By the way, there is an open pull request to add a "URL module" to Yara:
https://github.com/VirusTotal/yara/pull/1085

Not sure how it'll end up though. :)

Regards,

Fernando Mercês <https://twitter.com/mer0x36> | menteb.in


On Wed, Jul 3, 2019 at 12:42 PM John Davison <[email protected]>
wrote:

> Hey Matt,
>
> Probably because of your beginning and end of line markers you have it
> wrapped in. I forget how yara handles that but I'm pretty sure that's not
> what you want there.
>
> Also, fwiw, I've written and use email scanning/detection tools at
> $dayjob, and I can tell you that almost every single email has a link
> inside of it of some kind.
>
> Good luck!
>
> - John Davison
>
> On Tue, Jul 2, 2019 at 4:11 PM Matt Oney <[email protected]> wrote:
>
>> I'm new to yara rules and we just got them activated on the FireEye
>> ETP... I've read enough to start playing around and testing.
>>
>> I just want the yara rule to fire (monitor mode) if a user receives a url
>> within the email...
>>
>> I have a good match -
>> https://regex101.com/r/L20l2w/1/
>>
>> I wrote the rule like such...
>> /*
>>     This Yara ruleset is under the GNU-GPLv2 license (
>> http://www.gnu.org/licenses/gpl-2.0.html) and
>>     open to any user or organization, as long as you use it under this
>> license.
>> */
>>
>>
>> rule with_urls : mail {
>>  meta:
>>  author = "Antonio Sanchez <[email protected]>"
>>  reference = "http://laboratorio.blogs.hispasec.com/"
>>  description = "Rule to detect the presence of an or several urls"
>>  strings:
>>
>>
>>  $url_regex =
>> /^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$/
>>
>>
>>  condition:
>>  any of them
>> }
>>
>> but I can't get it to fire on a simple email with this in the body
>>
>> http://youtube.com
>>
>> *the other thing is FireEye ETP makes you pick Header, Body or Attachment
>> (I've tried it on all 3)
>>
>> *there are even more complicated regex URLs that seem to match everything
>> and these are HUGE -
>> https://gist.github.com/gruber/8891611
>>
>> I'd definitely appreciate any thoughts to point me in the right
>> direction... thanks!
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "YARA" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/yara-project/52ee3b95-744d-4ec2-8fa2-9832ab96fda3%40googlegroups.com
>> <https://groups.google.com/d/msgid/yara-project/52ee3b95-744d-4ec2-8fa2-9832ab96fda3%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
> --
> John W. Davison
> [email protected]
>

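As an added example (not code from the thread), the quoted $url_regex run under Python's re, whose anchor semantics without re.MULTILINE match YARA's: YARA has no multiline mode, so '^' and '$' bind to the start and end of the whole scanned data, which is why the rule as posted only fires when the body is nothing but the URL. The sample body and the unanchored variant are constructed for this illustration.

```python
import re

# The $url_regex from the quoted rule, copied character for character.
# In YARA, '^' and '$' anchor to the start and end of the scanned data
# (there is no multiline flag); Python's re without re.MULTILINE has the
# same semantics, so re.search stands in for YARA's string scan here.
ANCHORED_URL = (
    r"^(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/)?"
    r"[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*)?$"
)

# Same pattern with the leading '^' and trailing '$' stripped, so it can
# hit a URL anywhere in the data instead of a body that *is* a URL.
UNANCHORED_URL = ANCHORED_URL[1:-1]

# Constructed sample body, the kind of message the original poster tested with.
SAMPLE_BODY = (
    "Hi team,\n\n"
    "please review http://youtube.com when you get a chance.\n\n"
    "Matt\n"
)


def rule_fires(pattern: str, data: str) -> bool:
    """Emulate 'any of them' for a single regex string: the rule fires
    if the pattern occurs anywhere in the scanned data."""
    return re.search(pattern, data) is not None


def first_url(pattern: str, data: str):
    """Return the matched text (what YARA would report for the string
    hit) or None when the pattern does not occur."""
    m = re.search(pattern, data)
    return m.group(0) if m else None


if __name__ == "__main__":
    print("anchored, body is only the URL:", rule_fires(ANCHORED_URL, "http://youtube.com"))
    print("anchored, URL inside a body:   ", rule_fires(ANCHORED_URL, SAMPLE_BODY))
    print("unanchored, URL inside a body: ", first_url(UNANCHORED_URL, SAMPLE_BODY))
    # Caveat: with the scheme still optional, any lowercase dotted token
    # such as 'yara.rules' also fires, which is the noise John warns about.
    print("unanchored, no URL at all:     ", first_url(UNANCHORED_URL, "see yara.rules"))
```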
