Merge pull request Yara-Rules#369 from sylvainpelissier/master

Add signature for some known elliptic curve orders
k0ko380 · Jan 27, 2020 · b5e782c · b5e782c
2 parents a7bcbb7 + f564205
commit b5e782c
Showing 1 changed file with 24 additions and 6 deletions.
diff --git a/crypto/crypto_signatures.yar b/crypto/crypto_signatures.yar
@@ -387,12 +387,12 @@ rule SHA2_BLAKE2_IVs {
 	strings:
 		$c0 = { 67 E6 09 6A }
 		$c1 = { 85 AE 67 BB }
-        $c2 = { 72 F3 6E 3C }
-        $c3 = { 3A F5 4F A5 }
-        $c4 = { 7F 52 0E 51 }
-        $c5 = { 8C 68 05 9B }
-        $c6 = { AB D9 83 1F }
-        $c7 = { 19 CD E0 5B }
+		$c2 = { 72 F3 6E 3C }
+		$c3 = { 3A F5 4F A5 }
+		$c4 = { 7F 52 0E 51 }
+		$c5 = { 8C 68 05 9B }
+		$c6 = { AB D9 83 1F }
+		$c7 = { 19 CD E0 5B }
 
 	condition:
 		all of them
@@ -1475,3 +1475,21 @@ rule Chacha_256_constant {
 	condition:
 		$c0
 }
+
+rule ecc_order {
+    meta:
+		author = "spelissier"
+		description = "Look for known Elliptic curve orders"
+		date = "2020-01"
+		version = "0.1"
+	strings:
+		$secp192k1 = { FF FF FF FF FF FF FF FF FF FF FF FE 26 F2 FC 17 0F 69 46 6A 74 DE FD 8D}
+		$secp192r1 = { FF FF FF FF FF FF FF FF FF FF FF FF 99 DE F8 36 14 6B C9 B1 B4 D2 28 31}
+		$secp224k1 = { 01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 DC E8 D2 EC 61 84 CA F0 A9 71 76 9F B1 F7}
+		$secp224r1 = { FF FF FF FF FF FF FF FF FF FF FF FF FF FF 16 A2 E0 B8 F0 3E 13 DD 29 45 5C 5C 2A 3D}
+		$secp256k1 = { FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FE BA AE DC E6 AF 48 A0 3B BF D2 5E 8C D0 36 41 41 }
+		$prime256v1 = { FF FF FF FF 00 00 00 00 FF FF FF FF FF FF FF FF BC E6 FA AD A7 17 9E 84 F3 B9 CA C2 FC 63 25 51 }
+		$secp384r1 = { FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF C7 63 4D 81 F4 37 2D DF 58 1A 0D B2 48 B0 A7 7A EC EC 19 6A CC C5 29 73 }
+	condition:
+		any of them
+}