Create ipv4_pub

yara rule to ONLY match PUBLIC IPv4 address

Create ipv4_pub
yara rule to ONLY match PUBLIC IPv4 address
c8c198a4 · garanews · GitHub · 0d301454 · c8c198a4
Commit c8c198a4 authored Dec 02, 2016 by garanews Committed by GitHub Dec 02, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 0 deletions

ipv4_pub utils/ipv4_pub +17 -0

No files found.
--- a/utils/ipv4_pub
+++ b/utils/ipv4_pub
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as
+    long as you use it under this license.
+    This rule:
+    doesn't match this invalid ips (ex. 999.999.999.999)
+    doesn't match local IPs (172.16.0.9)
+    doesn't match broadcast IPs (ex. 60.123.247.255)
+    */
+
+rule IP {
+    meta:
+        author = "garanews"
+    strings:
+        $ip = /([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(?<!172\.(16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31))(?<!127)(?<!^10)(?<!^0)\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(?<!192\.168)(?<!172\.(16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31))\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(?<!\.0$)(?<!\.255$)
+    condition:
+        $ip
+}