From 17112e31d5e134eca65a3ca8c3b95d946835ca47 Mon Sep 17 00:00:00 2001
From: Marc Stroebel
Date: Sun, 29 Dec 2024 14:51:29 +0100
Subject: [PATCH] Adding YARA signatures for nfs-security-tooling by HvS Consulting
---
 yara/hktl_HvS_nfs_security_tooling.yar | 49 ++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 yara/hktl_HvS_nfs_security_tooling.yar
diff --git a/yara/hktl_HvS_nfs_security_tooling.yar b/yara/hktl_HvS_nfs_security_tooling.yar
new file mode 100644
index 00000000..9e2f3857
--- /dev/null
+++ b/yara/hktl_HvS_nfs_security_tooling.yar
@@ -0,0 +1,49 @@
+rule fuse_nfs {
+ meta:
+ description = "Detects the nfs-security-tooling fuse_nfs by HvS Consulting"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Moritz Oettle"
+ date = "2024-10-22"
+ reference1 = "https://github.com/hvs-consulting/nfs-security-tooling"
+
+ strings:
+ $s1 = "NFS3ConnectionFactory" fullword ascii
+ $s2 = "fuse_to_nfs_timestamp" fullword ascii
+ $s3 = "--manual-fh" fullword ascii
+ $s4 = "--fake-uid-allow-root" fullword ascii
+ $s5 = "nfs.rpc.credential" fullword ascii
+ $s6 = "nfs.readlink" fullword ascii
+ $s7 = "pyfuse3.EntryAttributes" fullword ascii
+ $s8 = "Make nested exports on NetApp servers work" fullword ascii
+ $s9 = "add_mutually_exclusive_group" fullword ascii
+
+ condition:
+ 4 of them
+}
+
+rule nfs_analyze {
+ meta:
+ description = "Detects the nfs-security-tooling nfy_analyze by HvS Consulting"
+ license = "https://creativecommons.org/licenses/by-nc/4.0/"
+ author = "Marc Stroebel"
+ date = "2024-10-22"
+ reference1 = "https://github.com/hvs-consulting/nfs-security-tooling"
+
+ strings:
+ $s1 = "no_root_squash_exports" fullword ascii
+ $s2 = "nfs lock manager" fullword ascii
+ $s3 = "netapp partner" fullword ascii
+ $s4 = "xdrdef.mnt3_type" fullword ascii
+ $s5 = "BTRFS subvolumes" fullword ascii
+ $s6 = "Unsupported fsid" fullword ascii
+ $s7 = "nfs3_read_etc_shadow" fullword ascii
+ $s8 = "nfs3_check_no_root_squash" fullword ascii
+ $s9 = "krb5i" fullword ascii
+ $s10 = "nfs4_overview" fullword ascii
+ $s11 = "--btrfs-subvolumes" fullword ascii
+ $s12 = "when escaping a BTRFS export" fullword ascii
+ $s13 = "No NFS server detected" fullword ascii
+
+ condition:
+ 6 of them
+}
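Review bot: The description of rule nfs_analyze names the tool `nfy_analyze`, which matches neither the rule name nor the tool name used in the commit subject and the referenced repository; it should read `description = "Detects the nfs-security-tooling nfs_analyze by HvS Consulting"`. Several strings carry little specificity on their own — `add_mutually_exclusive_group` in fuse_nfs is a standard Python argparse method, `krb5i` in nfs_analyze is a standard NFS security flavor, and `"nfs lock manager"` / `"No NFS server detected"` are plain phrases — so at 4-of-9 and 6-of-13 the rules may also fire on unrelated Python NFS client or administration code; anchoring each condition on a tool-specific identifier, e.g. `4 of them and 1 of ($s2, $s3, $s4)` for fuse_nfs and `6 of them and 1 of ($s7, $s8, $s11)` for nfs_analyze, would reduce that false-positive surface without weakening coverage of the tool itself. All strings are `ascii` only, which presumably targets the Python source files; if the tooling is also distributed in a packaged or compiled form, consider whether these markers survive there. Neither rule carries a hash or score meta field; if other rules in this collection use such fields, adding them here would keep the set consistent.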