Merge pull request avast#935 from avast/LZ_sha512_yara_pattern

Detection of SHA512 improved. Prevented YARA DoS on d251e8b3a5818132d…
GuinnessShep · Mar 17, 2021 · 469ed9e · 469ed9e
2 parents 4da009a + 3a94c2a
commit 469ed9e
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/support/yara_patterns/signsrch/signsrch.yara b/support/yara_patterns/signsrch/signsrch.yara
@@ -14225,10 +14225,19 @@ rule rfc3548_Base_32_Encoding__32_big_ASC_128_
 	condition:
 		$a0
 }
+
+rule SHA512__32_lil_AND_
+{
+	strings:
+		$a0 = { 08C9BCF3[1-6]67E6096A[0-6]3BA7CA84[0-6]85AE67BB[0-6]2BF894FE[0-6]72F36E3C[0-6]F1361D5F[0-6]3AF54FA5[0-6]D182E6AD[0-6]7F520E51[0-6]1F6C3E2B[0-6]8C68059B[0-6]6BBD41FB[0-6]ABD9831F[0-6]79217E13[0-6]19CDE05B }
+	condition:
+		$a0
+}
+
 rule SHA512__64_lil_AND_
 {
 	strings:
-		$a0 = { 08c9bcf367e6096a[0-20]3ba7ca8485ae67bb[0-20]2bf894fe72f36e3c[0-20]f1361d5f3af54fa5[0-20]d182e6ad7f520e51[0-20]1f6c3e2b8c68059b[0-20]6bbd41fbabd9831f[0-20]79217e1319cde05b[0-20]22ae28d7982f8a42[0-20]cd65ef2391443771[0-20]2f3b4deccffbc0b5[0-20]bcdb8981a5dbb5e9[0-20]38b548f35bc25639[0-20]19d005b6f111f159[0-20]9b4f19afa4823f92[0-20]18816ddad55e1cab[0-20]420203a398aa07d8[0-20]be6f7045015b8312[0-20]8cb2e44ebe853124[0-20]e2b4ffd5c37d0c55[0-20]6f897bf2745dbe72[0-20]b196163bfeb1de80[0-20]3512c725a706dc9b[0-20]942669cf74f19bc1[0-20]d24af19ec1699be4[0-20]e3254f388647beef[0-20]b5d58c8bc69dc10f[0-20]659cac77cca10c24[0-20]75022b596f2ce92d[0-20]83e4a66eaa84744a[0-20]d4fb41bddca9b05c[0-20]b5531183da88f976[0-20]abdf66ee52513e98[0-20]1032b42d6dc631a8[0-20]3f21fb98c82703b0[0-20]e40eefbec77f59bf[0-20]c28fa83df30be0c6[0-20]25a70a934791a7d5[0-20]6f8203e05163ca06[0-20]706e0e0a67292914[0-20]fc2fd246850ab727[0-20]26c9265c38211b2e[0-20]ed2ac45afc6d2c4d[0-20]dfb3959d130d3853[0-20]de63af8b54730a65[0-20]a8b2773cbb0a6a76[0-20]e6aeed472ec9c281[0-20]3b358214852c7292[0-20]6403f14ca1e8bfa2[0-20]013042bc4b661aa8[0-20]9197f8d0708b4bc2[0-20]30be5406a3516cc7[0-20]1852efd619e892d1[0-20]10a96555240699d6[0-20]2a20715785350ef4[0-20]b8d1bb3270a06a10[0-20]c8d0d2b816c1a419[0-20]53ab4151086c371e[0-20]99eb8edf4c774827[0-20]a8489be1b5bcb034[0-20]635ac9c5b30c1c39[0-20]cb8a41e34aaad84e[0-20]73e363774fca9c5b[0-20]a3b8b2d6f36f2e68[0-20]fcb2ef5dee828f74[0-20]602f17436f63a578[0-20]72abf0a11478c884[0-20]ec39641a0802c78c[0-20]281e6323faffbe90[0-20]e9bd82deeb6c50a4[0-20]1579c6b2f7a3f9be[0-20]2b5372e3f27871c6[0-20]9c6126eace3e27ca[0-20]07c2c021c7b886d1[0-20]1eebe0cdd67ddaea[0-20]78d16eee7f4f7df5[0-20]ba6f1772aa67f006[0-20]a698c8a2c57d630a[0-20]ae0df9be04983f11[0-20]1b471c13350b711b[0-20]847d0423f577db28[0-20]9324c7407babca32[0-20]bcbec9150abe9e3c[0-20]4c0d109cc4671d43[0-20]b6423ecbbed4c54c[0-20]2a7e65fc9c297f59[0-20]ecfad63aab6fcb5f[0-20]1758474a8c19446c }
+		$a0 = { 08c9bcf367e6096a[0-20]3ba7ca8485ae67bb[0-20]2bf894fe72f36e3c[0-20]f1361d5f3af54fa5[0-20]d182e6ad7f520e51[0-20]1f6c3e2b8c68059b[0-20]6bbd41fbabd9831f[0-20]79217e1319cde05b }
 	condition:
 		$a0
 }