yar
- ./yara/gen_webshells_ext_vars.yar
- ./yara/thor_inverse_matches.yar
- ./yara/yara_mixed_ext_vars.yar
- ./yara/configured_vulns_ext_vars.yar
- ./yara/gen_fake_amsi_dll.yar
- ./yara/expl_citrix_netscaler_adc_exploitation_cve_2023_3519.yar
- ./yara/yara-rules_vuln_drivers_strict_renamed.yar
Simply remove these files if you see the error message above.
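A loader that applies this advice automatically, as an added example that is not part of signature-base: it skips the files listed above by default, or, if you would rather keep them, declares the external variables so they compile. The file names come from the list above; the set of externals (filename, filepath, extension, filetype, md5, owner) is an assumption about what LOKI-style scanners define, not something this page states, and compile_rules needs the yara-python package (pip install yara-python).

```python
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# The rule files named in the README section above: they reference external
# variables and fail with "undefined identifier" outside LOKI / THOR Lite.
EXT_VAR_RULE_FILES = frozenset({
    "generic_anomalies.yar",
    "general_cloaking.yar",
    "gen_webshells_ext_vars.yar",
    "thor_inverse_matches.yar",
    "yara_mixed_ext_vars.yar",
    "configured_vulns_ext_vars.yar",
    "gen_fake_amsi_dll.yar",
    "expl_citrix_netscaler_adc_exploitation_cve_2023_3519.yar",
    "yara-rules_vuln_drivers_strict_renamed.yar",
})

# Assumption (not stated on this page): LOKI-style scanners define these
# externals for each scanned file. Declaring them lets the files above compile;
# the values are set per scan via rules.match(..., externals=...).
LOKI_STYLE_EXTERNALS = {
    "filename": "", "filepath": "", "extension": "",
    "filetype": "", "md5": "", "owner": "",
}


def filter_rule_files(paths: Iterable[str], keep_ext_var_rules: bool = False) -> List[str]:
    """Keep *.yar paths, dropping the external-variable files unless asked to keep them."""
    kept = []
    for p in paths:
        name = Path(p).name
        if not name.endswith(".yar"):
            continue
        if not keep_ext_var_rules and name in EXT_VAR_RULE_FILES:
            continue
        kept.append(str(p))
    return sorted(kept)


def rule_files_in(yara_dir: str, keep_ext_var_rules: bool = False) -> List[str]:
    """All usable rule files directly under the repository's yara directory."""
    return filter_rule_files((str(p) for p in Path(yara_dir).iterdir()), keep_ext_var_rules)


def compile_rules(paths: Iterable[str],
                  externals: Optional[Dict[str, str]] = None) -> Tuple[Dict[str, object], Dict[str, str]]:
    """Compile each file separately with yara-python and collect per-file failures.

    Compiling file by file keeps one broken rule file from taking the whole
    rule set down, and the failures dict tells you which file to remove or fix.
    """
    import yara  # imported lazily so the filters above work without yara-python installed
    compiled, failures = {}, {}
    for p in paths:
        try:
            compiled[Path(p).stem] = yara.compile(filepath=p, externals=externals or {})
        except yara.Error as exc:  # yara.SyntaxError is a subclass of yara.Error
            failures[p] = str(exc)
    return compiled, failures


if __name__ == "__main__":
    import sys
    with_externals = "--with-externals" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--with-externals"]
    yara_dir = args[0] if args else "./yara"
    files = rule_files_in(yara_dir, keep_ext_var_rules=with_externals)
    rules, failures = compile_rules(files, LOKI_STYLE_EXTERNALS if with_externals else None)
    print(f"compiled {len(rules)} file(s), {len(failures)} failed")
    for path, err in failures.items():
        print(f"  {path}: {err}")
```

Run it as python load_rules.py ./yara after cloning; add --with-externals to keep the listed files and compile them with the assumed externals declared instead of removing them.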
High Quality YARA Rules Feed
If you like these rules, please check out our commercial rule set and rule feed service, which contains higher-quality rules and 20 times as many of them.
FAQs
How can I report false positives?
Use the issues section of this repository.
How can I help with bugs in rules?
Navigate to the file in this repository. Click on the "edit" symbol in the upper right corner. Edit the file and create a pull request.
How can I provide a YARA rule or IOCs?
I accept pull requests. See this thread for some help on how to create such a request.
What are the differences between THOR Lite and LOKI?
See our comparison table here.
License
On 13.08.2021 this repository switched its license to "Detection Rule License (DRL) 1.1" (URL: https://raw.githubusercontent.com/Neo23x0/signature-base/master/LICENSE). The last version of the rule set released under the old CC-BY-NC can be found here.
All signatures and IOC files in this repository, except the YARA rules that explicitly indicate a different license (see "license" meta data), are licensed under the Detection Rule License (DRL) 1.1.