leogasparini/detection-rules

GitHub: leogasparini/detection-rules

A collection of YARA and Sigma detection rules built from threat intelligence and incident response experience, providing tested, ready-to-use detection content with MITRE ATT&CK mappings.


# Detection Rules

[![Test YARA rules](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/9f8d7dc46f225029.svg)](https://github.com/leogasparini/detection-rules/actions/workflows/test-yara.yml) [![Test Sigma rules](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/1cae965d14225034.svg)](https://github.com/leogasparini/detection-rules/actions/workflows/test-sigma.yml)

[YARA](https://virustotal.github.io/yara/) and [Sigma](https://sigmahq.io/) detection rules derived from threat intelligence and incident response.

## Structure

```
rules/
  yara/                 — File-based detection rules
  sigma/                — Log-based detection rules (one rule per file)
    file_event/
    process_creation/
    network_connection/
    dns_query/
tests/
  true_positives/       — Samples that MUST trigger YARA rules
  true_negatives/       — Samples that MUST NOT trigger YARA rules
  expected/             — Per-sample expected rule mappings
docs/                   — Incident references
```

## Usage

### YARA

```
yara rules/yara/<rule>.yar /path/to/scan -r
```

### Sigma

Convert to CrowdStrike LogScale:

```
python scripts/02_convert_sigma_rule_simple.py rules/sigma/<category>/<rule>.yml
```

## Rule standards

- Every rule carries a [MITRE ATT&CK](https://attack.mitre.org/) mapping
- CVE references are given where applicable
- Each Sigma file contains exactly one rule; multi-document YAML is not used
- YARA rules must include `meta.description` and `meta.author`
- Sigma rules follow the [SigmaHQ rule convention](https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/sigmahq-rule-convention.md)

## Local testing

### YARA

Requires [YARA](https://virustotal.github.io/yara/) (`brew install yara` / `apt install yara`).

```
# Compile check
yara rules/yara/mini_shai_hulud.yar /dev/null

# True positives (expected to match)
yara rules/yara/mini_shai_hulud.yar tests/true_positives/ -r

# True negatives (expected not to match)
yara rules/yara/mini_shai_hulud.yar tests/true_negatives/ -r
```

### Sigma

Requires [sigma-cli](https://github.com/SigmaHQ/sigma-cli).

```
pip install sigma-cli pySigma-validators-sigmaHQ
sigma check rules/sigma/ -r
```
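The rule standards above (one rule per Sigma file, an ATT&CK mapping on every rule, `meta.description` and `meta.author` on every YARA rule) are the kind of thing worth catching before `sigma check` or the CI workflows run. The linter below is an added example written for this page, not a script from the repository: it uses only the Python standard library, the function names `check_sigma` and `check_yara` are ours, the sample rule texts are constructed rather than taken from `rules/`, and it assumes the ATT&CK mapping is expressed as SigmaHQ-style `attack.tNNNN` tags and that YARA rules close with a `}` at the start of a line.

```python
"""Lint the README's rule standards for Sigma and YARA text.

Added example, not part of the repository. Standard library only.
"""
import re
from typing import Dict, List

# Minimum top-level keys a Sigma rule needs to be usable (assumed set).
REQUIRED_SIGMA_KEYS = ("title", "id", "logsource", "detection", "level")
# SigmaHQ convention: ATT&CK technique tags look like attack.t1059 or attack.t1059.001.
ATTACK_TAG = re.compile(r"^\s*-\s*attack\.t\d{4}(?:\.\d{3})?\s*$", re.MULTILINE)
YAML_DOC_SEP = re.compile(r"^---\s*$", re.MULTILINE)
# A YARA rule: optional modifiers, name, anything up to '{', body up to a '}' at line start.
YARA_RULE = re.compile(r"^(?:(?:private|global)\s+)*rule\s+(\w+)[^{]*\{(.*?)^\}",
                       re.DOTALL | re.MULTILINE)
# The meta section ends where the strings: or condition: section begins.
YARA_META = re.compile(r"meta\s*:(.*?)(?=^\s*(?:strings|condition)\s*:)",
                       re.DOTALL | re.MULTILINE)


def check_sigma(text: str) -> List[str]:
    """Return the violations for one Sigma file; an empty list means clean."""
    issues: List[str] = []
    # A '---' with any content before it starts a second YAML document.
    for sep in YAML_DOC_SEP.finditer(text):
        if text[: sep.start()].strip():
            issues.append("multiple YAML documents in one file")
            break
    for key in REQUIRED_SIGMA_KEYS:
        if not re.search(rf"^{key}\s*:", text, re.MULTILINE):
            issues.append(f"missing top-level key '{key}'")
    if not ATTACK_TAG.search(text):
        issues.append("no MITRE ATT&CK technique tag (attack.tNNNN)")
    return issues


def check_yara(text: str) -> Dict[str, List[str]]:
    """Map each rule name in a YARA file to its list of violations."""
    results: Dict[str, List[str]] = {}
    for match in YARA_RULE.finditer(text):
        name, body = match.group(1), match.group(2)
        issues: List[str] = []
        meta = YARA_META.search(body)
        if meta is None:
            issues.append("no meta section")
        else:
            for field in ("description", "author"):
                if not re.search(rf"^\s*{field}\s*=", meta.group(1), re.MULTILINE):
                    issues.append(f"meta.{field} missing")
        results[name] = issues
    return results


# Constructed sample inputs (not rules from the repository).
SIGMA_OK = """title: Constructed single-document sample
id: 00000000-0000-4000-8000-000000000001
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'constructed-marker'
    condition: selection
level: medium
"""

SIGMA_BAD = """title: Constructed multi-document sample
id: 00000000-0000-4000-8000-000000000002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains: 'constructed-marker'
    condition: selection
---
title: Second rule in the same file (violates one-rule-per-file)
id: 00000000-0000-4000-8000-000000000003
level: low
"""

YARA_SAMPLE = r'''
rule good_rule {
    meta:
        description = "Constructed sample that satisfies the README standard"
        author = "example"
    strings:
        $a = "constructed-marker"
    condition:
        $a
}

rule bad_rule {
    meta:
        reference = "placeholder, no description or author"
    strings:
        $a = "constructed-marker"
    condition:
        $a
}
'''

if __name__ == "__main__":
    print("SIGMA_OK:", check_sigma(SIGMA_OK))
    print("SIGMA_BAD:", check_sigma(SIGMA_BAD))
    print("YARA_SAMPLE:", check_yara(YARA_SAMPLE))
```

To run it over the repository, read each `rules/sigma/**/*.yml` into `check_sigma` and each `rules/yara/*.yar` into `check_yara` and fail the commit on any non-empty result; `sigma check` and the YARA compile step remain the authoritative validation, this only front-loads the standards that those tools do not enforce.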