CybercentreCanada / CCCS-Yara

YARA rule metadata specification and validation utility / Spécification et validation pour les règles YARA
MIT License

Recommended changes #52

Closed Neo23x0 closed 1 year ago

Neo23x0 commented 1 year ago

I wonder why you haven't looked at the thousands of published YARA rules before you've decided on the fields in your standard.

I recommend the following changes to align your specs with the best practices in the real world:

source > reference

^ source could imply that the rule was copied from somewhere else, although most often it's derived from a sample or blog article.

first_imported > date

What does "first imported" even mean? It implies that you "import" a YARA rule somewhere and limits the field to that use case.

last_modified > modified

The prefix last_ is unnecessary.

Recommended further fields currently missing:

minimum_yara

^ indicating the minimal YARA version required to run the rule. This is very important since new modifiers, module features and keywords get added every few months. (e.g. icontains, xor)

e.g.

minimum_yara = "4.2"

Furthermore, have you considered using the YARA tags instead of certain fields? For tags of all kinds, one could add a field tags and format it as a comma separated list.

e.g.


rule EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_1_RID3C7E {
   meta:
      description = "Detects traces of exploitation activity in relation to ProxyNotShell MS Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082"
      author = "Florian Roth"
      reference = "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/"
      date = "2022-12-22 21:14:11"
      score = 70
      customer = "demo"
      license = "CC-BY-NC https://creativecommons.org/licenses/by-nc/4.0/"

      tags = "CVE_2022_41040, CVE_2022_41082, DEMO, EXPLOIT, HKTL, LOG, SCRIPT, T1028, T1059_001, T1086, T1090"
      minimum_yara = "1.7"

   strings:
      $s1 = "/owa/mastermailbox%40outlook.com/powershell" ascii wide
      $sa1 = " 200 " ascii wide
      $sa2 = " POST " ascii wide
      $fp1 = "ClientInfo" ascii wide fullword
      $fp2 = "Microsoft WinRM Client" ascii wide fullword
      $fp3 = "Exchange BackEnd Probes" ascii wide fullword
   condition: 
      all of ( $s* ) and not 1 of ( $fp* )
}

Following your approach, e.g. with the fields mitre_att and sharing, we would get an ever growing specification with many more fields. A field that lists all tags would be more ... practical IMHO.
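A small checker for the fields recommended in the comment above (`reference`, `date`, `minimum_yara`, `tags` as a comma-separated list), added here as an example; it is not part of CCCS-Yara's own validator. The meta section is abridged from the rule posted above, and the installed YARA version (`4.2.3`) is an assumed value.

```python
import re
from datetime import datetime

META_RE = re.compile(r'^\s*(\w+)\s*=\s*(?:"([^"]*)"|(\d+))\s*$', re.M)
TAG_RE = re.compile(r"^[A-Za-z0-9_]+$")
VERSION_RE = re.compile(r"^\d+(\.\d+){1,2}$")
# Sample input: the meta section of the rule posted above, abridged to the fields checked here.
SAMPLE_RULE = '''rule EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_1_RID3C7E {
   meta:
      reference = "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/"
      date = "2022-12-22 21:14:11"
      score = 70
      tags = "CVE_2022_41040, CVE_2022_41082, DEMO, EXPLOIT, HKTL, LOG, SCRIPT, T1028, T1059_001, T1086, T1090"
      minimum_yara = "1.7"
   condition:
      true
}'''

def parse_meta(rule_text):
    """Key/value pairs between 'meta:' and 'strings:'/'condition:'; quoted values stay str, bare ints become int."""
    m = re.search(r"meta:(.*?)(?:strings:|condition:)", rule_text, re.S)
    meta = {}
    for kv in META_RE.finditer(m.group(1) if m else ""):
        meta[kv.group(1)] = kv.group(2) if kv.group(2) is not None else int(kv.group(3))
    return meta

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def valid_date(s):
    """Accept the date formats seen in the rule above (with or without a time part)."""
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%d"):
        try:
            datetime.strptime(s, fmt)
            return True
        except ValueError:
            continue
    return False

def check_meta(meta, installed_yara="4.2.3"):
    """Return a list of problems (empty when the meta passes); installed_yara is an assumed version."""
    problems = [f"missing field: {f}" for f in ("reference", "date", "minimum_yara", "tags") if f not in meta]
    if "reference" in meta and not str(meta["reference"]).startswith(("http://", "https://")):
        problems.append("reference is not a URL")
    if "date" in meta and not valid_date(str(meta["date"])):
        problems.append("date is not YYYY-MM-DD[ HH:MM:SS]")
    mv = str(meta.get("minimum_yara", ""))
    if mv and not VERSION_RE.match(mv):
        problems.append("minimum_yara is not a version string")
    elif mv and version_tuple(mv) > version_tuple(installed_yara):  # rule needs a newer engine than we run
        problems.append(f"rule needs YARA {mv}, installed is {installed_yara}")
    tags = [t.strip() for t in str(meta.get("tags", "")).split(",") if t.strip()]
    if "tags" in meta and not tags:
        problems.append("tags is empty")
    problems += [f"bad tag: {t!r}" for t in tags if not TAG_RE.match(t)]
    return problems
```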

cccs-jp commented 1 year ago

Hi @Neo23x0 :) Thanks for your feedback!

We will implement your recommendations.

We already have support for `reference`; `source` is meant to be a provider or a vendor. See all the fields we implement/validate here: https://github.com/CybercentreCanada/CCCS-Yara/blob/master/CCCS_YARA.yml

Cheers

Neo23x0 commented 1 year ago

Great, thanks