
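rule FE_PCAPs
{
    meta:
        author = "@patrickrolsen"
        maltype = "N/A"
        version = "0.1"
        description = "Find FireEye PCAPs uploaded to Virus Total"
        date = "12/30/2013"
    strings:
        // libpcap file-header magic. The original rule only matched the
        // little-endian, microsecond-resolution header (D4 C3 B2 A1); the
        // other three libpcap variants are added here. pcapng files
        // (0A 0D 0D 0A) are still not covered by this rule.
        // IPv4 addresses inside the captured packets are in network byte
        // order regardless of file endianness, so $ip* are unaffected.
        $magic_le    = { D4 C3 B2 A1 } // little-endian, microsecond timestamps
        $magic_be    = { A1 B2 C3 D4 } // big-endian, microsecond timestamps
        $magic_le_ns = { 4D 3C B2 A1 } // little-endian, nanosecond timestamps
        $magic_be_ns = { A1 B2 3C 4D } // big-endian, nanosecond timestamps
        // Adjacent source/destination IPv4 address pairs as laid out in an
        // IPv4 header: 10.0.0.x -> 199.16.199.x and the reverse direction.
        // NOTE: the 8-byte patterns are not anchored to an IP header, so the
        // same byte sequence in unrelated payload would also match.
        $ip1 = { 0A 00 00 ?? C7 10 C7 ?? } // "10.0.0.?? -> 199.16.199.??"
        $ip2 = { C7 10 C7 ?? 0A 00 00 ?? } // "199.16.199.?? -> 10.0.0.??"
    condition:
        // File must start with one of the libpcap magics and contain
        // traffic in both directions between the two address ranges.
        ( $magic_le at 0 or $magic_be at 0 or $magic_le_ns at 0 or $magic_be_ns at 0 )
        and all of ($ip*)
}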