fkie-cad · jstucke · Apr 17, 2025 · Apr 22, 2025
diff --git a/src/plugins/analysis/software_components/signatures/00_meta_filter.yara b/src/plugins/analysis/software_components/signatures/00_meta_filter.yara
@@ -2,11 +2,11 @@ import "magic"
 
 private rule no_text_file
 {
-	meta:
-		software_name = "magic"
-		open_source = true
-		website = "https://www.fkie.fraunhofer.de/"
-		description = "no text_file_rule"
-	condition:
-		(magic.mime_type() != "text/plain" and magic.mime_type() != "text/html") or test_flag
+    meta:
+        software_name = "magic"
+        open_source = true
+        website = "https://www.fkie.fraunhofer.de/"
+        description = "no text_file_rule"
+    condition:
+        (magic.mime_type() != "text/plain" and magic.mime_type() != "text/html") or test_flag
 }
diff --git a/src/plugins/analysis/software_components/signatures/bootloader.yara b/src/plugins/analysis/software_components/signatures/bootloader.yara
@@ -1,10 +1,10 @@
 rule UBoot
 {
-	meta:
-		software_name = "U-Boot"
-		open_source = true
-		website = "http://www.denx.de/wiki/U-Boot"
-		description = "The Universal Boot Loader"
+    meta:
+        software_name = "U-Boot"
+        open_source = true
+        website = "http://www.denx.de/wiki/U-Boot"
+        description = "The Universal Boot Loader"
     strings:
         $a = /U-Boot \d+\.\d+\.\d+/ nocase ascii wide
     condition:

diff --git a/src/plugins/analysis/software_components/signatures/crypto.yara b/src/plugins/analysis/software_components/signatures/crypto.yara
@@ -1,11 +1,56 @@
+rule CryptoPP {
+    meta:
+        software_name = "Crypto++"
+        open_source = true
+        website = "https://www.cryptopp.com/"
+        description ="Free C++ library for cryptographic schemes library"
+    strings:
+        $a = "this object doesn't support resynchronization"
+        $b = "Clone() is not implemented yet."
+        $c = "CryptoMaterial: this object does not support precomputation"
+        $d = "BufferedTransformation: this object doesn't allow input"
+        $e = "StreamTransformation: this object doesn't support random access"
+        $f = "BaseN_Encoder: Log2Base must be between 1 and 7 inclusive"
+        $g = "RandomNumberGenerator: IncorporateEntropy not implemented"
+        $h = "block size of underlying block cipher is not 16"
+        $i = "DigestSize must be 4, 6, 8, 10, 12, 14, or 16"
+    condition:
+        3 of them
+}
+
+rule LibreSSL {
+    meta:
+        software_name = "LibreSSL"
+        open_source = true
+        website = "https://www.libressl.org/"
+        description ="LibreSSL is a version of the TLS/crypto stack forked from OpenSSL in 2014"
+    strings:
+        $a = /LibreSSL \d\.\d{1,2}\.\d{1,2}/
+    condition:
+        $a and no_text_file
+}
+
+rule Mbed_TLS {
+    meta:
+        software_name = "Mbed TLS"
+        open_source = true
+        website = "https://www.trustedfirmware.org/projects/mbed-tls/"
+        description ="C library implementing cryptographic primitives and protocols (formerly known as PolarSSL)"
+    strings:
+        // fixme: it is possible to build a smaller variant of the library without this string
+        $a = /([Mm]bed TLS|PolarSSL) \d\.\d{1,2}\.\d{1,2}/
+    condition:
+        $a and no_text_file
+}
+
 rule OpenSSL
 {
-	meta:
-		software_name = "OpenSSL"
-		open_source = true
-		website = "https://www.openssl.org"
-		description ="SSL library"
-		version_regex = "\\d\\.\\d\\.\\d[a-z]{0,2}"
+    meta:
+        software_name = "OpenSSL"
+        open_source = true
+        website = "https://www.openssl.org"
+        description ="SSL library"
+        version_regex = "\\d\\.\\d\\.\\d[a-z]{0,2}"
     strings:
         $a = /OpenSSL( \d+\.\d+\.\d+[a-z]?)?/ nocase ascii wide
     condition:
@@ -14,14 +59,31 @@ rule OpenSSL
 
 rule SSLeay
 {
-	meta:
-		software_name = "SSLeay"
-		open_source = true
-		website = "https://en.wikipedia.org/wiki/SSLeay"
-		description ="SSL library"
+    meta:
+        software_name = "SSLeay"
+        open_source = true
+        website = "https://en.wikipedia.org/wiki/SSLeay"
+        description = "SSL library"
     strings:
         $a = /SSLeay \d+\.\d+\.\d+[a-z]?/ nocase ascii wide
     condition:
         $a and no_text_file
 }
 
+rule wolfSSL {
+    meta:
+        software_name = "wolfSSL"
+        open_source = true
+        website = "https://www.wolfssl.com/"
+        description ="Embedded SSL/TLS Library (formerly CyaSSL)"
+        _version_function = "wolfSSL_lib_version"
+    strings:
+        // the function which yields the version as string (available since version 3.6.0)
+        $a = "wolfSSL_lib_version"
+        // error strings (should be in all versions)
+        $b = "handshake layer not ready yet, complete first"
+        $c = "non-blocking socket wants data to be read"
+        $d = "error during rsa priv op"
+    condition:
+        $a or ($b and $c and $d) and no_text_file
+}
diff --git a/src/plugins/analysis/software_components/signatures/database.yara b/src/plugins/analysis/software_components/signatures/database.yara
@@ -1,16 +1,29 @@
  rule sqlite3
 {
-	meta:
-		software_name = "SQLite"
-		open_source = true
-		website = "https://sqlite.org/index.html"
-		description = "a small fast SQL database engine"
-		format_string = true
-		version_regex = "\\d\\.\\d+\\.\\d+\\.?\\d?"
-	strings:
-		$a = "SQLite version %s" ascii
-		$b = /SQLite version \d\.\d+\.\d+(\.\d)?/ ascii
-		$c = /libsqlite3\-\d\.\d+\.\d+(\.\d)?\.so/ ascii
-	condition:
-		($a or $b or $c) and no_text_file
+    meta:
+        software_name = "SQLite"
+        open_source = true
+        website = "https://sqlite.org/index.html"
+        description = "a small fast SQL database engine"
+        format_string = true
+        version_regex = "\\d\\.\\d+\\.\\d+\\.?\\d?"
+    strings:
+        $a = "SQLite version %s" ascii
+        $b = /SQLite version \d\.\d+\.\d+(\.\d)?/ ascii
+        $c = /libsqlite3\-\d\.\d+\.\d+(\.\d)?\.so/ ascii
+    condition:
+        ($a or $b or $c) and no_text_file
+}
+
+rule postgres {
+    meta:
+        software_name = "PostgreSQL"
+        open_source = true
+        website = "https://www.postgresql.org/"
+        description = "a powerful object-relational database system"
+    strings:
+        $a = /\(PostgreSQL\) \d{1,2}\.\d{1,2}\.?\d{0,2}[a-z]{0,5}/
+        $b = /PostgreSQL \d{1,2}\.\d{1,2}\.?\d{0,2}[a-z]{0,5} on [^ ,]+/
+    condition:
+        ($a or $b) and no_text_file
 }
diff --git a/src/plugins/analysis/software_components/signatures/http_server.yara b/src/plugins/analysis/software_components/signatures/http_server.yara
@@ -1,65 +1,65 @@
 rule lighttpd {
-	meta:
-		software_name = "lighttpd"
-		open_source = true
-		website = "https://www.lighttpd.net/"
-		description = "Lighttpd is a web-server optimized for low memory and cpu usage."
-	strings:
-		$a = /lighttpd[-\/]\d+\.\d+\.\d+/ ascii
-	condition:
-		$a and no_text_file
+    meta:
+        software_name = "lighttpd"
+        open_source = true
+        website = "https://www.lighttpd.net/"
+        description = "Lighttpd is a web-server optimized for low memory and cpu usage."
+    strings:
+        $a = /lighttpd[-\/]\d+\.\d+\.\d+/ ascii
+    condition:
+        $a and no_text_file
 }
 
 rule GoAhead
 {
-	meta:
-		software_name = "GoAhead"
-		open_source = true
-		website = "http://embedthis.com/goahead/"
-		description = "Web-Server"
-	strings:
-		$a = /GoAhead-Webs/ nocase ascii wide
-	condition:
-		$a and no_text_file
+    meta:
+        software_name = "GoAhead"
+        open_source = true
+        website = "http://embedthis.com/goahead/"
+        description = "Web-Server"
+    strings:
+        $a = /GoAhead-Webs/ nocase ascii wide
+    condition:
+        $a and no_text_file
 }
 
 rule mini_httpd
 {
-	meta:
-		software_name = "mini_httpd"
-		open_source = true
-		website = "https://acme.com"
-		description = "small HTTP server"
-	strings:
-		$a = /mini_httpd\/\d\.\d+ \d{2}[a-z]{3}\d{4}/ ascii wide
-	condition:
-		$a and no_text_file
+    meta:
+        software_name = "mini_httpd"
+        open_source = true
+        website = "https://acme.com"
+        description = "small HTTP server"
+    strings:
+        $a = /mini_httpd\/\d\.\d+ \d{2}[a-z]{3}\d{4}/ ascii wide
+    condition:
+        $a and no_text_file
 }
 
 rule nginx
 {
-	meta:
-		software_name = "nginx"
-		open_source = true
-		website = "https://www.nginx.com/"
-		description = "Web-Server"
-	strings:
-		$a = /nginx version: nginx\/\d+\.\d+\.\d+/ nocase ascii wide
-	condition:
-		$a and no_text_file
+    meta:
+        software_name = "nginx"
+        open_source = true
+        website = "https://www.nginx.com/"
+        description = "Web-Server"
+    strings:
+        $a = /nginx version: nginx\/\d+\.\d+\.\d+/ nocase ascii wide
+    condition:
+        $a and no_text_file
 }
 
 rule eCosWebServer
 {
-	meta:
-		software_name = "eCos Embedded Web Server"
-		open_source = true
-		website = "https://www.ecoscentric.com"
-		description = "Web-Server"
-		format_string = true
-	strings:
-		$a = "eCos Embedded Web Server" nocase ascii wide
-		$b = "Server: %s" nocase ascii wide
-	condition:
-		$a and $b and no_text_file
+    meta:
+        software_name = "eCos Embedded Web Server"
+        open_source = true
+        website = "https://www.ecoscentric.com"
+        description = "Web-Server"
+        format_string = true
+    strings:
+        $a = "eCos Embedded Web Server" nocase ascii wide
+        $b = "Server: %s" nocase ascii wide
+    condition:
+        $a and $b and no_text_file
 }
diff --git a/src/plugins/analysis/software_components/signatures/kernel_modules.yara b/src/plugins/analysis/software_components/signatures/kernel_modules.yara
@@ -1,10 +1,10 @@
 rule NetUSB
 {
-	meta:
-		software_name = "KCodes NetUSB"
-		open_source = false
-		website = "https://www.kcodes.com"
-		description = "Kernel module for USB over IP"
+    meta:
+        software_name = "KCodes NetUSB"
+        open_source = false
+        website = "https://www.kcodes.com"
+        description = "Kernel module for USB over IP"
     strings:
         $a = "KC NetUSB General Driver"
         $b = "NetUSB module for Linux"