Standard way for representing JVM malware signatures.

Rules should be similar to Yara rules (just for JVM applications). This means:

- Binary sequence matches (mostly for asset matching)
- Filtered Java ASM instruction sequences (for example, only check for method invocations, but all of them)
- Ability to match only in selected functions could be useful
- Optionally limit file/ASM sequence matches to files/classes/functions (Updater.class/* or */<clinit>)
- Filename matches (with regex)
- Function name/id matches
- Match conditions like "at least 10" or "$a or $b and $c" (multiple match conditions have to be allowed)
- Per-malware threat level and lookup ID. Lookup ID should direct users to a website dedicated to malware details and removal guide.
- Per-rule match ID allowing us to see exact matching details.
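
The requirements above, sketched as an added example (not the project's code or an agreed format): a Python prototype of scoped invocation-sequence matching, the two condition styles, and per-string match details. The rule layout, field names, placeholder ID, sample data, the reading of "at least N" as a count of match locations, and "and" binding tighter than "or" are all assumptions; parentheses are not supported.

```python
import re
from fnmatch import fnmatchcase

# Hypothetical rule layout; field names and the placeholder ID are assumptions.
RULE = {
    "id": "EXAMPLE-0001", "threat_level": "high",
    "strings": {  # name: (scope glob over "Class/method", invocation sequence)
        "$a": ("Updater.class/*", ["java/net/URL.openStream",
                                   "java/lang/ClassLoader.defineClass"]),
        "$b": ("*/<clinit>", ["java/lang/Runtime.exec"]),
        "$c": ("*", ["java/util/Base64$Decoder.decode"]),
    },
    "condition": "$a or $b and $c",
}
# Constructed sample: method -> its invocation instructions, already filtered.
SAMPLE = {
    "Updater.class/run": ["java/net/URL.openStream",
                          "java/lang/ClassLoader.defineClass"],
    "Main.class/<clinit>": ["java/lang/System.getProperty"],
    "Main.class/main": ["java/util/Base64$Decoder.decode"],
}

def match_strings(rule, methods):
    """Map each string name to the methods where its sequence occurs in scope."""
    def has(calls, seq):  # contiguous subsequence test
        return any(calls[i:i + len(seq)] == seq
                   for i in range(len(calls) - len(seq) + 1))
    return {name: [m for m, calls in methods.items()
                   if fnmatchcase(m, scope) and has(calls, seq)]
            for name, (scope, seq) in rule["strings"].items()}

def evaluate(rule, methods):
    """Return (verdict, per-string match details) for one rule."""
    hits, cond = match_strings(rule, methods), rule["condition"].strip()
    if m := re.fullmatch(r"at least (\d+)", cond):
        # Assumption: "at least N" counts match locations across all strings.
        return sum(map(len, hits.values())) >= int(m.group(1)), hits
    if not re.fullmatch(r"\$\w+( (and|or) \$\w+)*", cond):
        raise ValueError("unsupported condition: " + cond)
    # "and" binds tighter than "or": split into or-clauses, then and-terms.
    verdict = any(all(hits[t] for t in clause.split(" and "))
                  for clause in cond.split(" or "))
    return verdict, hits
```

`evaluate(RULE, SAMPLE)` returns the verdict together with the methods each string matched in, which is the kind of per-rule match detail the last requirement asks for.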
Matching rules