Supercharge Your Detection - Nextron Systems

Posted on 30-May-2020

Supercharge Your Detection

Valhalla boosts your detection capabilities with the power of thousands of hand-crafted, high-quality YARA rules.

Our team curates more than 8000 quality-tested YARA rules in 6 different categories: APT, Hack Tools, Malware, Web Shells, Threat Hunting and Exploits. Valhalla's database grows by 1500 YARA rules per year.

With access to Valhalla, you can supercharge your detection by adding most of our highly successful THOR scanner's signatures to your own scan engines.

All rules are performance-optimised and quality-tested against terabytes of goodware and other data.

Rich Meta Data

Valhalla provides rich meta data that adds valuable context to each match, such as a web reference, related threat group campaigns, hashes of the samples for which the rule was initially created and a list of public samples on which the rule has matched so far.

Each rule contains information about the YARA version and modules required to run it.

The API client allows you to retrieve only those rules that your product supports.

The rule’s score and tags indicate its reliability and scope. Both can be used to select the perfect rule set for your application.

Smart API

The Python API allows you to download the subscribed categories as text or as a JSON object. It even has presets for well-known products that support YARA scanning, such as FireEye’s appliances, Tenable, Tanium, CarbonBlack or Symantec MAA. It requires no more than 3 lines of code to retrieve the subscribed YARA rule set.

Strengths of the Set

▪ Meta Data is Key

▪ Huge Curated Rule Set

▪ Flexible API

▪ Quality Tested


Web Site

The website https://valhalla.nextron-systems.com allows you to immediately retrieve your subscribed rules using nothing but a web browser.

Just insert your API key and click on “Get Rules”.

You can also select the “JSON” checkbox to get them in JSON format, or select “DEMO” to test drive this feature with a demo API key, which allows you to retrieve all public YARA rules in the selected format.

The website also contains statistics about the current rule set.

Command Line Client

The comfortable command line client ‘valhalla-cli’ helps to integrate the rule retrieval into your deployment process.

It’s really as simple as it gets.

It can be installed by running the following command:

pip3 install valhallaAPI

The next command retrieves all subscribed rules:

valhalla-cli -k APIKEY

The command line client supports proxy servers and allows you to apply numerous filters, e.g.

▪ Exclude rules with low scores (e.g. threat hunting rules with scores lower than 75)

▪ Exclude rules that wouldn’t work on your scan engine (e.g. “Tanium”)

▪ Retrieve only rules with certain tags (e.g. “CHINA”, “APT”)
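The score, tag and engine-support filters described for the Python API and the command line client can also be applied locally to a rule file you have already downloaded. The following is an added example, not Nextron's valhallaAPI code; the sample rules are constructed, and the meta field names `score` and `tags` as well as the module detection by `module.` references are assumptions of this example.

```python
"""Apply valhalla-cli style filters (score, tags, engine support) to a rule file offline."""
import re

# Constructed sample laid out like a retrieved rule set; the rule names, strings
# and the meta field names `score` and `tags` are assumptions for this example.
SAMPLE_RULESET = r'''
import "pe"

rule EXAMPLE_APT_Tool {
   meta: score = 80  tags = "APT, CHINA"
   strings: $s1 = "constructed-apt-marker"
   condition: pe.number_of_sections > 3 and $s1
}
rule EXAMPLE_SUSP_Hunting {
   meta: score = 60  tags = "HUNTING, SUSP"
   strings: $s1 = "constructed-hunting-marker"
   condition: $s1
}
rule EXAMPLE_Webshell_PHP {
   meta: score = 75  tags = "WEBSHELL, PHP"
   strings: $s1 = "<?php constructed"
   condition: $s1
}
'''

RULE_RE = re.compile(r'^rule\s+(\w+).*?^\}', re.M | re.S)              # one rule per match
META_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|\d+)')                      # key = "str" | int
MODULE_RE = re.compile(r'\b(pe|elf|math|hash|dotnet|magic|cuckoo)\.')  # module references
META_BLOCK_RE = re.compile(r'meta:(.*?)(?:strings:|condition:)', re.S)  # just the meta section

def parse_rules(text):
    """Return one dict per rule: name, score, tag set, modules referenced, source text."""
    rules = []
    for m in RULE_RE.finditer(text):
        body = m.group(0)
        block = META_BLOCK_RE.search(body)
        meta = {k: v.strip('"') for k, v in META_RE.findall(block.group(1) if block else "")}
        rules.append({"name": m.group(1), "score": int(meta.get("score", 0)),
                      "tags": {t.strip() for t in meta.get("tags", "").split(",") if t.strip()},
                      "modules": set(MODULE_RE.findall(body)), "text": body})
    return rules

def select_rules(rules, min_score=0, tags=(), unsupported_modules=()):
    """Keep rules scoring >= min_score, carrying any of `tags` (if given), and not using a module the engine lacks."""
    return [r for r in rules
            if r["score"] >= min_score
            and (not tags or r["tags"] & set(tags))
            and not (r["modules"] & set(unsupported_modules))]
```

Joining the `text` of the selected rules (plus the `import` lines the survivors need) gives a rule file tailored to one scan engine, which is what the product presets of the client do for you.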


Integration

The web API allows you to retrieve the perfect set that integrates seamlessly with the platform that you use for YARA scanning.

Depending on your use case, we recommend subscriptions for different rule categories.

Curation

We improve between 300 and 500 old rules per year. These improvements include false positive reductions and the tightening or extension of existing rules.

Supercharge Use Cases


Categories

Valhalla’s rule set is divided into 6 categories based on tags that overlap.

Hacktools

This category contains all kinds of tools used for hacking purposes, such as port scanners, password dumpers, privilege escalation, lateral movement or tunneling tools.

APT

It contains all kinds of hacktools or malware related to threat actor activity. Rules with this tag often have references to certain threat actor reports.

Webshells

This category contains web shells written in PHP, JSP(X) or ASP(X) that attackers drop on web servers to persist and pivot to other systems in the network. It also has many rules for obfuscated web shells.

Threat Hunting

The threat hunting category contains the most extraordinary set of rules for anomaly, obfuscation and suspicious indicator detection.

Malware

This category contains all types of commodity malware: credential stealers, worms, ransomware, cryptocoin miners and all other types of common malware.

Exploits

This category contains rules that detect exploit code, weaponized documents and tools for local as well as remote exploitation.


Special Strengths

APT

▪ High grade rules for malware and tools used by threat groups

▪ Based on public reports, our own undisclosed threat intel work, threat intel partners, threat exchanges and active incident response cases (mainly Europe, Asia and the Middle East)

Threat Hunting

▪ Generic rules / heuristic detection methods focus on methods and obfuscation instead of specific threats

▪ Highly effective in detecting new, yet unknown threats

Web Shells

▪ More than 1500 web shell rules

▪ Often very low antivirus detection ratio

▪ One of the things most EDRs are unable to detect

Growth

The rule set grows by 1000 to 1500 hand-written and quality-tested rules per year.

Delivery

You can download the full subscribed set via web browser or use our public API client written in Python to get a customised rule set that fits your scan engine.

Subscription

We offer subscriptions for each of our rule set categories or the whole curated rule set.

Each subscription includes improvements, fixes and updates on the subscribed categories for 12 months.

Trial

We cannot offer a trial of our rule set.

However, the public API allows you to retrieve and test a streamlined demo rule set, which is an equivalent of the public signature-base that is integrated in our free scanners LOKI and SPARK Core.