Hello Community,
I am attempting to implement the detection rule below in SecOps but keep getting an error message when I test or attempt to save the rule.
“parsing: error with token: ":" expected '=' between meta assignment key and value line: 11 column: 12-13”
rule MAL_Dropper_NetSupportRAT {
    meta:
        author = "Sam"
        description = "Detects a dropper that delivers a decoy ChatGPT Installer and NetSupport RAT"
        hash = "d86f647f3dfa6a53de7b531cb590636331f83afcea60d4b3d44de5ea3b7d33af"
        malware = "NetSupport"
        malware_id = "TWOU5d"
        category = "MALWARE"
    strings:
        // dropped files
        $d1 = "ChatGPT Installer.exe"
        $d2 = "setup.exe"
        // netsupport strings
        $n1 = "NetSupport" nocase
        $n2 = "install_netsupport_manager_silently"
        $n3 = " [removed by moderator] "
    condition:
        uint16(0) == 0x5A4D and
        all of ($d*) and
        2 of ($n*)
}
I’m getting similar error messages for rules that have “strings:” in them. What could be wrong?
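Editor's note, added here and not part of the original post: Google SecOps rules are written in YARA-L 2.0, which has no `strings:` section and matches UDM telemetry events rather than file bytes, so the file-content checks above (MZ header, embedded strings) have no direct equivalent. A YARA-L rule carries the same `meta` block but uses `events`, optional `match`/`outcome`, and `condition` sections. The rule below is an added example of that shape, keyed on process-launch events for the dropped decoy name or the dropper hash from the post; the UDM field paths (`target.process.file.full_path`, `target.process.file.sha256`) are assumed to be populated by the ingested EDR telemetry.

```yara-l
rule MAL_Dropper_NetSupportRAT_Launch {
  meta:
    author = "Sam"
    description = "Execution of the decoy ChatGPT Installer or the known NetSupport RAT dropper"
    hash = "d86f647f3dfa6a53de7b531cb590636331f83afcea60d4b3d44de5ea3b7d33af"
    malware = "NetSupport"
    malware_id = "TWOU5d"
    category = "MALWARE"
    severity = "HIGH"

  events:
    // Process launch telemetry; byte-level checks from the YARA rule
    // (MZ header, embedded strings) are not expressible on UDM events.
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $host = $e.principal.hostname

    // Decoy installer name from the dropper, or the dropper's own SHA-256.
    // setup.exe alone is far too generic to alert on, so it is left out.
    (
      $e.target.process.file.full_path = /ChatGPT Installer\.exe$/ nocase or
      $e.target.process.file.sha256 = "d86f647f3dfa6a53de7b531cb590636331f83afcea60d4b3d44de5ea3b7d33af"
    )

  match:
    $host over 1h

  condition:
    $e
}
```

File-content matching with a classic YARA rule belongs in the endpoint or sandbox tooling that feeds SecOps, with the resulting verdicts ingested as events the YARA-L rule can reference.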