100 Days of YARA – Day 9: Berkeley Sockets

This rule will match a lot of software: anything that uses the network in some way through the Berkeley Sockets API.

Programs using this API should have at least a call to socket and at least two of the additional functions listed within this rule.

This should work on PE, ELF, and Mach-O files as well as some scripting languages.

rule sockets
{
	meta:
		description = "Berkeley Sockets API"
		reference = "https://en.wikipedia.org/wiki/Berkeley_sockets"
		author = "Daniel Roberson"

	strings:
		$socket = "socket" fullword
		$ = "accept" fullword
		$ = "bind" fullword
		$ = "getsockname" fullword
		$ = "listen" fullword
		$ = "close" fullword

	condition:
		// "them" counts every string in the rule, $socket included,
		// so socket plus at least two of the other names needs 3 of them
		$socket and 3 of them
}
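An added example, not part of the original post: a small Python emulation of how YARA evaluates this rule's condition, showing both the `fullword` boundary check and the fact that `N of them` counts every string in the rule, `$socket` included (so `$socket and 2 of them` is satisfied by `socket` plus a single other name, while socket plus two others needs `3 of them`). The sample byte strings are constructed import-table-like blobs, and the `$a1`..`$a5` names stand in for the rule's anonymous `$` strings.

```python
import re

# The rule's strings. "$socket" is the named one; the anonymous "$" strings
# from the rule are given placeholder names here so results can be listed.
RULE_STRINGS = {
    "$socket": b"socket",
    "$a1": b"accept",
    "$a2": b"bind",
    "$a3": b"getsockname",
    "$a4": b"listen",
    "$a5": b"close",
}

# Constructed samples standing in for the string tables of three binaries.
SAMPLE_MINIMAL = b"\x00socket\x00close\x00printf\x00"          # socket + one other
SAMPLE_SERVER = b"\x00socket\x00bind\x00listen\x00accept\x00close\x00"
SAMPLE_NONET = b"\x00websocket\x00closefd\x00strlen\x00"       # no fullword hits


def fullword_matches(data: bytes, needle: bytes) -> int:
    """Count YARA-style 'fullword' occurrences: the needle must not be
    immediately preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return len(re.findall(pattern, data))


def evaluate(data: bytes, minimum: int) -> dict:
    """Emulate '$socket and <minimum> of them' over the rule's strings.

    'them' includes $socket itself, exactly as in YARA, which is why the
    minimum needed for 'socket plus two other calls' is 3, not 2."""
    matched = {name for name, s in RULE_STRINGS.items() if fullword_matches(data, s)}
    return {
        "matched": sorted(matched),
        "fires": "$socket" in matched and len(matched) >= minimum,
    }


if __name__ == "__main__":
    for label, blob in (("minimal", SAMPLE_MINIMAL), ("server", SAMPLE_SERVER), ("nonet", SAMPLE_NONET)):
        for minimum in (2, 3):
            r = evaluate(blob, minimum)
            print(f"{label:8} {minimum} of them -> fires={r['fires']} matched={r['matched']}")
```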
