Along with cryptocurrency addresses, Tor Hidden Service addresses (.onion URLs) are unusual enough that their presence in a file often points to something interesting.
Like my cryptocurrency address rules, this one relies on regular expression matching, so it may come with a significant performance cost when scanning large volumes of files.
rule TTP_contains_onion_address {
    meta:
        description = "Matches regex for .onion addresses associated with Tor Hidden Services."
        last_modified = "2024-01-11"
        author = "@petermstewart"
        DaysofYara = "11/100"
    strings:
        $r1 = /[a-z2-7]{16}\.onion/ fullword ascii wide
        $r2 = /[a-z2-7]{55}d\.onion/ fullword ascii wide
    condition:
        filesize < 5MB and
        any of them
}
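The two regexes match the shape of v2 (16 base32 characters) and v3 (56 base32 characters, always ending in "d" because the trailing version byte 0x03 encodes to that letter) addresses, but shape alone says nothing about whether a v3 hit is a real address. As an added example that is not part of the original post or its rule set, the Python below applies the same patterns to a buffer and then goes one step further for v3 hits: it decodes the address and verifies the checksum and version byte defined in Tor's rend-spec-v3, which is a cheap way to triage false positives from the regex. The sample data, including the placeholder public key, is constructed for the example.

```python
import base64
import hashlib
import re

# The two patterns from the YARA rule above; \b stands in for YARA's fullword.
ONION_V2 = re.compile(r"\b[a-z2-7]{16}\.onion\b")
ONION_V3 = re.compile(r"\b[a-z2-7]{55}d\.onion\b")


def v3_checksum(pubkey: bytes, version: int = 3) -> bytes:
    # rend-spec-v3: CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    # onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"; 35 bytes -> 56 chars
    raw = pubkey + v3_checksum(pubkey) + bytes([3])
    return base64.b32encode(raw).decode().lower() + ".onion"


def is_valid_v3(addr: str) -> bool:
    # Beyond the regex: decode and verify the embedded checksum and version byte.
    if not addr.endswith(".onion"):
        return False
    label = addr[:-len(".onion")]
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label, casefold=True)
    except ValueError:
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    return version == 3 and checksum == v3_checksum(pubkey, version)


def find_onions(data: bytes) -> list:
    # Returns (address, verdict) per regex hit; a v3 hit that fails its checksum is flagged.
    text = data.decode("latin-1")
    hits = [(m.group(), "v2") for m in ONION_V2.finditer(text)]
    for m in ONION_V3.finditer(text):
        hits.append((m.group(), "v3" if is_valid_v3(m.group()) else "v3-bad-checksum"))
    return hits


# Constructed sample data: a placeholder key (not a real service key) and a v2-shaped string.
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_V3 = encode_v3(SAMPLE_PUBKEY)
# Corrupt a base32 character that lies entirely inside the checksum bytes (bits 260-264).
TAMPERED_V3 = SAMPLE_V3[:52] + ("a" if SAMPLE_V3[52] != "a" else "b") + SAMPLE_V3[53:]
SAMPLE = b"\n".join([b"hs: " + SAMPLE_V3.encode(), b"old: abcdefghijklmnop.onion",
                     b"bad: " + TAMPERED_V3.encode(), b"not: xyz.onion"])

if __name__ == "__main__":
    for addr, verdict in find_onions(SAMPLE):
        print(verdict, addr)
```

The checksum check only helps for v3; v2 addresses are a truncated hash with no self-check, so those hits can only be triaged by context. Only the ASCII half of the rule is reproduced here; to mirror the `wide` modifier, decode the buffer as UTF-16LE as well.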
Find the rest of my 100DaysofYARA posts here, and the rules themselves on my GitHub repository.