timb-machine · March 1, 2021 18:13
diff --git a/enterpriseunix2.yara b/enterpriseunix2.yara
 import "elf"

 rule enterpriseunix2 {
  meta:
    author = "Tim Brown @timb_machine"
    description = "Enterprise UNIX"
  strings:
    $aix = "aix" nocase
    $solaris = "solaris" nocase
    $hpux = "hpux" nocase
    $libca = "libc.a"
    $text = ".text"
    $data = ".data"
  condition:
    ($aix or $solaris or $hpux) and ((elf.number_of_sections >= 1) or ($libca and $text and $data))
 }
	import "elf"

	rule enterpriseunix2 {
	meta:
	author = "Tim Brown @timb_machine"
	description = "Enterprise UNIX"
	strings:
	$aix = "aix" nocase
	$solaris = "solaris" nocase
	$hpux = "hpux" nocase
	$libca = "libc.a"
	$text = ".text"
	$data = ".data"
	condition:
	($aix or $solaris or $hpux) and ((elf.number_of_sections >= 1) or ($libca and $text and $data))
	}