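rule b64_url
{
    meta:
        author = "@KevTheHermit"
        info = "Part of PasteHunter"
        reference = "https://github.com/kevthehermit/PasteHunter"
        description = "Base64-encoded http(s):// or www. prefixes, excluding data: URIs and a known vendor cert string"
    strings:
        // Base64 of "http:/", "HTTP:/", "www." and "WWW." at the zero-byte
        // alignment only. The same text preceded by one or two other bytes in
        // the plaintext encodes to different characters and is not covered here.
        $a1 = "aHR0cDov" // http/s
        $a2 = "SFRUUDov" // HTTP/S
        $a3 = "d3d3Lg" // www.
        $a4 = "V1dXLg" // WWW.
        // ignore vendor certs in this rule. The certs rule will pick them up if we want them
        $not1 = "GlobalSign Root CA" nocase
        // Ignore data: uris. These are common in html, css, and svg files.
        // The MIME-type character class accepts '+', '.' and '-' so that types
        // such as image/svg+xml or application/x-font-woff are excluded as the
        // comment above intends; the earlier class [a-z0-9\/]+ stopped at the
        // '+' or '-' and let those data: URIs trigger the rule.
        $not2 = /data:[a-z0-9+.\/-]+;(base64,)?aHR0cDov/ nocase
        $not3 = /data:[a-z0-9+.\/-]+;(base64,)?SFRUUDov/ nocase
        $not4 = /data:[a-z0-9+.\/-]+;(base64,)?d3d3Lg/ nocase
        $not5 = /data:[a-z0-9+.\/-]+;(base64,)?V1dXLg/ nocase
    condition:
        // Exclusion is file-wide: a single $not match anywhere suppresses the
        // rule for the whole input, even if an unrelated $a match exists elsewhere.
        any of ($a*) and not any of ($not*)
}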