From 40ac7482b7d16742b9bb0d6643d93752d3751e61 Mon Sep 17 00:00:00 2001
From: junk
Date: Thu, 9 Jan 2025 17:02:12 -0500
Subject: [PATCH] Update apts/blacktech/apt_waterbear.md

---
 apts/blacktech/apt_waterbear.md | 37 +++++++++++++++++++++++++++------
 1 file changed, 31 insertions(+), 6 deletions(-)

diff --git a/apts/blacktech/apt_waterbear.md b/apts/blacktech/apt_waterbear.md
index 20fea4c..6c6f501 100644
--- a/apts/blacktech/apt_waterbear.md
+++ b/apts/blacktech/apt_waterbear.md
@@ -7,7 +7,7 @@
 */
 /* Rule Set ----------------------------------------------------------------- */
-
+```
 rule Waterbear_1_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
@@ -23,7 +23,8 @@ rule Waterbear_1_Jun17 {
 condition:
 ( uint16(0) == 0x5a4d and filesize < 100KB and all of them )
 }
-
+```
+```
 rule Waterbear_2_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
@@ -41,7 +42,9 @@ rule Waterbear_2_Jun17 {
 condition:
 ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them )
 }
+```
 
+```
 rule Waterbear_4_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
@@ -66,7 +69,9 @@ rule Waterbear_4_Jun17 {
 condition:
 ( uint16(0) == 0x5a4d and filesize < 300KB and 3 of them )
 }
+```
 
+```
 rule Waterbear_5_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
@@ -88,7 +93,9 @@ rule Waterbear_5_Jun17 {
 condition:
 ( uint16(0) == 0x3d53 and filesize < 100KB and ( all of ($a*) or 3 of them ) )
 }
+```
 
+```
 rule Waterbear_6_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
@@ -104,7 +111,10 @@ rule Waterbear_6_Jun17 {
 condition:
 ( uint16(0) == 0x5a4d and filesize < 60KB and all of them )
 }
+``` + +```
 rule Waterbear_7_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
@@ -123,7 +133,10 @@ rule Waterbear_7_Jun17 {
 condition:
 ( uint16(0) == 0x5a4d and filesize < 80KB and all of them )
 }
+``` + +```
 rule Waterbear_8_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
@@ -143,7 +156,10 @@ rule Waterbear_8_Jun17 {
 condition:
 ( uint16(0) == 0x5a4d and filesize < 40KB and all of them )
 }
+``` + +```
 rule Waterbear_9_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
@@ -164,7 +180,9 @@ rule Waterbear_9_Jun17 {
 condition:
 uint16(0) == 0x5a4d and filesize < 30KB and all of ($s*) and ( $a1 or all of ($b*) )
 }
+```
 
+```
 rule Waterbear_10_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
@@ -180,8 +198,8 @@ rule Waterbear_10_Jun17 {
 condition:
 ( uint16(0) == 0x5a4d and filesize < 30KB and all of them )
 }
-
-
+```
+```
 rule Waterbear_11_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
@@ -199,7 +217,10 @@ rule Waterbear_11_Jun17 {
 condition:
 ( uint16(0) == 0x5a4d and filesize < 1000KB and all of them )
 }
+``` + +```
 rule Waterbear_12_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
@@ -215,7 +236,9 @@ rule Waterbear_12_Jun17 {
 condition:
 ( uint16(0) == 0x5a4d and filesize < 2000KB and all of them )
 }
+```
 
+```
 rule Waterbear_13_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
@@ -241,7 +264,8 @@ rule Waterbear_13_Jun17 {
 condition:
 ( uint16(0) == 0x5a4d and filesize < 300KB and 4 of them )
 }
-
+```
+```
 rule Waterbear_14_Jun17 {
 meta:
 description = "Detects malware from Operation Waterbear"
@@ -258,4 +282,5 @@ rule Waterbear_14_Jun17 {
 $s2 = "C:\\recycled" fullword ascii
 condition:
 ( uint16(0) == 0x5a4d and filesize < 8000KB and all of them )
-}
\ No newline at end of file
+}
+```
\ No newline at end of file