Extending YARA, ClamAV and Zeek with instant Holloman fingerprints

This project started out as an attempt to test the capabilities of AI, prompted by a conversation at the W during RSAC-2026. A few friends had pointed out that AI could implement 90% of the products on the show floor.

[Figure: 5th-order Hilbert plot of prime numbers]

The concept began with identifying a single open-source project that almost all of the companies used in some form. YARA is one of the most embedded tools in the security industry for static analysis; it is baked into most endpoint protection tools.

tl;dr: the project failed, so I did something different. I began to look for ways to reduce friction, and with it the entropy, in cyber security. Friction causes loss; let’s lose less.

My first attempt was to take the YARA-X code base and rewrite it in Go. It took about 3 months of casual vibe coding to understand that AI didn’t have the ability to write performant code in C or Go that could beat either implementation of YARA. At that point I pivoted to another idea I had picked up along the way.

Could AI write a module for YARA-X in Rust, a language I’ve never attempted to learn? If AI could connect some SIMD assembly I’d been using for a decade, I’d be able to run this on modern CPUs and shorten the cyber OODA loop by a few orders of magnitude.

In about a month’s time I was able to get Holloman signatures running in YARA-X, ClamAV, and Zeek. Each of these tools uses a different kind and format of signature. Today I’m able to write about 75K signatures for the top three tools on a couple of 1U boxes.

I used AI for the integration across 6 languages (C, C++, x86_64 SIMD assembly, Go, Rust and Python) and it worked well. I’m sure there are some bugs and mistakes, and I would welcome your feedback. To help with testing I’ve produced 30 days of Holloman signature data covering about 650K signatures matching some 40K variants for each tool.

The reason I’m calling it instant is that the fingerprints are mathematically generated and are very fast (low friction) to calculate, for both matching and rule writing. The fingerprints were calculated using a corpus of 8 million files collected over June 2026. I’ve worked on this project for a decade as a solo founder; this was one month’s work after learning how to work with AI.

A paper on the Zeek and ClamAV Integration

Zeek Holloman3

ClamAV Holloman3

A Module for Yara-X and Holloman3

Holloman3 crate

Signature Feeds for Yara-X, ClamAV and Zeek



Categories: Cyberr, Icewater