Skip to content

R
rules
Switch branch/tag
Find file
BlameHistoryPermalink
image.yar 811 Bytes
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 
/*
    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and 
    open to any user or organization, as long as you use it under this license.
*/

rule with_images {
	meta:
		author = "Antonio Sanchez <asanchez@hispasec.com>"
		reference = "http://laboratorio.blogs.hispasec.com/"
		description = "Rule to detect the presence of an or several images"
	strings:
		$a = ".jpg" nocase
		$b = ".png" nocase
		$c = ".bmp" nocase
	condition:
		any of them
}

rule without_images {
	meta:
		author = "Antonio Sanchez <asanchez@hispasec.com>"
		reference = "http://laboratorio.blogs.hispasec.com/"
		description = "Rule to detect the no presence of any image"
	strings:
		$a = ".jpg" nocase
		$b = ".png" nocase
		$c = ".bmp" nocase
	condition:
		not $a and not $b and not $c
}