
Thursday, December 5, 2019

Neo23x0 Sigma Proxy Rules converted to simple Yara

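// Flat conversion of the Sigma proxy user-agent rule set (see the reference
// below) into one YARA rule: every Sigma value became a single case-sensitive
// substring and the rule fires on any one hit ("1 of them").
// Caveats before pointing this at proxy logs or pcap:
//  * Sigma string matching is case-insensitive; YARA strings are case-sensitive
//    unless marked `nocase`, so this conversion matches less than the source
//    rules do. Add `nocase` per string where that matters to you.
//  * Several values are short or generic ("asd", "Bot", "tiny", "exploit",
//    "sample", "user-agent"); under "1 of them" each alone is a hit, so expect
//    noise and prune or `fullword`-restrict them for your environment.
//  * With "1 of them", a long value that contains a shorter one (e.g. $string90
//    contains $string89) can never change the verdict; such entries are kept
//    only so the reported match names the exact UA that was seen. Two exact
//    duplicates of the original list were dropped (they added nothing).
rule Neo23x0SigmaUserAgentMatch
{
meta:
 author = "@neonprimetime"
 description = "@Neo23x0 Proxy User Agent Rules https://github.com/Neo23x0/sigma/tree/master/rules/proxy"
 reference = "https://github.com/Neo23x0/sigma/tree/master/rules/proxy"
 date = "2019-12-05"
strings:
 // Scanner / hacktool names and UA fragments. Plain substring matches: a value
 // like "tiny" or "asd" will hit inside unrelated words.
 $string1 = "(compatible;MSIE"
 $string2 = "BFAC"
 $string3 = "BGroom"
 $string4 = "CholTBAgent"
 $string5 = "Havij"
 $string7 = "adlib/"
 $string8 = "arachni/"
 $string9 = "asd"   // 3-byte substring: very weak; YARA may warn it slows scanning
 $string10 = "brutus"
 $string11 = "cgichk"
 $string12 = "changhuatong"
 $string13 = "crimscanner/"
 $string14 = "inspath"
 $string15 = "mdms"
 $string16 = "metis"
 $string17 = "pxyscand"
 $string18 = "tiny"   // generic substring, high false-positive potential
 $string19 = "vega/"
 $string20 = "whcc/"
 $string21 = "zmeu"
 $string22 = "(Charon; Inferno)"
 $string23 = "(hydra)"
 $string24 = ".0;Windows NT"   // missing space after ';' is the signal, not the text
 $string25 = "<|>"
 $string26 = "Bot"   // 3-byte substring, case-sensitive; weak on its own
 $string27 = "Microsoft Internet Explorer"   // already covered by $string69
 $string28 = "Telegram"
 $string29 = "absinthe"
 $string30 = "bsqlbf"
 $string31 = "core-project/1.0"
 $string32 = "datacha0s"
 $string33 = "dirbuster"
 $string34 = "domino hunter"
 $string35 = "dotdotpwn"
 $string36 = "exploit"   // generic word, high false-positive potential
 $string37 = "floodgate"
 $string38 = "get-minimal"
 $string39 = "gootkit auto-rooter scanner"
 $string40 = "grendel-scan"
 $string41 = "internet ninja"
 $string42 = "jaascois"
 $string43 = "masscan"
 $string44 = "morfeus fucking scanner"
 $string45 = "mysqloit"
 $string46 = "n-stealth"
 $string47 = "nsauditor"
 $string48 = "pangolin"
 $string49 = "pmafind"
 $string50 = "security scan"
 $string51 = "springenwerk"
 $string52 = "sql power injector"
 $string53 = "sqlmap"
 $string54 = "sqlninja"
 $string55 = "teh forest lobster"
 $string56 = "toata dragostea"
 $string57 = "uil2pn"
 $string58 = "voideye"
 $string59 = "webshag"
 $string60 = "webvulnscan"
 $string61 = "wordpress hash grabber"
 $string62 = "zeroup"
 // Full or partial user-agent values (mostly malformed or known-bad browser
 // impersonations). Case-sensitive and exact as listed.
 $string63 = "AutoIt"
 $string64 = "CertUtil URL Agent"
 $string65 = "DotDotPwn v2.1"
 $string66 = "FHScan Core"
 $string67 = "HttpBrowser/1.0"
 $string68 = "IczelionDownLoad"
 $string69 = "Internet Explorer"
 $string75 = "Moxilla"
 $string78 = "Mozilla v5.1 (Windows NT 6.1; rv:6.0.1) Gecko/20100101 Firefox/6.0.1"
 $string79 = "Mozilla v5.1"
 $string80 = "Mozilla/1.0"
 $string81 = "Mozilla/2.0"
 $string83 = "Mozilla/4.0 (compatible; MSI 6.0;"
 $string84 = "Mozilla/4.0 (compatible; MSIE 11.0; Windows NT 6.1; SV1)"
 $string85 = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
 $string86 = "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
 $string87 = "Mozilla/4.0 (compatible; MSIE 6.0; DynGate)"
 $string88 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR  1.1.4322)"
 $string89 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
 $string90 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1)"
 $string91 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2)"
 $string92 = "Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)"
 $string94 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0)"
 $string95 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
 $string96 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR = {7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}; SLCC1; .N"
 $string97 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)"
 $string98 = "Mozilla/4.0 (compatible; MSIE 7.4; Win32;32-bit)"
 $string99 = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)"
 $string100 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)"
 $string101 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
 $string102 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
 $string103 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"
 $string104 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; SV1)"
 $string105 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"
 $string106 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; .NET CLR 1.1.4322)"
 $string107 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)"
 $string108 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)"
 $string109 = "Mozilla/4.0 (compatible; Metasploit RSPEC)"
 $string110 = "Mozilla/4.0 (compatible; RMS)"
 $string111 = "Mozilla/4.0 (compatible; SPIPE/1.0"
 $string112 = "Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)"   // already covered by $string1 and $string24
 $string114 = "Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)"
 $string115 = "Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)"
 $string117 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)"
 $string118 = "Mozilla/5.0 (Windows NT 5.1 ; v."
 $string119 = "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
 $string120 = "Mozilla/5.0 (Windows NT 6.1; WOW64) WinHttp/1.6.3.8 (WinHTTP/5.1) like Gecko"
 $string121 = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Chrome /53.0"
 $string122 = "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:20.0) Gecko/20100101 Firefox/"
 $string123 = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0"
 $string125 = "Mozilla/5.0 (Windows NT 6.3; rv:39.0) Gecko/20100101 Firefox/35.0"
 $string126 = "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/2"
 $string127 = "Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0"   // already covered by $string126
 $string128 = "Mozilla/5.0 (Windows NT 9;"
 $string129 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13"
 $string130 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Firefox/3.6.13 GTB7.1"
 $string131 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30729)"
 $string132 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.1 (.NET CLR 3.5.30731)"
 $string133 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)"
 $string134 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/200"
 $string135 = "Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-EN; rv:1.7.12) Gecko/20100719 Firefox/1.0.7"   // already covered by $string134
 $string136 = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
 $string137 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0;  Trident/5.0"
 $string138 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"
 $string139 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; MAAU)"
 $string140 = "Mozilla/5.0 WinInet"
 $string142 = "Mozilla/6.1 (compatible; MSIE 9.0; Windows NT 5.3; Trident/5.0)"
 $string143 = "Netscape"
 $string144 = "O/9.27 (W; U; Z)"
 $string146 = "Opera/8.81 (Windows NT 6.0; U; en)"
 $string147 = "RookIE/1.0"
 $string148 = "SIPDROID"
 $string149 = "SJZJ (compatible; MSIE 6.0; Win32)"
 $string150 = "Sametime Community Agent"
 $string151 = "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC"   // header name inside the value is the signal
 $string152 = "Wget/1.9+cvs-stable (Red Hat modified)"
 $string154 = "X-FORWARDED-FOR"   // a header name appearing inside the UA value
 $string155 = "XMRig"
 $string157 = "backdoorbot"
 $string158 = "ccminer"
 $string159 = "hots scot"
 $string160 = "nocase"   // NOTE(review): may be a conversion artifact (a YARA modifier, not a UA value) - confirm against the upstream Sigma rule
 $string161 = "nsis_inetc (mozilla)"
 $string162 = "ruler"
 $string163 = "sample"   // generic word, high false-positive potential
 $string164 = "user-agent"   // literal header name inside the value; generic
condition:
 // Any single hit fires; see the header comment on the weak entries before
 // deploying this unmodified.
 1 of them
}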