From 7696794a23c9d1723879bef5a83ab004426da6a1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Stucke?=
Date: Mon, 18 Nov 2024 16:58:04 +0100
Subject: [PATCH] feat: added some software signatures (mbed TLS, file, opkg)

---
 .../signatures/crypto.yara | 13 ++++++++-
 .../signatures/software.yara | 29 +++++++++++++++++++
 .../data/software_component_test_list.txt | 1 +
 3 files changed, 42 insertions(+), 1 deletion(-)

diff --git a/src/plugins/analysis/software_components/signatures/crypto.yara b/src/plugins/analysis/software_components/signatures/crypto.yara
index 145bab09d0..3b4b30781f 100644
--- a/src/plugins/analysis/software_components/signatures/crypto.yara
+++ b/src/plugins/analysis/software_components/signatures/crypto.yara
@@ -1,3 +1,15 @@
+rule mbed_TLS {
+ meta:
+ software_name = "mbed TLS"
+ open_source = true
+ website = "https://github.com/Mbed-TLS/mbedtls"
+ description = "embedded library for cryptography, X.509 certificate manipulation and the SSL/TLS and DTLS protocols"
+ strings:
+ $a = /mbed TLS \d+\.\d+\.\d+/ ascii
+ condition:
+ $a and no_text_file
+}
+
 rule OpenSSL
 {
 meta:
@@ -24,4 +36,3 @@ rule SSLeay
 condition:
 $a and no_text_file
 }
-
diff --git a/src/plugins/analysis/software_components/signatures/software.yara b/src/plugins/analysis/software_components/signatures/software.yara
index b149a15225..be95201b01 100644
--- a/src/plugins/analysis/software_components/signatures/software.yara
+++ b/src/plugins/analysis/software_components/signatures/software.yara
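Review bot: `$a = /mbed TLS \d+\.\d+\.\d+/ ascii` in the new mbed_TLS rule is case-sensitive, and to my knowledge the version banner embedded in Mbed TLS 3.x builds is spelled `Mbed TLS 3.x.y` (the project changed the capitalisation with the 3.0 release), so as written the rule would only identify 2.x binaries; adding the `nocase` modifier that the OPKG rule in this same patch already uses, `$a = /mbed TLS \d+\.\d+\.\d+/ nocase ascii`, covers both spellings. The rule also carries no `version_regex` meta, unlike the two rules added to software.yara in this commit; if the plugin takes the version from the whole matched string that is fine, but a one-line comment saying so would spare the next reader the lookup. Minor style point: `rule mbed_TLS {` puts the brace on the rule line, whereas the neighbouring `rule OpenSSL` context appears to place it on a line of its own.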
@@ -54,6 +54,35 @@ rule jQuery
 $a
 }
 
+rule libmagic_file {
+ meta:
+ software_name = "file"
+ open_source = true
+ website = "https://www.darwinsys.com/file/"
+ description = "file type guesser"
+ version_regex = "\\d\\.\\d+"
+ format_string = true
+ strings:
+ $a = "%s-%s" ascii
+ $b = "File: file.c,v" ascii
+ condition:
+ $a and $b
+}
+
+rule OPKG {
+ meta:
+ software_name = "OPKG"
+ open_source = true
+ website = "https://openwrt.org/docs/guide-user/additional-software/opkg"
+ description = "Opkg lightweight embedded package manager"
+ version_regex = "[0-9a-z]{40} \\(\\d{4}-\\d{2}-\\d{2}\\)"
+ strings:
+ $a = "opkg version %s\n" nocase ascii
+ $b = /[0-9a-z]{40} \(\d{4}-\d{2}-\d{2}\)/ ascii
+ condition:
+ $a and $b
+}
+
 rule Perl
 {
 meta:
diff --git a/src/plugins/analysis/software_components/test/data/software_component_test_list.txt b/src/plugins/analysis/software_components/test/data/software_component_test_list.txt
index 8a7b2a1e81..177b7abead 100644
--- a/src/plugins/analysis/software_components/test/data/software_component_test_list.txt
+++ b/src/plugins/analysis/software_components/test/data/software_component_test_list.txt
@@ -65,6 +65,7 @@ libpcap version 1.5.2
 libsqlite3-3.8.11.1.so
 libupnp-1.6.18
 lighttpd-1.4.18
+mbed TLS 2.16.3
 nc -h for help
 netatalk-2.2.0
 nginx version: nginx/1.13.3
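Review bot: In `rule OPKG`, the character class `[0-9a-z]{40}` used in both `$b` and `version_regex` is wider than the git commit hash it appears to target; a SHA-1 is hexadecimal, so `[0-9a-f]{40}` would still match genuine `opkg version <hash> (<date>)` banners while rejecting arbitrary 40-character lowercase tokens that happen to precede a date, i.e. `$b = /[0-9a-f]{40} \(\d{4}-\d{2}-\d{2}\)/ ascii` and `version_regex = "[0-9a-f]{40} \\(\\d{4}-\\d{2}-\\d{2}\\)"`. In `rule libmagic_file`, `$a = "%s-%s"` is a generic format string that many binaries contain, so the rule's specificity rests entirely on `$b = "File: file.c,v"`, and `version_regex = "\\d\\.\\d+"` will accept any `N.NN` fragment the plugin substitutes into `%s-%s`; if the version is expected to be resolved from a particular nearby string, a comment stating which one would make the `format_string = true` behaviour checkable. The two-component version pattern is presumably intentional for file's `5.xx` numbering, but worth a comment since the mbed_TLS rule in the same patch uses three components.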