Added moar YARA rules!

Picked the "quick wins" from this repo. E.g. the *_index.yar* files that contained several rules from the same author and didn't make ClamAV upset :) Need to vet the rest of the rules at some point. The repo was referenced in this paper: https://journal.cecyf.fr/ojs/index.php/cybin/article/view/24
pyllyukko · Nov 22, 2023 · 3fd1768 · 3fd1768
1 parent d87b81c
commit 3fd1768
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -78,7 +78,7 @@ For a complete list you can run `ansible-playbook --list-tasks harden.yml`.
 * [ClamAV](https://www.clamav.net/) configuration (see [clamav.yml](tasks/clamav.yml))
     * Configures `clamd` & `freshclam` by first generating fresh configurations with [clamconf](https://docs.clamav.net/manual/Usage/Configuration.html#clamconf)
     * Configured ClamAV to unarchive with password "infected" (see [Passwords for archive files](https://docs.clamav.net/manual/Signatures/EncryptedArchives.html) & [ClamAV and ZIP File Decryption](https://blog.didierstevens.com/2017/02/15/quickpost-clamav-and-zip-file-decryption/))
-    * Downloads YARA rules from [Neo23x0](https://github.com/Neo23x0/signature-base), [GCTI](https://github.com/chronicle/GCTI), [Elastic](https://github.com/elastic/protections-artifacts), [YaraRules Project](https://yara-rules.github.io/blog/), [JPCERT/CC](https://github.com/JPCERTCC/jpcert-yara) & [Malpedia](https://malpedia.caad.fkie.fraunhofer.de/) for [ClamAV to use](https://docs.clamav.net/manual/Signatures/YaraRules.html)
+    * Downloads YARA rules from [Neo23x0](https://github.com/Neo23x0/signature-base), [GCTI](https://github.com/chronicle/GCTI), [Elastic](https://github.com/elastic/protections-artifacts), [YaraRules Project](https://yara-rules.github.io/blog/), [JPCERT/CC](https://github.com/JPCERTCC/jpcert-yara), [Malpedia](https://malpedia.caad.fkie.fraunhofer.de/) & [Open-Source-YARA-rules](https://github.com/mikesxrs/Open-Source-YARA-rules) for [ClamAV to use](https://docs.clamav.net/manual/Signatures/YaraRules.html)
 * [rkhunter](https://sourceforge.net/projects/rkhunter/) configuration (see [rkhunter.yml](tasks/rkhunter.yml))
 * [Lynis](https://cisofy.com/lynis/) configuration (see [lynis.yml](tasks/lynis.yml))
 * Configures AIDE (see [aide.yml](tasks/aide.yml))

diff --git a/tasks/clamav.yml b/tasks/clamav.yml
@@ -2775,6 +2775,19 @@
             - https://raw.githubusercontent.com/malpedia/signator-rules/main/rules/win.zumanek_auto.yar
             - https://raw.githubusercontent.com/malpedia/signator-rules/main/rules/win.zupdax_auto.yar
             - https://raw.githubusercontent.com/malpedia/signator-rules/main/rules/win.zxxz_auto.yar
+            - https://raw.githubusercontent.com/mikesxrs/Open-Source-YARA-rules/master/Vinsula/Vinsula_index.yara
+            - https://raw.githubusercontent.com/mikesxrs/Open-Source-YARA-rules/master/plxsertr/plxsertr_index.yara
+            - https://raw.githubusercontent.com/mikesxrs/Open-Source-YARA-rules/master/RSA/RSA_index.yar
+            - https://raw.githubusercontent.com/mikesxrs/Open-Source-YARA-rules/master/Mike%20Schladt/Mike_Schladt_index.yara
+            - https://raw.githubusercontent.com/mikesxrs/Open-Source-YARA-rules/master/Rapid7/Rapid7_index.yara
+            - https://raw.githubusercontent.com/mikesxrs/Open-Source-YARA-rules/master/McAfee/McAfee_index.yara
+            - https://raw.githubusercontent.com/mikesxrs/Open-Source-YARA-rules/master/iocbucket/iocbucket_index.yara
+            - https://raw.githubusercontent.com/mikesxrs/Open-Source-YARA-rules/master/malc0de/malc0de_index.yara
+            - https://raw.githubusercontent.com/mikesxrs/Open-Source-YARA-rules/master/Spider-labs/Spiderlabs_index.yara
+            - https://raw.githubusercontent.com/mikesxrs/Open-Source-YARA-rules/master/73mp74710n/73mp74710n_index.yara
+            - https://raw.githubusercontent.com/mikesxrs/Open-Source-YARA-rules/master/Zerk%20Labs/Zerk_Labs_index.yara
+            - https://raw.githubusercontent.com/mikesxrs/Open-Source-YARA-rules/master/crowdstrike/Crowdstrike_index.yara
+            - https://raw.githubusercontent.com/mikesxrs/Open-Source-YARA-rules/master/phoul/phoul_index.yara
             - https://raw.githubusercontent.com/Te-k/cobaltstrike/master/rules.yar
             - https://raw.githubusercontent.com/advanced-threat-research/Yara-Rules/master/malware/MALW_cobaltstrike.yar
             - https://raw.githubusercontent.com/avast/ioc/master/CobaltStrike/yara_rules/cs_rules.yar