Get Master YARA file
The publications/get_master_yara endpoint is used to display a Master YARA file. Results are provided in base64 gzip format, and must be decoded.
Request
Request method: POST
Endpoint: https://tip.kaspersky.com/api/publications/get_master_yara
Query parameters:
Expected parameters
Parameter | Description
report_group | Report group. Required parameter. Available values: fin (Master file will contain information only from Crimeware Threat Intelligence reports); apt (Master file will contain information only from APT Intelligence reports).
Request example:
Request a Master YARA file for APT Intelligence reports:
curl -u <user_name> -H 'Content-Length: 0' --cert <full path to the certificate CERT_NAME.pem on your computer> -X POST 'https://tip.kaspersky.com/api/publications/get_master_yara?report_group=apt'
Responses
200 OK
Request processed successfully.
The endpoint returns a report that includes all available reports at Kaspersky Threat Intelligence Portal in YARA Rules format.
For more information on YARA Rules, see https://yara.readthedocs.io
Result example:
import "math"
import "pe"
rule apt_ZZ_Ismdoor_crypto {
    meta:
        author = "Kaspersky Lab"
        copyright = "Kaspersky Lab"
        date = "22-2-2017"
        report = "Ismdoor - possible Shamoon attack vector found in Saudi Arabia"
        reference = "https://apt.threatintel.kaspersky.com/download.php?doc=intelcustomers/2017_02_Ismdoor-possibleShamoonattackvectorfoundinSaudiArabia/Ismdoor%20-%20possible%20Shamoon%20attack%20vector%20found%20in%20Saudi%20Arabia.pdf"
    strings:
        $a1 = { A7 00 [2-10] D4 00 [2-10] D0 00 [2-10] D2 00 [2-10] D8 00 [2-10] A5 00 [2-10] B6 00 [2-10] 26 01 [2-10] 94 01 [2-10] 82 01 [2-10] 90 01 [2-10] 87 01 [2-10] 4E 02 [2-10] A5 02}
    condition:
        uint16(0) == 0x5A4D and
        all of them
}
...more rules
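Decoding the base64 gzip result, as an added example that is not part of the original documentation: it validates the base64, checks the gzip magic bytes, caps the decompressed size, and lists rule names with a digest for change tracking. It assumes the base64 string has already been extracted from the response body (the page does not show the response envelope); the function names, the size limit and the sample rules are constructed for illustration.

```python
import base64
import gzip
import hashlib
import io
import re

MAX_DECODED_BYTES = 64 * 1024 * 1024  # assumed ceiling; tune to your feed size

def decode_master_yara(payload_b64: str, limit: int = MAX_DECODED_BYTES) -> str:
    """base64 -> gunzip -> UTF-8 text, refusing oversized or non-gzip input."""
    # Strip line wrapping, then reject anything outside the base64 alphabet.
    raw = base64.b64decode("".join(payload_b64.split()), validate=True)
    if raw[:2] != b"\x1f\x8b":  # gzip magic bytes
        raise ValueError("decoded payload is not gzip data")
    with gzip.GzipFile(fileobj=io.BytesIO(raw)) as gz:
        data = gz.read(limit + 1)  # bounded read guards against gzip bombs
    if len(data) > limit:
        raise ValueError("decompressed rule file exceeds the size limit")
    return data.decode("utf-8")

def summarize(rules_text: str) -> dict:
    """Rule names and a digest, for change tracking before deployment."""
    names = re.findall(r"^\s*(?:(?:private|global)\s+)*rule\s+(\w+)", rules_text, re.M)
    digest = hashlib.sha256(rules_text.encode("utf-8")).hexdigest()
    return {"rule_count": len(names), "rule_names": names, "sha256": digest}

# Constructed sample standing in for the API result (not real Kaspersky rules).
SAMPLE_RULES = (
    'rule constructed_example_one { strings: $a = "example-one" condition: $a }\n'
    'private rule constructed_example_two { condition: uint16(0) == 0x5A4D }\n'
)
SAMPLE_B64 = base64.b64encode(gzip.compress(SAMPLE_RULES.encode("utf-8"))).decode("ascii")

if __name__ == "__main__":
    text = decode_master_yara(SAMPLE_B64)
    info = summarize(text)
    print(f"{info['rule_count']} rules, sha256={info['sha256']}")
    for name in info["rule_names"]:
        print(" ", name)
```

Comparing the digest against the previous download shows whether the Master file changed before it is pushed to scanners.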
401 Unauthorized
Request not processed: user authentication failed.
Make sure you enter the correct credentials, and then try to run the query again. If the problem recurs, please contact your dedicated Kaspersky Technical Account Manager.
403 Forbidden
Request not processed: running requests by using an API token is forbidden for this service.
You can use an API token only for running Threat Lookup API requests.
Other Kaspersky Threat Intelligence Portal services require a certificate; API token usage is not available for them.
451 Unavailable For Legal Reasons