Closed Neo23x0 closed 1 year ago
Hi @Neo23x0 :) Thanks for your feedback!
We will implement your recommendations.
We already have support for the reference; the source is meant to be a provider or a vendor. See all the fields we implement/validate here: https://github.com/CybercentreCanada/CCCS-Yara/blob/master/CCCS_YARA.yml
Cheers
Great, thanks
I wonder why you haven't looked at the thousands of published YARA rules before you decided on the fields in your standard.
I recommend the following changes to align your specs with the best practices in the real world:
^ source could imply that the rule was copied from somewhere else, although most often it's derived from a sample or blog article.
what does first imported even mean? It implies that you "import" a YARA rule somewhere and limits the field to that use case.
The prefix `last_` is unnecessary.

Recommended further fields currently missing:
^ indicating the minimal YARA version required to run the rule. This is very important since new modifiers, module features and keywords get added every few months (e.g. `icontains`, `xor`).

e.g.
Furthermore, have you considered using the YARA tags instead of certain fields? For tags of all kinds, one could add a field `tags` and format it as a comma-separated list.

e.g.
Following your approach, e.g. with the fields `mitre_att` and `sharing`, we would get an ever growing specification with many more fields. A field that lists all tags would be more ... practical IMHO.