Hey Matt,

Probably because of your beginning and end of line markers you have it
wrapped in. I forget how yara handles that, but I'm pretty sure that's not
what you want there.

Also, fwiw, I've written and use email scanning/detection tools at $dayjob,
and I can tell you that almost every single email has a link inside of it
of some kind.

Good luck!

- John Davison

On Tue, Jul 2, 2019 at 4:11 PM Matt Oney <[email protected]> wrote:

> I'm new to yara rules and we just got them activated on the FireEye ETP...
> I've read enough to start playing around and testing.
>
> I just want the yara rule to fire (monitor mode) if a user receives a URL
> within the email...
>
> I have a good match -
> https://regex101.com/r/L20l2w/1/
>
> I wrote the rule like such...
>
> /*
>     This Yara ruleset is under the GNU-GPLv2 license
>     (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or
>     organization, as long as you use it under this license.
> */
>
> rule with_urls : mail {
>     meta:
>         author = "Antonio Sanchez <[email protected]>"
>         reference = "http://laboratorio.blogs.hispasec.com/"
>         description = "Rule to detect the presence of one or several urls"
>     strings:
>         $url_regex = /^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$/
>     condition:
>         any of them
> }
>
> but I can't get it to fire on a simple email with this in the body
>
> http://youtube.com
>
> *the other thing is FireEye ETP makes you pick Header, Body or Attachment
> (I've tried it on all 3)
>
> *there are even more complicated regex URLs that seem to match everything,
> and these are HUGE -
> https://gist.github.com/gruber/8891611
>
> I'd definitely appreciate any thoughts to point me in the right
> direction... thanks!
>
> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/yara-project/52ee3b95-744d-4ec2-8fa2-9832ab96fda3%40googlegroups.com
> <https://groups.google.com/d/msgid/yara-project/52ee3b95-744d-4ec2-8fa2-9832ab96fda3%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>


-- 
John W. Davison
[email protected]
