I am trying to create a Yara rule using the ssdeep fuzzy hashing technique. I understand that my Yara rule should look like this:
import "hash"

rule SuspiciousSSDeep {
    meta:
        description = "Detects suspicious files based on ssdeep fuzzy hashing"
    strings:
        $ssdeep_hash = "ssdeep:"
    condition:
        hash.ssdeep(0, filesize) == $ssdeep_hash
}
But when I launch my Yara rule I am getting an error: "invalid field name "ssdeep"".
I am using Yara 4.5, and my Yara installation seems to support the hash module, because when I launch this command it is listed among the modules present in the installation:
Would you know why ssdeep is not recognized as part of the hash module? It is true that ssdeep is not mentioned in the Yara documentation https://yara.readthedocs.io/en/v3.4.0/modules/hash.html, so maybe this information is wrong.
Would someone know how to use ssdeep fuzzy hashing in a Yara rule?
I tried to find another way to implement ssdeep in a Yara rule, but I couldn't find one...
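For reference, here is an added example (not code from the question) showing the shape of a hash-module rule that Yara 4.x actually compiles. The hash module exposes md5, sha1, sha256, crc32 and checksum32 and has no ssdeep function, which is why the compiler reports "invalid field name". Two other points the original rule trips over: a digest is compared against a quoted string literal in the condition, not against a $string pattern from the strings section, and fuzzy hashes such as ssdeep are compared by a similarity score (0 to 100) rather than by equality, so an == check would be the wrong operation even in a tool that supports them. The all-zero hash values below are placeholders, not real indicators.

```yara
import "hash"

// Added example: exact-match hashing with the functions the hash module
// really provides. Each call hashes the byte range [offset, offset + size),
// here the whole file, and returns a lowercase hex string.
rule KnownBadByExactHash
{
    meta:
        description = "Matches a file whose whole-file digest equals a known value"
        note        = "hash values are placeholders; replace with real digests"

    condition:
        // Compare the computed digest with a string literal (not a $pattern).
        hash.md5(0, filesize)    == "00000000000000000000000000000000" or
        hash.sha256(0, filesize) == "0000000000000000000000000000000000000000000000000000000000000000"
}

// Added example: hashing only a sub-range, e.g. the first 512 bytes,
// which is useful when a file header is stable but the tail varies.
rule KnownHeaderByHash
{
    meta:
        description = "Matches a file whose first 512 bytes have a known SHA-1"

    condition:
        filesize >= 512 and
        hash.sha1(0, 512) == "0000000000000000000000000000000000000000"
}
```

If fuzzy matching is the goal, the usual approach is to compute and compare ssdeep digests outside Yara (for example with the ssdeep command-line tool, which prints a similarity score) and to use Yara for exact digests or content patterns.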