phbiohazard/Yara

Yara rules UPDATED twice a day

Specific rules for specific file-detection needs.

What makes SPECTRE.PTN distinctive is that it uses the YARA engine to detect, by SHA256 hash, malicious files present in the file system.

Most of the hashes come from ABUSE.CH, but some are added according to our needs. Since we found some false positives, every hash is first checked against our false-positive database of over 70,000 entries before the SPECTRE.PTN file is generated, which minimizes the risk of irrelevant alerts.

SPECTRE.PTN is updated every 12 hours 7 days a week.
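As an added illustration (not code from this repository), the generation step described above can be sketched as: read a hash feed, drop every entry found in the false-positive list, and emit a YARA rule that compares each file's whole-content SHA256 through YARA's hash module. The feed, the false-positive list and the rule name are constructed assumptions.

```python
import re

# Constructed sample inputs (not real feed data): an abuse.ch style hash-per-line
# feed and a false-positive list. The second feed hash is the SHA256 of an empty
# file, a classic source of irrelevant alerts, so it sits on the false-positive list.
SAMPLE_FEED = """# constructed feed
0000000000000000000000000000000000000000000000000000000000000001
E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
0000000000000000000000000000000000000000000000000000000000000002
not-a-hash
"""
SAMPLE_FALSE_POSITIVES = """e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_hashes(text):
    """Return the set of well-formed SHA256 hashes (one per line), lowercased."""
    hashes = set()
    for line in text.splitlines():
        value = line.strip().lower()  # YARA's hash module returns lowercase hex
        if SHA256_RE.match(value):
            hashes.add(value)
    return hashes


def build_rule(feed_text, fp_text, rule_name="spectre_sha256"):
    """Return (kept_hashes, rule_text): a YARA rule whose condition matches a
    file whose SHA256 is in the feed but not in the false-positive list."""
    kept = sorted(parse_hashes(feed_text) - parse_hashes(fp_text))
    if kept:
        condition = " or\n        ".join(
            f'hash.sha256(0, filesize) == "{h}"' for h in kept
        )
    else:
        condition = "false"  # an empty hash set must never match every file
    rule = (
        'import "hash"\n\n'
        f"rule {rule_name}\n{{\n"
        "    meta:\n"
        '        description = "SHA256 matches after false-positive filtering"\n'
        "    condition:\n"
        f"        {condition}\n"
        "}\n"
    )
    return kept, rule
```

Writing the returned rule text to spectre.ptn gives a file usable with yara -r spectre.ptn <directory>, provided the YARA build includes the hash module.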

To optimize scanning time, do not scan the Windows directory unless you believe it is necessary.

To scan with spectre.ptn, target the USERS directories, including the network directories and especially %APPDATA%, which is a hidden directory under Windows\Users.

HOW TO USE:

Syntax: yara -r spectre.ptn c:\directory

Please check the YARA documentation for the syntax on Linux.

Tested with YARA v3.2.0 & v4.2.2

---Thanks---

Thanks to ABUSE.CH for its database, which makes up most of the spectre.ptn contents.

A big thanks to Benoit Deries for his contribution, following the project instructions from Marc Blanchard.

About

Rules detections contributions
