
DFIR 012 – Clam AV rules to Yara

This post was inspired while I was playing around with the new SIFT workstation and needed to get my tools and scripts onto the VM. A couple of team members saw what I was doing and did not know this was possible, so I figured I would write up a quick post on how to convert your ClamAV signature database into a set of YARA rules that you can use during your investigations.

You can get the Python script here

# for ClamAV
# should be installed already, but this is to verify
sudo apt-get install clamav clamav-freshclam
# pull the current signature database (skip if the clamav-freshclam service already keeps it current)
sudo freshclam

# for YARA
sudo apt-get install libpcre3 libpcre3-dev
sudo apt-get install yara

# unpack the main database; this writes main.ndb, main.hdb, main.mdb, ... into the current
# directory, so run it from a writable working directory (on some installs the file is main.cld)
sigtool -u /var/lib/clamav/main.cvd
# convert the unpacked .ndb signatures into a YARA rule file
python clamav_to_yara.py -f main.ndb -o clamav.yara

There was one rule I had to clean up manually, though:

vim +199819 clamav.yara

Once that is done, you can use this file anywhere you would use your other YARA rules. It is worth compiling it once with yarac first to confirm that every rule parses, because a single bad rule makes yara reject the whole file rather than just that rule.
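As an added illustration (this is not the clamav_to_yara.py script linked above, whose source is not reproduced on this page), the following Python reimplements the core of the conversion on a few constructed .ndb lines: the four colon-separated fields, the mapping of ClamAV hex-signature wildcards, jumps and alternations onto YARA hex strings, and the constructs it refuses to translate. The target-type magic checks, the pe.entry_point handling and the sample signatures are choices made for this demonstration, not something the post or ClamAV prescribes.

```python
"""Illustrative ClamAV .ndb -> YARA converter (added example, NOT the post's
clamav_to_yara.py). Shows how the .ndb fields (MalwareName:TargetType:Offset:HexSignature)
and the common hex-signature constructs map onto YARA, and reports what it cannot express."""
import re

# Constructed sample input in .ndb format (not taken from a real ClamAV database).
SAMPLE_NDB = """\
Win.Trojan.Example-1:1:*:4d5a90000300000004
Win.Trojan.Example-2:1:EP+0:558bec83ec??5356
Unix.Trojan.Example-3:6:*:68656c6c6f{2-6}776f726c64
Txt.Dropper.Example-4:0:*:636d642f63*706f7765727368656c6c
Doc.Macro.Example-5:2:1024:(41|42)43
Win.Trojan.Example-6:1:*:5f6e{4}!(00|ff)
Win.Trojan.Example-7:1:*:{2}4d5a
"""

# ClamAV target type -> extra YARA condition that pins the file type (1 = PE, 6 = ELF).
TARGET_MAGIC = {1: "uint16(0) == 0x5A4D", 6: "uint32(0) == 0x464C457F"}

TOKEN = re.compile(r"""
    (?P<jump>\{(?P<lo>\d*)(?P<dash>-?)(?P<hi>\d*)\})   # {n} {-n} {n-} {n-m}
  | (?P<star>\*)                                      # any number of bytes
  | \((?P<alt>[0-9a-fA-F]+(?:\|[0-9a-fA-F]+)*)\)      # (aa|bbbb) alternation
  | (?P<byte>[0-9a-fA-F?]{2})                         # aa, a?, ?a, ??
  | (?P<other>.)                                      # anything else: unsupported
""", re.VERBOSE)

class Unsupported(Exception):
    """A ClamAV construct with no direct YARA hex-string equivalent."""

def convert_hex(sig):
    """Translate a ClamAV hex signature body into the contents of a YARA hex string."""
    parts = []
    for m in TOKEN.finditer(sig):
        if m.group("jump"):
            lo, hi = m.group("lo"), m.group("hi")
            if not lo and not hi:
                raise Unsupported("empty jump")
            parts.append(f"[{lo}]" if not m.group("dash") else f"[{lo or 0}-{hi}]")
        elif m.group("star"):
            parts.append("[-]")                          # '*' -> unbounded jump
        elif m.group("alt"):
            alts = m.group("alt").split("|")
            if any(len(a) % 2 for a in alts):
                raise Unsupported("odd-length alternative")
            spaced = [" ".join(a[i:i + 2] for i in range(0, len(a), 2)).upper() for a in alts]
            parts.append("( " + " | ".join(spaced) + " )")
        elif m.group("byte"):
            parts.append(m.group("byte").upper())
        else:                                            # '!' negation, (B)/(L)/(W) markers, ...
            raise Unsupported(f"construct {m.group('other')!r} has no YARA equivalent")
    if not parts or parts[0].startswith("[") or parts[-1].startswith("["):
        raise Unsupported("YARA hex strings cannot begin or end with a jump")
    return " ".join(parts)

def yara_identifier(name):
    """ClamAV names contain dots and dashes; YARA rule names may not."""
    ident = re.sub(r"\W", "_", name)
    return ident if re.match(r"[A-Za-z_]", ident) else "_" + ident

def convert_ndb(ndb_text):
    """Return (yara_rules_text, [(signature_name, reason_skipped), ...])."""
    rules, skipped, need_pe = [], [], False
    for line in ndb_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            skipped.append((line, "malformed line"))
            continue
        name, target, offset, sig = fields[:4]               # optional MinFL/MaxFL ignored
        target = int(target) if target.isdigit() else 0
        try:
            hexstr = convert_hex(sig)
            if offset == "*":
                where = ""
            elif offset.isdigit():
                where = f" at {offset}"
            elif offset.startswith("EP+") and target == 1:   # needs the YARA pe module
                where = f" at pe.entry_point + {int(offset[3:])}"
                need_pe = True
            else:                                            # EOF-n, Sx+n, SL+n: left for manual work
                raise Unsupported(f"offset {offset!r} not translated")
        except Unsupported as exc:
            skipped.append((name, str(exc)))
            continue
        cond = " and ".join(filter(None, [TARGET_MAGIC.get(target), f"$a{where}"]))
        rules.append(f"rule {yara_identifier(name)}\n{{\n    meta:\n        clamav_name = \"{name}\"\n"
                     f"    strings:\n        $a = {{ {hexstr} }}\n    condition:\n        {cond}\n}}\n")
    header = 'import "pe"\n\n' if need_pe else ""
    return header + "\n".join(rules), skipped

if __name__ == "__main__":
    text, skipped = convert_ndb(SAMPLE_NDB)
    print(text, *[f"# skipped {n}: {r}" for n, r in skipped], sep="\n")
```

The point of the skipped list is that the signatures a converter cannot express (negated alternations, boundary markers, section-relative offsets, a leading jump) surface as a short report instead of as one broken rule buried in a 200,000-line file.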

Pretty cool!

offsec training post 1

So this past weekend I started the Offensive Security Training course, Penetration Testing with Kali Linux, and so far so good. The course material was downloaded without any issues, but the VM took a little bit. I was able to get everything that first night though, and tested my connection to the lab environment, which worked without a single issue. Yeah!

PWK by OSCP
Pentesting with Kali

The material is well done, easy to follow, and easy to understand. I have gone through the first third so far at least once, a good chunk of it twice, and some sections many more times. I have been taking notes as I go through the material, so I can have steps and testing ideas handy when I hit the lab. This leads me to go back and repeat things once or twice.

You might be able to tell that I have not been able to tackle anything in the lab just yet, other than testing my connection. I wanted to go through a good portion of the material first, and “sharpen my axe” so to speak. I did spend a large chunk of time with the external OSINT. I wanted to gather as much as I could externally, before getting started internally. This gave me some possible information I might be able to use in the lab environment. Maybe giving me some ideas of where I should first swing at the tree.

There was a good portion of this weekend spent playing puzzles, or cars, or something with my daughter as well. Plus chores, like laundry, shopping, and whatnot. I have the week off from work to really dig into the materials starting this morning, so we will see if I can pick up the pace a little. (Already this morning I do not see much success with this, as my chat client is exploding. Honestly, I had forgotten to turn it off. Crap.) Anyway,

Let me tackle that and get started on my course again!