42 lines
No EOL
890 B
Text
42 lines
No EOL
890 B
Text
rule NetWiredRC_B : rat
|
|
{
|
|
meta:
|
|
description = "NetWiredRC"
|
|
author = "Jean-Philippe Teissier / @Jipe_"
|
|
date = "2014-12-23"
|
|
filetype = "memory"
|
|
version = "1.1"
|
|
|
|
strings:
|
|
$mutex = "LmddnIkX"
|
|
|
|
$str1 = "%s.Identifier"
|
|
$str2 = "%d:%I64u:%s%s;"
|
|
$str3 = "%s%.2d-%.2d-%.4d"
|
|
$str4 = "[%s] - [%.2d/%.2d/%d %.2d:%.2d:%.2d]"
|
|
$str5 = "%.2d/%.2d/%d %.2d:%.2d:%.2d"
|
|
|
|
$klg1 = "[Backspace]"
|
|
$klg2 = "[Enter]"
|
|
$klg3 = "[Tab]"
|
|
$klg4 = "[Arrow Left]"
|
|
$klg5 = "[Arrow Up]"
|
|
$klg6 = "[Arrow Right]"
|
|
$klg7 = "[Arrow Down]"
|
|
$klg8 = "[Home]"
|
|
$klg9 = "[Page Up]"
|
|
$klg10 = "[Page Down]"
|
|
$klg11 = "[End]"
|
|
$klg12 = "[Break]"
|
|
$klg13 = "[Delete]"
|
|
$klg14 = "[Insert]"
|
|
$klg15 = "[Print Screen]"
|
|
$klg16 = "[Scroll Lock]"
|
|
$klg17 = "[Caps Lock]"
|
|
$klg18 = "[Alt]"
|
|
$klg19 = "[Esc]"
|
|
$klg20 = "[Ctrl+%c]"
|
|
|
|
condition:
|
|
$mutex or (1 of ($str*) and 1 of ($klg*))
|
|
} |