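// Detection rule for the Drovorub kernel module, published with the 2020-08-13
// report "Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware".
// The string set is kept exactly as published so that hits remain comparable with
// other deployments of this rule; only provenance metadata and comments are added.
rule drovorub_kernel_module_unique_strings {
	meta:
		description = "Rule detects the Drovorub-kernel module based on unique strings."
		reference = "Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware"
		date = "2020-08-13"
	strings:
		// /proc paths the module refers to. These also appear in legitimate kernel
		// code, so on their own they carry no signal; they only matter in
		// combination with the opaque tags below.
		// $s_01 is a prefix of $s_02..$s_07 and therefore matches whenever any of
		// those do; it is retained only to stay faithful to the published rule.
		$s_01 = "/proc" ascii wide
		$s_02 = "/proc/net/packet" ascii wide
		$s_03 = "/proc/net/raw" ascii wide
		$s_04 = "/proc/net/tcp" ascii wide
		$s_05 = "/proc/net/tcp6" ascii wide
		$s_06 = "/proc/net/udp" ascii wide
		$s_07 = "/proc/net/udp6" ascii wide
		// Short opaque tags. Together with "sc!^2a" these are what distinguish the
		// sample from an ordinary kernel module; "do_fork", "module" and "sysfs"
		// are generic kernel identifiers and would be noisy in isolation.
		// "ascii wide" is kept as published; for an ELF kernel module the UTF-16
		// ("wide") form is unlikely to ever fire, but it costs nothing to keep.
		$s_08 = "cs02" ascii wide
		$s_09 = "do_fork" ascii wide
		$s_10 = "es01" ascii wide
		$s_11 = "g001" ascii wide
		$s_12 = "g002" ascii wide
		$s_13 = "i001" ascii wide
		$s_14 = "i002" ascii wide
		$s_15 = "i003" ascii wide
		$s_16 = "i004" ascii wide
		$s_17 = "module" ascii wide
		$s_18 = "sc!^2a" ascii wide
		$s_19 = "sysfs" ascii wide
		$s_20 = "tr01" ascii wide
		$s_21 = "tr02" ascii wide
		$s_22 = "tr03" ascii wide
		$s_23 = "tr04" ascii wide
		$s_24 = "tr05" ascii wide
		$s_25 = "tr06" ascii wide
		$s_26 = "tr07" ascii wide
		$s_27 = "tr08" ascii wide
		$s_28 = "tr09" ascii wide
	condition:
		// Requiring every string is deliberate: the generic atoms above would
		// produce false positives under "any of them" or a low "N of them"
		// threshold. Do not loosen this without re-validating against a corpus
		// of benign kernel modules.
		all of them
}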
Details Pdf 2020-08-13 54 Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware