CybercentreCanada / CCCS-Yara

YARA rule metadata specification and validation utility / Spécification et validation pour les règles YARA
MIT License

How to describe cases when a YARA rule has multiple hashes #69

Closed LordNoteworthy closed 1 year ago

LordNoteworthy commented 1 year ago

Hello,

Sometimes it is useful to reference more than one hash in a YARA rule; this comes up often when we have the same malware family but multiple versions.

What's the best way to do that? I saw some people just separating hashes with a ",".

cccs-jp commented 1 year ago

Yara metadata doesn't prohibit using the same key twice. We have been using:

hash = "..."
hash = "..."

The rule validation engine should not prevent that on the hash key.

Hope it helps.
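
An added example (not from the thread or the CCCS-Yara project): reading a rule's meta section so that every repeated `hash` key is kept, while also accepting the comma-separated form mentioned in the question. The rule text, the placeholder digests and the function names `parse_meta` and `rule_hashes` are constructed for illustration; it assumes one string-valued meta entry per line.

```python
import re
from collections import defaultdict

# Constructed placeholder digests (not real indicators).
H1, H2, H3 = "a" * 64, "b" * 64, "c" * 40

# Constructed sample rule: repeated `hash` keys, one of them comma-separated.
SAMPLE_RULE = f'''
rule Example_Family
{{
    meta:
        description = "constructed sample"
        hash = "{H1}"
        hash = "{H2}, {H3}"
    strings:
        $a = "example"
    condition:
        $a
}}
'''

META_LINE = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*$')
# MD5, SHA-1 or SHA-256 written as hex.
HEX_DIGEST = re.compile(r'^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$', re.I)


def parse_meta(rule_text):
    """Return {key: [values...]} so a repeated key keeps all of its values."""
    meta = defaultdict(list)
    in_meta = False
    for line in rule_text.splitlines():
        stripped = line.strip()
        if stripped == "meta:":
            in_meta = True
        elif stripped in ("strings:", "condition:", "}"):
            in_meta = False
        elif in_meta:
            m = META_LINE.match(line)
            if m:
                meta[m.group(1)].append(m.group(2))
    return dict(meta)


def rule_hashes(rule_text):
    """Collect hashes from repeated keys and from comma-separated values."""
    valid, invalid = [], []
    for value in parse_meta(rule_text).get("hash", []):
        for item in (part.strip() for part in value.split(",")):
            (valid if HEX_DIGEST.match(item) else invalid).append(item)
    return valid, invalid
```

Storing values in a list per key is the point here: loading the same meta block into a plain key-to-value mapping would keep only the last `hash` line.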

LordNoteworthy commented 1 year ago

Perfect! Thanks a lot for your quick feedback.