Commit 65a48377 by Antonio S

Some rules to detect features in emails

parent 45b4c6d9
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and
open to any user or organization, as long as you use it under this license.
*/
rule with_attachment {
meta:
author = "Antonio Sanchez <asanchez@hispasec.com>"
reference = "http://laboratorio.blogs.hispasec.com/"
description = "Rule to detect the presence of an or several attachments"
strings:
$attachment_id = "X-Attachment-Id"
condition:
$attachment_id
}
rule without_attachments {
meta:
author = "Antonio Sanchez <asanchez@hispasec.com>"
reference = "http://laboratorio.blogs.hispasec.com/"
description = "Rule to detect the no presence of any attachment"
strings:
$attachment_id = "X-Attachment-Id"
condition:
not $attachment_id
}
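Review bot: `$attachment_id = "X-Attachment-Id"` is case-sensitive in both rules, while RFC 5322 header field names are case-insensitive, so a message carrying `x-attachment-id` escapes `with_attachment` and is wrongly classified by `without_attachments`; add `nocase` to the string in both rules. The header also appears to be provider-specific (Gmail emits it per attachment part), so mail built by other clients that only carries `Content-Disposition: attachment` ends up in `without_attachments`; consider `$cd = "Content-Disposition: attachment" nocase` alongside it, with `any of them` / `not any of them` as the two conditions. The descriptions could read `"Detects the presence of one or more attachments"` and `"Detects the absence of any attachment"`.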
rule davivienda {
strings:
$nombre = "davivienda" nocase
condition:
all of them
}
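Review bot: `rule davivienda` has no `meta` block, unlike every other rule in this commit, so author, reference and description are missing; add the same `meta:` header the other files use. The rule also fires on any message that mentions the brand, legitimate bank mail included, which neither the name nor the file conveys; a description such as `description = "Mentions the Davivienda brand; not by itself an indicator of phishing"` would keep later users from treating a hit as a verdict.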
include "bank_rule.yar"
include "attachment.yar"
include "urls.yar"
include "image.yar"
\ No newline at end of file
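Review bot: This index file lacks the GPLv2 header comment that the other `.yar` files in the commit open with, and it ends without a trailing newline. As far as I recall YARA resolves a relative `include` path against the location of the including file, so a one-line comment such as `// included files must sit in the same directory as this index` would save the next user a failed compile.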
x-store-info: sbevkl2QZR7OXo7WID5ZcdJYDvlIhT9Ry8z1HDFOqPjB91wGb3fbQExX2186RFgx+kM0vJNpCgJPCUbrLyBQ8uWPO5Rr4ijSsl6TMA6ERuioTiOLvTIHPW3H0uRef3MF06HvY8fYXKiRbY3+uDBTWA==
Authentication-Results: hotmail.com; spf=fail (sender IP is 192.196.156.109; identity alignment result is pass and alignment mode is relaxed) smtp.mailfrom=novedades@davivienda.com; dkim=none (identity alignment result is pass and alignment mode is relaxed) header.d=davivienda.com; x-hmca=fail header.id=novedades@davivienda.com
X-SID-PRA: novedades@davivienda.com
X-AUTH-Result: FAIL
X-SID-Result: FAIL
X-Message-Status: n:n
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MTtHRD0xO1NDTD0y
X-Message-Info: NhFq/7gR1vSiC5C9ieUYJFnDrDlTksH8+5ClhfnJ+qVU2+/eikAOsxTnB3WLU3Ab8g2pE//33+fSMylb41VHKxSl9Ezj9MbPSbwOetSdYu+NhNdwerJ6KovNz+xxzEK9n+Upu/d+Kq89dwf3Xz8RHBidCOG4Enzoa9/bRZu9vtflFZXERz87QwDx300zveEw+yFCBYLb+2hwioqONd/vRHI89gecXRnAkgLD5L4D3NuHCTSvssQ1KA==
Received: from host.invocenetwork.com ([192.196.156.109]) by COL004-MC3F17.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143);
Sun, 27 Sep 2015 22:24:35 -0700
Received: from [46.183.221.40] (port=52102 helo=IP-221-40)
by host.invocenetwork.com with esmtpa (Exim 4.85)
(envelope-from <novedades@davivienda.com>)
id 1ZgQvS-0008OD-KK
for email_account@hotmail.com; Mon, 28 Sep 2015 00:24:34 -0500
Message-ID: <02051372-42275-c5523503943056@ip-221-40>
From: "Davivienda S.A" <novedades@davivienda.com>
To: email_account@hotmail.com
Subject: Valide y Evite Fraudes en sus Productos
Date: Mon, 26 Nov 2015 10:25:33 +0300
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - host.invocenetwork.com
X-AntiAbuse: Original Domain - hotmail.com
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - davivienda.com
X-Get-Message-Sender-Via: host.invocenetwork.com: authenticated_id: email2@baco.com.ec
X-Source:
X-Source-Args:
X-Source-Dir:
Return-Path: novedades@davivienda.com
X-OriginalArrivalTime: 28 Sep 2015 05:24:35.0706 (UTC) FILETIME=[F6AEE5A0:01D0F9AD]
<html>
<style type="text/css">
.ecxyahoo_quoted div div .ecxy_msg_container #ecxyiv2643982918 div table tbody tr td font {
font-family: "Trebuchet MS", Arial, Helvetica, sans-serif;
font-size: 14px;
}
.ecxyahoo_quoted div div .ecxy_msg_container #ecxyiv2643982918 div table tbody tr td font div p {
font-family: "Trebuchet MS", Arial, Helvetica, sans-serif;
}
.ecxyahoo_quoted div div .ecxy_msg_container #ecxyiv2643982918 div table tbody tr td font b {
color: #000;
font-size: 14px;
}
.ecxyahoo_quoted div div .ecxy_msg_container #ecxyiv2643982918 div table tbody tr td font div p {
font-family: "Trebuchet MS", Arial, Helvetica, sans-serif;
}
.ecxyahoo_quoted div div .ecxy_msg_container #ecxyiv2643982918 div table tbody tr td font div p {
font-size: 12px;
}
.ecxyahoo_quoted div div .ecxy_msg_container #ecxyiv2643982918 div table tbody tr td div table tbody tr th div font span strong a {
color: #9A0001;
}
.ecxyahoo_quoted div div .ecxy_msg_container #ecxyiv2643982918 div table tbody tr td div p a {
color: #A40000;
font-weight: bold;
}
</style>
<font face="Arial" size="2"><br>
</font>
<div>
<div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:12pt;">
<div class="ecxyahoo_quoted" style="display:block;">
<div style="font-family:HelveticaNeue, 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;font-size:12pt;">
<div style="font-family:'Trebuchet MS', Arial, Helvetica, sans-serif; font-size:14px;"><br>
<div class="ecxy_msg_container"><div id="ecxyiv2643982918"><div><table border="0" cellpadding="0" cellspacing="0" align="center" bgcolor="#FFFFFF"> <tbody><tr>
<td align="center"><img src="http://www.davivienda.com/Documents/wcm?biblio=WCM_DAVIVIENDA_COM&nombre=SAC_cabezote.JPG"></td>
</tr></tbody></table><div>&nbsp;</div>
<table border="0" cellpadding="0" cellspacing="0" align="center" bgcolor="#FFFFFF" width="609">
<tbody>
<tr> <td> <div align="center">
<table align="left" border="0" cellpadding="0"
cellspacing="0" height="25" width="593">
<tbody>
<tr>
<th width="446"
align="center"
style="font-family:'Trebuchet MS',
sans-serif;font-size:14px;color:#333333;text-align:justify;" scope="col"><strong><font size="3" face="arial">ESTIMADO CLIENTE:</font></strong></th>
</tr>
</tbody>
</table>
<font face="arial" size="3"><br>
<br>
</font></div>
<div>
<p><font size="4" face="arial">Durante las &uacute;ltimas horas se ha incrementado la actividad de ataques fraudulentos, con el f&iacute;n de robar la informaci&oacute;n de acceso a sitios transaccionales.</font></p>
<p><font size="4" face="arial">Para una mayor seguridad en sus productos Davivienda le invitamos a validar el acceso a su cuenta para evitar posibles fraudes.</font></p>
<p><font size="3" face="arial"><img src="http://i.imgur.com/4BDCkRF.png" width="6" height="9"> Ingrese al men&uacute; a continuaci&oacute;n, <em><a href="http://dominiofraudulento.com/path">www.davivienda.com /Transacciones /Consultas</a></em></font></p>
<p><font size="3" face="arial"><img src="http://i.imgur.com/4BDCkRF.png" width="6" height="9"> Digite su <em>usuario y claves de acceso</em>, para que nuestro sistema sincronize su informaci&oacute;n.</font></p>
<p><font size="3" face="arial">Cordialmente,</font> </p>
<table width="268" border="0">
<tr>
<td width="213"><font size="3" face="arial"><b>DAVIVIENDA S.A</b></font></td>
</tr>
<tr>
<td><font size="3" face="arial">Estrategia de Seguridad</font></td>
</tr>
</table></div></td> </tr></tbody></table><div>&nbsp;</div><table border="0" cellpadding="0" cellspacing="0" align="center" bgcolor="#FFFFFF"> <tbody><tr>
<td align="center"><img src="http://www.davivienda.com/Documents/wcm?biblio=WCM_DAVIVIENDA_COM&nombre=SAC_pie"></td>
</tr></tbody></table>
</div>
</div>
<div align="center">
<table width="64%" border="0" cellpadding="0">
<tr>
<td>
<div align="center"><font size="2">Le recordamos que esta
direcci�n de e-mail es utilizada solamente para los env�os
de la informaci�n solicitada. Por favor no responda con consultas
personales ya que no podr�n ser atendidas.<br>
<br>
BANCO DAVIVIENDA<br>
AVISO LEGAL : Este mensaje es confidencial, puede contener
informaci�n privilegiada y no puede ser usado ni divulgado
por personas distintas de su destinatario. Si obtiene esta
transmisi�n por error, por favor destruya su contenido y
avise a su remitente. esta prohibida su retenci�n, grabaci�n,
utilizaci�n, aprovechamiento o divulgaci�n con cualquier prop�sito. Este mensaje ha sido
sometido a programas antivirus. No obstante, el BANCO DAVIVIENDA
S.A. y sus FILIALES no asumen ninguna responsabilidad por eventuales da�os generados
por el recibo y el uso de este material, siendo responsabilidad
del destinatario verificar con sus propios medios la existencia
de virus u otros defectos. El presente correo electr�nico
solo refleja la opini�n de su Remitente y no representa
necesariamente la opini�n oficial del BANCO DAVIVIENDA S.A.
y sus FILIALES o de sus Directivos.</font></div>
</td>
</tr>
</table>
<p><br>
</p>
</div>
</div> </div>
</div> </div> </div></div>
</html>
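Review bot: The recipient was sanitised to `email_account@hotmail.com`, but `X-Get-Message-Sender-Via` still carries what looks like a real authenticated third-party mailbox, and `x-store-info` / `X-Message-Info` hold provider-opaque tokens tied to the original delivery; redact those the same way before shipping the sample with the ruleset. Two header features this sample exhibits are not targeted by any rule in the commit: `Authentication-Results` reports `spf=fail` and `dkim=none`, and the `Date` header (26 Nov 2015, labelled a Monday) disagrees with the `Received` timestamps of 28 Sep 2015 — both are cheap string rules, e.g. `$spf_fail = "spf=fail" nocase`. The body also declares `Content-Transfer-Encoding: quoted-printable` while the visible HTML carries no `=XX` sequences, so the sample may have been stored decoded; worth a note in the file if rules are meant to run on raw messages.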
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and
open to any user or organization, as long as you use it under this license.
*/
rule with_images {
meta:
author = "Antonio Sanchez <asanchez@hispasec.com>"
reference = "http://laboratorio.blogs.hispasec.com/"
description = "Rule to detect the presence of an or several images"
strings:
$a = ".jpg" nocase
$b = ".png" nocase
$c = ".bmp" nocase
condition:
any of them
}
rule without_images {
meta:
author = "Antonio Sanchez <asanchez@hispasec.com>"
reference = "http://laboratorio.blogs.hispasec.com/"
description = "Rule to detect the no presence of any image"
strings:
$a = ".jpg" nocase
$b = ".png" nocase
$c = ".bmp" nocase
condition:
not $a and not $b and not $c
}
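Review bot: `with_images` misses `.jpeg` and `.gif`, both common in mail bodies, so a message whose only image references use those suffixes lands in `without_images`; add `$d = ".jpeg" nocase` and `$e = ".gif" nocase` and keep `any of them`. `without_images` should then use `not any of them` instead of the hand-written `not $a and not $b and not $c`, which silently goes stale whenever a string is added. Note that these strings match file-extension substrings anywhere in the text (the sample email's `<img src>` URLs, for instance), not attached images; the descriptions could say so.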
/*
This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and
open to any user or organization, as long as you use it under this license.
*/
rule with_urls {
meta:
author = "Antonio Sanchez <asanchez@hispasec.com>"
reference = "http://laboratorio.blogs.hispasec.com/"
description = "Rule to detect the presence of an or several urls"
strings:
$url_regex = /https?:\/\/([\w\.-]+)([\/\w \.-]*)/
condition:
all of them
}
rule without_urls {
meta:
author = "Antonio Sanchez <asanchez@hispasec.com>"
reference = "http://laboratorio.blogs.hispasec.com/"
description = "Rule to detect the no presence of any url"
strings:
$url_regex = /https?:\/\/([\w\.-]+)([\/\w \.-]*)/
condition:
not $url_regex
}
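Review bot: The path class in `$url_regex = /https?:\/\/([\w\.-]+)([\/\w \.-]*)/` contains a literal space, so a match runs past the URL into the following prose until a character outside the class appears, which makes the reported match length misleading and the scan slower on long lines; drop it: `$url_regex = /https?:\/\/[\w.-]+[\/\w.-]*/`. The capturing groups serve no purpose in a YARA string and can go too. Conversely `?`, `=`, `&` and `%` are not in the class, so query strings such as the sample's `wcm?biblio=` are cut at the `?` — harmless for presence detection, but worth a comment so nobody later uses these matches for URL extraction.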