rule derusbi_kernel
{
    meta:
        description = "Derusbi Driver version"
        date = "2015-12-09"
        author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
    strings:
	$token1 = "$$$--Hello"     
	$token2 = "Wrod--$$$"   
	$cfg = "XXXXXXXXXXXXXXX"
	$class = ".?AVPCC_BASEMOD@@"
	$MZ = "MZ"

    condition:
        $MZ at 0 and $token1 and $token2 and $cfg and $class
}

rule derusbi_linux
{
    meta:
        description = "Derusbi Server Linux version"
        date = "2015-12-09"
        author = "Airbus Defence and Space Cybersecurity CSIRT - Fabien Perigaud"
    strings:
	$PS1 = "PS1=RK# \\u@\\h:\\w \\$"
	$cmd = "unset LS_OPTIONS;uname -a"
	$pname = "[diskio]"
	$rkfile = "/tmp/.secure"
	$ELF = "\x7fELF"

    condition:
        $ELF at 0 and $PS1 and $cmd and $pname and $rkfile
}