Hi Jim,

You are very welcome. :)

Well, if you are running Yara under Windows, an interesting project would be to use TrID [1] to guess the file type, write a script to parse its output, define an external variable (a string containing the file type) and check this from the yara rule [2]. Of course, another option is to start your own magic database using Yara rules. I know of nothing public, so it will probably be well received by the community. Maybe it is possible to convert a "magic rule" [3] to a "yara rule", even programmatically.

[1] http://mark0.net/soft-trid-e.html
[2] https://yara.readthedocs.io/en/v3.5.0/writingrules.html#external-variables
[3] https://github.com/file/file/tree/master/magic/Magdir

Att,
@MercesFernando
mentebinaria.com.br <http://www.mentebinaria.com.br>

---------------------------

On Sat, Nov 26, 2016 at 11:26 PM, Corum Irsei <[email protected]> wrote:
> You might find what you are looking for here:
>
> http://yararules.com/
>
>
> On Friday, November 25, 2016 at 1:21:44 PM UTC-6, [email protected] wrote:
>>
>> Is there an existing rules repository for file types that can be
>> downloaded and used with Yara?
>>
>> For example, a file type rule for PE files:
>>
>> rule IsPE
>> {
>>     condition:
>>         // MZ signature at offset 0 and ...
>>         uint16(0) == 0x5A4D and
>>         // ... PE signature at offset stored in MZ header at 0x3C
>>         uint32(uint32(0x3C)) == 0x00004550
>> }
>>
>> Thanks,
>> Jim
>>
> --
> You received this message because you are subscribed to the Google Groups "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
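The PE check in Jim's quoted rule, and Fernando's idea of feeding a file-type string into YARA as an external variable, as an added Python example that is not part of the thread. It mirrors the rule's condition byte for byte, including the case YARA handles implicitly: when the offset read from 0x3C lies outside the file, `uint32()` is undefined and the whole condition is false, so the Python version returns `None` from the bounds-checked readers and treats that as a non-match. The type names (`pe`, `elf`, `unknown`) and the helper names are assumptions made up for the example; the `yara -d NAME=VALUE` form is YARA's real command-line switch for defining an external variable.

```python
"""Added example (not from the thread): a Python mirror of the quoted IsPE
YARA rule plus a tiny file-type guesser whose output could be passed to
YARA as an external variable, e.g.  yara -d filetype=pe rules.yar sample.
Type labels and function names below are assumptions for this example."""
import struct


def u16(data: bytes, off: int):
    """Little-endian uint16 at `off`, or None when the read is out of bounds.
    YARA's uint16() is undefined there and makes the condition evaluate false."""
    if off < 0 or off + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, off)[0]


def u32(data: bytes, off: int):
    """Little-endian uint32 at `off`, or None when the read is out of bounds."""
    if off < 0 or off + 4 > len(data):
        return None
    return struct.unpack_from("<I", data, off)[0]


def is_pe(data: bytes) -> bool:
    """Same logic as the quoted rule:
    uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550"""
    if u16(data, 0) != 0x5A4D:          # 'MZ' at offset 0
        return False
    e_lfanew = u32(data, 0x3C)          # offset of the PE header
    if e_lfanew is None:                # file too short to hold e_lfanew
        return False
    return u32(data, e_lfanew) == 0x00004550   # 'PE\0\0' at e_lfanew (None != value)


def is_elf(data: bytes) -> bool:
    """ELF magic: 0x7f 'E' 'L' 'F' at offset 0."""
    return data[:4] == b"\x7fELF"


def guess_filetype(data: bytes) -> str:
    """Assumed label set for the external variable; extend as needed."""
    if is_pe(data):
        return "pe"
    if is_elf(data):
        return "elf"
    return "unknown"


def yara_define_arg(data: bytes) -> list:
    """Argument pair that defines the external variable `filetype` for the
    yara CLI, so a rule can say:  condition: filetype == "pe" and ..."""
    return ["-d", "filetype=" + guess_filetype(data)]


def make_pe_sample(e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal buffer: 'MZ', e_lfanew stored at 0x3C, and the
    'PE\\0\\0' signature at e_lfanew. Not a real executable."""
    buf = bytearray(e_lfanew + 4)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    samples = {
        "pe": make_pe_sample(),
        # 'MZ' whose e_lfanew (0x1000) points past the end: a DOS stub, not PE
        "dos-stub": b"MZ" + b"\x00" * 0x3A + b"\x00\x10\x00\x00",
        "elf": b"\x7fELF" + b"\x00" * 12,
        "text": b"hello",
    }
    for name, blob in samples.items():
        print(f"{name:9s} is_pe={is_pe(blob)!s:5s} args={yara_define_arg(blob)}")
```

Running the script prints one line per constructed sample; only the `pe` buffer satisfies the rule, and the DOS stub shows why the bounds check matters: its `e_lfanew` is a plausible-looking value that simply points outside the data.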
