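/*
    Neo23x0SigmaUserAgentMatch

    Matches HTTP User-Agent substrings that the Sigma proxy rule set
    (https://github.com/Neo23x0/sigma/tree/master/rules/proxy) associates
    with scanners, exploitation tooling and malware downloaders.

    Detection logic: `1 of them` -- a single substring hit anywhere in the
    scanned buffer fires the rule, so the rule's precision is bounded by its
    weakest string. Strings that are short or generic are marked below with
    NOTE(review) so that a consumer can drop them or move them into a
    separate, lower-confidence rule before deploying this against live
    proxy logs.

    YARA string matching is case-sensitive unless a string carries the
    `nocase` modifier; no string here does, so e.g. "sqlmap" will not match
    "SQLMap". The upstream Sigma rules are presumably evaluated
    case-insensitively by most backends -- confirm before relying on the
    lowercase entries for coverage.

    Changes from the original listing: two byte-identical duplicate strings
    were removed (the former $string93 duplicated $string92, the former
    $string124 duplicated $string123). Under `1 of them` this does not change
    which inputs match.
*/
rule Neo23x0SigmaUserAgentMatch
{
    meta:
        author = "@neonprimetime"
        description = "@Neo23x0 Proxy User Agent Rules https://github.com/Neo23x0/sigma/tree/master/rules/proxy"
        reference = "https://github.com/Neo23x0/sigma/tree/master/rules/proxy"
    strings:
        // Malformed or suspicious User-Agent fragments (missing spaces, odd tokens)
        $string1 = "(compatible;MSIE"
        $string2 = "BFAC"
        $string3 = "BGroom"
        $string4 = "CholTBAgent"
        $string5 = "Havij"
        $string7 = "adlib/"
        $string8 = "arachni/"
        // NOTE(review): 3-byte atom; will hit on many unrelated strings and YARA
        // may warn that it slows scanning. Consider dropping or anchoring.
        $string9 = "asd"
        $string10 = "brutus"
        $string11 = "cgichk"
        $string12 = "changhuatong"
        $string13 = "crimscanner/"
        $string14 = "inspath"
        // NOTE(review): "mdms", "metis" and "tiny" are common substrings of
        // ordinary words; expect false positives under `1 of them`.
        $string15 = "mdms"
        $string16 = "metis"
        $string17 = "pxyscand"
        $string18 = "tiny"
        $string19 = "vega/"
        $string20 = "whcc/"
        $string21 = "zmeu"
        $string22 = "(Charon; Inferno)"
        $string23 = "(hydra)"
        $string24 = ".0;Windows NT"
        // NOTE(review): 3-byte atom, same concern as "asd".
        $string25 = "<|>"
        // NOTE(review): "Bot" (case-sensitive) also matches legitimate crawlers
        // such as "Googlebot"/"bingbot"; $string136 below already targets a
        // specific spoofed Googlebot UA.
        $string26 = "Bot"
        // NOTE(review): "Microsoft Internet Explorer", "Internet Explorer" and
        // "Netscape" are broad; they catch anomalous UAs but also some legacy
        // clients -- evaluate against a baseline of your proxy logs.
        $string27 = "Microsoft Internet Explorer"
        $string28 = "Telegram"
        // Web-scanner and SQL-injection tool identifiers (lowercase; case-sensitive match)
        $string29 = "absinthe"
        $string30 = "bsqlbf"
        $string31 = "core-project/1.0"
        $string32 = "datacha0s"
        $string33 = "dirbuster"
        $string34 = "domino hunter"
        $string35 = "dotdotpwn"
        // NOTE(review): the bare word "exploit" is generic; it will also match
        // benign URLs and research-related traffic.
        $string36 = "exploit"
        $string37 = "floodgate"
        $string38 = "get-minimal"
        $string39 = "gootkit auto-rooter scanner"
        $string40 = "grendel-scan"
        $string41 = "internet ninja"
        $string42 = "jaascois"
        $string43 = "masscan"
        $string44 = "morfeus fucking scanner"
        $string45 = "mysqloit"
        $string46 = "n-stealth"
        $string47 = "nsauditor"
        $string48 = "pangolin"
        $string49 = "pmafind"
        $string50 = "security scan"
        $string51 = "springenwerk"
        $string52 = "sql power injector"
        $string53 = "sqlmap"
        $string54 = "sqlninja"
        $string55 = "teh forest lobster"
        $string56 = "toata dragostea"
        $string57 = "uil2pn"
        $string58 = "voideye"
        $string59 = "webshag"
        $string60 = "webvulnscan"
        $string61 = "wordpress hash grabber"
        $string62 = "zeroup"
        // Downloader / scripting-engine and tooling User-Agents
        $string63 = "AutoIt"
        $string64 = "CertUtil URL Agent"
        $string65 = "DotDotPwn v2.1"
        $string66 = "FHScan Core"
        $string67 = "HttpBrowser/1.0"
        $string68 = "IczelionDownLoad"
        $string69 = "Internet Explorer"
        $string75 = "Moxilla"
        // Hard-coded browser User-Agents observed in malware; exact, long
        // atoms, so these are the most precise entries in the rule.
        $string78 = "Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1"
        $string79 = "Mozilla v5.1"
        $string80 = "Mozilla/1.0"
        $string81 = "Mozilla/2.0"
        $string83 = "Mozilla/4.0 (compatible; MSI 6.0;"
        $string84 = "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)"
        $string85 = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
        $string86 = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
        $string87 = "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)"
        $string88 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)"
        $string89 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
        $string90 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)"
        $string91 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"
        $string92 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)"
        $string94 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
        $string95 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
        $string96 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR = {7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N"
        $string97 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)"
        $string98 = "Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)"
        $string99 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
        $string100 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)"
        $string101 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
        $string102 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
        $string103 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"
        $string104 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)"
        $string105 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"
        $string106 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)"
        $string107 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)"
        $string108 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)"
        $string109 = "Mozilla/4.0 (compatible; Metasploit RSPEC)"
        $string110 = "Mozilla/4.0 (compatible; RMS)"
        $string111 = "Mozilla/4.0 (compatible; SPIPE/1.0"
        $string112 = "Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)"
        $string114 = "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)"
        $string115 = "Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)"
        $string117 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)"
        $string118 = "Mozilla/5.0 (Windows NT 5.1 ; v."
        $string119 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
        $string120 = "Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko"
        $string121 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0"
        $string122 = "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/"
        $string123 = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
        $string125 = "Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0"
        // $string126 is a strict prefix of $string127; under `1 of them` the
        // longer entry is redundant but kept so the list still mirrors upstream.
        $string126 = "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2"
        $string127 = "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"
        $string128 = "Mozilla/5.0 (Windows NT 9;"
        $string129 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13"
        $string130 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1"
        $string131 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)"
        $string132 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)"
        $string133 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"
        // $string134 is a strict prefix of $string135 (same remark as $string126).
        $string134 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200"
        $string135 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7"
        // NOTE(review): this is the genuine Googlebot UA string; it matches
        // spoofed crawlers only if the scan target excludes real Google traffic
        // (e.g. by verifying source IP / reverse DNS upstream).
        $string136 = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
        $string137 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0"
        $string138 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
        $string139 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)"
        $string140 = "Mozilla/5.0 WinInet"
        $string142 = "Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)"
        $string143 = "Netscape"
        $string144 = "O/9.27 (W; U; Z)"
        $string146 = "Opera/8.81 (Windows NT 6.0; U; en)"
        $string147 = "RookIE/1.0"
        $string148 = "SIPDROID"
        $string149 = "SJZJ (compatible; MSIE 6.0; Win32)"
        $string150 = "Sametime Community Agent"
        $string151 = "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC"
        $string152 = "Wget/1.9+cvs-stable (Red Hat modified)"
        // NOTE(review): "X-FORWARDED-FOR" is a request header name, not a
        // User-Agent value; if the scanned buffer contains full request
        // headers this fires on every proxied request. Confirm the intended
        // input before keeping it.
        $string154 = "X-FORWARDED-FOR"
        // Cryptominer User-Agents
        $string155 = "XMRig"
        $string157 = "backdoorbot"
        $string158 = "ccminer"
        $string159 = "hots scot"
        // NOTE(review): "nocase", "sample", "ruler" and "user-agent" look
        // unlike UA indicators ("nocase" is a YARA string modifier; "user-agent"
        // is the header name itself). They may be transcription artifacts from
        // the source rules -- verify against upstream before relying on them,
        // as each will match essentially any raw HTTP request.
        $string160 = "nocase"
        $string161 = "nsis_inetc (mozilla)"
        $string162 = "ruler"
        $string163 = "sample"
        $string164 = "user-agent"
    condition:
        // Any single indicator is sufficient; see header comment on precision.
        1 of them
}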