Skip to content

Valhalla#

README

Valhalla#

The Valhalla analyzer queries the Valhalla YARA rule databased and retrieves the matching YARA rules.

Requirements#

Scope#

The result contains all matching YARA rules including

The result does not contain matches with YARA rules

  • submitted by 3rd parties into the public rule repository due to legal restrictions
  • rules that are tagged as confidential and can therefore only be used in Nextron's scanner THOR
  • rules that require external variables and can therefore only be used in Nextron's scanner THOR

The database contains YARA rule matches on samples submitted to Virustotal and Nextron's internal sample matching, which accounts for less than 1% of the matches within that database. The database does not contain information on samples that have not been transmitted to Virustotal.

Matches#

The matches in the long report link to rule info pages that contain more information, like other matching samples, a report or public source in which the sample from which that rule was derived has been mentioned.

They also include the Antivirus detection rate at the moment of the first submission to Virustotal, which gives a good indication of the overall coverage.

Valhalla_GetRuleMatches#

Author: Florian Roth
License: AGPL-V3
Version: 0.3.1
Supported observables types:
- hash
Registration required: False
Subscription required: False
Free subscription: False
Third party service: https://valhalla.nextron-systems.com

Description#

Gets matching YARA rules for a given sample SHA256 hash

Configuration#

key API key for Valhalla
Default value if not configured 1111111111111111111111111111111111111111111111111111111111111111
Type of the configuration item string
The configuration item can contain multiple values False
Is required True

Templates samples for TheHive#

Valhalla Get Hashes short report sample

screenshot


Last update: November 15, 2021 06:39:13