Merge pull request #237 from xambroz/master

Add eml context to Yara-rules/email to avoid matching these for every file

Merge pull request #237 from xambroz/master
Add eml context to Yara-rules/email to avoid matching these for every file
d613c098 · Antonio Sánchez · GitHub · f6ea141a · 6b3e91a7 · d613c098
Commit d613c098 authored Jun 13, 2017 by Antonio Sánchez Committed by GitHub Jun 13, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 5 deletions

attachment.yar email/attachment.yar +8 -1

image.yar email/image.yar +13 -4

urls.yar email/urls.yar +9 -0

No files found.
--- a/email/attachment.yar
+++ b/email/attachment.yar
@@ -21,7 +21,14 @@ rule without_attachments : mail {
 		reference = "http://laboratorio.blogs.hispasec.com/"
 		description = "Rule to detect the no presence of any attachment"
 	strings:
+                $eml_01 = "From:"
+                $eml_02 = "To:"
+                $eml_03 = "Subject:"
 		$attachment_id = "X-Attachment-Id"
+                $mime_type = "Content-Type: multipart/mixed"
 	condition:
-		not $attachment_id
+                all of ( $eml_* ) and
+		not $attachment_id and 
+                not $mime_type
 }
+
--- a/email/image.yar
+++ b/email/image.yar
@@ -9,11 +9,15 @@ rule with_images : mail {
 		reference = "http://laboratorio.blogs.hispasec.com/"
 		description = "Rule to detect the presence of an or several images"
 	strings:
-		$a = ".jpg" nocase
-		$b = ".png" nocase
-		$c = ".bmp" nocase
+                $eml_01 = "From:"
+                $eml_02 = "To:"
+                $eml_03 = "Subject:"
+		$img_a = ".jpg" nocase
+		$img_b = ".png" nocase
+		$img_c = ".bmp" nocase
 	condition:
-		any of them
+                all of ( $eml_* ) and
+		any of ( $img_* )
 }

 rule without_images : mail {
@@ -22,9 +26,14 @@ rule without_images : mail {
 		reference = "http://laboratorio.blogs.hispasec.com/"
 		description = "Rule to detect the no presence of any image"
 	strings:
+                $eml_01 = "From:"
+                $eml_02 = "To:"
+                $eml_03 = "Subject:"
+
 		$a = ".jpg" nocase
 		$b = ".png" nocase
 		$c = ".bmp" nocase
 	condition:
+                all of ( $eml_* ) and
 		not $a and not $b and not $c
 }
--- a/email/urls.yar
+++ b/email/urls.yar
@@ -9,6 +9,10 @@ rule with_urls : mail {
 		reference = "http://laboratorio.blogs.hispasec.com/"
 		description = "Rule to detect the presence of an or several urls"
 	strings:
+                $eml_01 = "From:"
+                $eml_02 = "To:"
+                $eml_03 = "Subject:"
+
 		$url_regex = /https?:\/\/([\w\.-]+)([\/\w \.-]*)/
 	condition:
 		all of them
@@ -20,7 +24,12 @@ rule without_urls : mail {
 		reference = "http://laboratorio.blogs.hispasec.com/"
 		description = "Rule to detect the no presence of any url"
 	strings:
+                $eml_01 = "From:"
+                $eml_02 = "To:"
+                $eml_03 = "Subject:"
+
 		$url_regex = /https?:\/\/([\w\.-]+)([\/\w \.-]*)/
 	condition:
+                all of ( $eml_* ) and
 		not $url_regex
 }