YARA object to include hashes of files that give both positive and negative results

[geekscrapy]

Suggestion is to have hash values included in the YARA object. This would allow correlation between malware samples and YARA rules that return true positives (and also false positives).

This would allow:

• Tracking of a files that give true positive and false positives
• Provide a mechanism for highlighting files that could be used to test new revisions of a YARA rule
• Correlation between a malware sample and a YARA rule
• As a result of correlation, this would provide a mechanism whereby users are aware of their YARA ruleset coverage against their malware samples

[adulau]

It's a good idea. I'm just wondering what's the best way to do it:

• A new dedicated object for "matching-binaries" which could be linked with a relationship to rulesets (objects or attributes) in general (YARA or others)

• Extend the current YARA object with a field SHA256 which can be multiple

[geekscrapy]

Would this new object be too much overlap with the existing file object?

Also, updating the relationships and objects would become quite messy when the YARA rule is updated.

I might say, an addition to the yara object might be best, with multiple hash types available (not just sha256).