I'm new to yara rules and we just got them activated on the FireEye ETP... I 've read enough to start playing around and testing.
I just want the yara rule to fire(monitor mode) if a user receives a url within the email... I have a good match - https://regex101.com/r/L20l2w/1/ I wrote the rule like such... /* This Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license. */ rule with_urls : mail { meta: author = "Antonio Sanchez <[email protected]>" reference = "http://laboratorio.blogs.hispasec.com/"; description = "Rule to detect the presence of an or several urls" strings: $url_regex = /^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$/ condition: any of them } but I can't get it to fire on a simple email with this in the body http://youtube.com *the other thing is FIreEye ETP makes you pick Header Body or Attachment (I've tried it on all 3) *there is even more complicated regex url's that seem to match everything and these are HUGE - https://gist.github.com/gruber/8891611 I'd definitely appreciate any thoughts to point me in the right direction... thanks! -- You received this message because you are subscribed to the Google Groups "YARA" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/yara-project/52ee3b95-744d-4ec2-8fa2-9832ab96fda3%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
