Marking Surtr referenced rules RSharedStrings, RemoteStrings, and…

Marking Surtr referenced rules RSharedStrings, RemoteStrings, and GmRemoteStrings as private to limit false alerts. RSharedStrings alerts on Microsoft signed wininet.dll 6B39A43271B0A631EAEFDAFDD51D17E3 SharedStrings alerts on Microsoft signed ntoskrnl.exe 68762D4C4412B4BB52BE2FC11F977503 Signed-off-by: Ryan B <randomrhythm@rhythmengineering.com>

Marking Surtr referenced rules RSharedStrings, RemoteStrings, and…
Marking Surtr referenced rules RSharedStrings, RemoteStrings, and GmRemoteStrings as private to limit false alerts. RSharedStrings alerts on Microsoft signed wininet.dll 6B39A43271B0A631EAEFDAFDD51D17E3 SharedStrings alerts on Microsoft signed ntoskrnl.exe 68762D4C4412B4BB52BE2FC11F977503 Signed-off-by: Ryan B <randomrhythm@rhythmengineering.com>
1384b638 · Ryan B · 0364f63b · 1384b638
Commit 1384b638 authored 4 years ago by Ryan B
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

MALW_Surtr.yar malware/MALW_Surtr.yar +3 -3

No files found.
--- a/malware/MALW_Surtr.yar
+++ b/malware/MALW_Surtr.yar
@@ -5,7 +5,7 @@

 import "pe"

-rule RSharedStrings : Surtr Family {
+private rule RSharedStrings : Surtr Family {
 	meta:
 		description = "identifiers for remote and gmremote"
 		author = "Katie Kleemola"
@@ -24,7 +24,7 @@ rule RSharedStrings : Surtr Family {

 }

-rule RemoteStrings : Remote Variant Surtr Family {
+private rule RemoteStrings : Remote Variant Surtr Family {
 	meta:
 		description = "indicators for remote.dll - surtr stage 2"
 		author = "Katie Kleemola"
@@ -39,7 +39,7 @@ rule RemoteStrings : Remote Variant Surtr Family {
 		any of them
 }

-rule GmRemoteStrings : GmRemote Variant Family Surtr {
+private rule GmRemoteStrings : GmRemote Variant Family Surtr {
 	meta:
 		description = "identifiers for gmremote: surtr stage 2"
 		author = "Katie Kleemola"