Merge pull request #247 from FliegenEinhorn/master

Thanks! moving rule maldoc_OLE_file_magic_number to utils/magic.yar

Merge pull request #247 from FliegenEinhorn/master
Thanks! moving rule maldoc_OLE_file_magic_number to utils/magic.yar
eced3058 · Antonio Sánchez · GitHub · 472fbbc2 · c20179c3 · eced3058
Commit eced3058 authored Jul 11, 2017 by Antonio Sánchez Committed by GitHub Jul 11, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 14 additions and 10 deletions

maldoc_somerules.yar Malicious_Documents/maldoc_somerules.yar +0 -10

magic.yar utils/magic.yar +14 -0

No files found.
--- a/Malicious_Documents/maldoc_somerules.yar
+++ b/Malicious_Documents/maldoc_somerules.yar
@@ -127,16 +127,6 @@ rule maldoc_getEIP_method_4 : maldoc
        any of them
 }
-rule maldoc_OLE_file_magic_number : maldoc
-{
-    meta:
-        author = "Didier Stevens (https://DidierStevens.com)"
-    strings:
-        $a = {D0 CF 11 E0}
-    condition:
-        $a
-}
 // 20150909 - Issue #39 - Commented because of High FP rate
 /*
 rule maldoc_suspicious_strings : maldoc

--- a/utils/magic.yar
+++ b/utils/magic.yar
+/*
+    This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as    long as you use it under this license.
+*/
+rule maldoc_OLE_file_magic_number : maldoc
+{
+    meta:
+        author = "Didier Stevens (https://DidierStevens.com)"
+    strings:
+        $a = {D0 CF 11 E0}
+    condition:
+        $a
+}