Commit

Merge pull request Yara-Rules#374 from unamuno/patch-1
Add ipv6 support
Xumeiquer authored May 6, 2020
2 parents 2bb79cb + e121fff commit 11c76bf
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions utils/ip.yar
Expand Up @@ -7,7 +7,8 @@ rule IP {
meta:
author = "Antonio S. <[email protected]>"
strings:
$ip = /([0-9]{1,3}\.){3}[0-9]{1,3}/ wide ascii
$ipv4 = /([0-9]{1,3}\.){3}[0-9]{1,3}/ wide ascii
$ipv6 = /(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))/ wide ascii
condition:
$ip
any of them
}
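
Review bot: The new `$ipv6` pattern has branches that match almost nothing of an address, and `any of them` lets either string fire the rule on its own. The branch `:((:[0-9a-fA-F]{1,4}){1,7}|:)` accepts a bare `::`, and `([0-9a-fA-F]{1,4}:){1,7}:` accepts something as short as `d::`, so any file containing a C++ scope operator such as `std::` will match, in both `ascii` and `wide` form. Consider dropping the bare `::` branch, requiring a minimum number of hex groups, and bounding the match so it cannot start or end inside a longer hex or identifier run. `$ipv4` also still uses `[0-9]{1,3}` per octet, which accepts values such as `999.999.999.999` and dotted version strings, while the embedded IPv4 part of `$ipv6` already uses the bounded `25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]` form; reusing that form in `$ipv4` would make the two consistent. As a style point, `{7,7}`, `{3,3}`, `{0,1}` and `{1,}` can be written `{7}`, `{3}`, `?` and `+`, and a `description` entry under `meta:` stating that the rule is a generic address matcher rather than a malware indicator would help anyone who loads it.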
