Detection Rules

WASMShark uses a custom rule language (.wsr files) for signature-based detection. Rules are evaluated against the analysis report and contribute to the final malice score.

Rule Format

rule RULE_NAME {
    meta:
        description = "Human readable description"
        author      = "WASMShark"
        severity    = CRITICAL
        tags        = mining, crypto, autorun
    condition:
        imports contains "sha256"
        has_start_func
        malice_score > 50
}

Severity Levels

Severity   Score   Meaning
CRITICAL   30      High-confidence malicious behavior
HIGH       15      Strong malicious indicator
MEDIUM     8       Suspicious behavior
LOW        3       Weak indicator

Available Conditions

Import conditions

imports contains "sha256"        # Import name matches pattern
import_count > 5                 # Total import count
is_wasi                          # Has WASI imports

String/IoC conditions

strings contains "stratum"       # String in data sections
ioc contains ".onion"            # IoC pattern match

Crypto conditions

crypto_constant "SHA-256 H0"     # Specific constant present

Score conditions

malice_score > 60
obfusc_score > 40
entropy > 7.0

Structural conditions

has_start_func                   # Auto-executing start section
has_taint                        # Taint flow detected
has_indirect_calls               # call_indirect present
has_custom_sections              # Non-standard sections
function_count > 20
xor_ops > 30

Rule Files

Total: 168 simple detection rules at present (more will be added in the future).

Notable Rules

CRYPTOMINER_WASM

condition:
    imports contains "sha256"
    imports contains "randomx"
    ioc contains "http"

WASI_RANSOM_TRIAD

condition:
    is_wasi
    imports contains "path_rename"
    imports contains "random_get"
    imports contains "fd_write"

CONFIRMED_CRYPTOMINER (composite)

condition:
    crypto_constant "SHA-256 H0"
    imports contains "sha256"
    ioc contains "http"

EVASIVE_MALICIOUS (score-based)

condition:
    malice_score > 60
    obfusc_score > 60
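As an added illustration (not WASMShark's own code), the following minimal Python evaluator ties together the rule format, the severity weights and the condition kinds listed above: it parses .wsr text, checks every condition of a rule against an analysis report and sums the severity weights of the rules that match. The report layout (keys imports, ioc, crypto_constants, numeric score fields and boolean flags) and the sample values are assumptions for the example; WASMShark's real report structure may differ.

```python
import operator, re

# Severity weights from the table above; each matching rule adds its weight.
SEVERITY_SCORE = {"CRITICAL": 30, "HIGH": 15, "MEDIUM": 8, "LOW": 3}
OPS = {">": operator.gt, "<": operator.lt, ">=": operator.ge, "<=": operator.le, "==": operator.eq}
RULE_RE = re.compile(r"rule\s+(\w+)\s*\{(.*?)\n\}", re.S)

def parse_rules(text):
    """Parse .wsr text into (name, severity, [condition lines]) tuples."""
    rules = []
    for name, body in RULE_RE.findall(text):
        meta, _, cond = body.partition("condition:")
        sev = re.search(r"severity\s*=\s*(\w+)", meta)
        conds = [c.split("#")[0].strip() for c in cond.splitlines()]  # drop comments
        rules.append((name, sev.group(1) if sev else "LOW", [c for c in conds if c]))
    return rules

def eval_condition(cond, report):
    """Evaluate one condition line against an analysis-report dict (assumed layout)."""
    if m := re.fullmatch(r'(\w+)\s+contains\s+"([^"]*)"', cond):  # imports/strings/ioc
        return any(m.group(2) in s for s in report.get(m.group(1), []))
    if m := re.fullmatch(r'crypto_constant\s+"([^"]*)"', cond):   # exact constant name
        return m.group(1) in report.get("crypto_constants", [])
    if m := re.fullmatch(r"(\w+)\s*(>=|<=|==|>|<)\s*([\d.]+)", cond):  # numeric scores
        return OPS[m.group(2)](float(report.get(m.group(1), 0)), float(m.group(3)))
    return bool(report.get(cond, False))  # bare flag such as has_start_func or is_wasi

def evaluate(rules, report):  # -> (names of matched rules, score they contribute)
    hits = [(n, s) for n, s, conds in rules if all(eval_condition(c, report) for c in conds)]
    return [n for n, _ in hits], sum(SEVERITY_SCORE.get(s, 0) for _, s in hits)

# Constructed sample: two of the notable rules above, written out in full rule syntax.
SAMPLE_RULES = """rule CRYPTOMINER_WASM {
    meta:
        severity = CRITICAL
    condition:
        imports contains "sha256"
        imports contains "randomx"
        ioc contains "http"
}
rule EVASIVE_MALICIOUS {
    meta:
        severity = HIGH
    condition:
        malice_score > 60
        obfusc_score > 60
}"""
# Constructed report for a miner-like but unobfuscated module (not real tool output).
SAMPLE_REPORT = {"imports": ["env.sha256_hash", "env.randomx_init"],
                 "ioc": ["http://pool.example"], "malice_score": 70, "obfusc_score": 20}
```

Running evaluate(parse_rules(SAMPLE_RULES), SAMPLE_REPORT) matches only CRYPTOMINER_WASM, since obfusc_score stays below the EVASIVE_MALICIOUS threshold; note that a misspelled bare flag simply evaluates to False, so unknown condition names should be linted before a rule is trusted.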

Writing Custom Rules

Add your own .wsr file to the rules/ directory:

cat > rules/my_rules.wsr << 'EOF'
rule MY_CUSTOM_RULE {
    meta:
        description = "My custom detection rule"
        severity    = HIGH
        tags        = custom
    condition:
        imports contains "my_suspicious_import"
        malice_score > 30
}
EOF

python3 wasmshark.py sample.wasm --rules ./rules/

All .wsr files in the rules directory are automatically loaded.