Neo23x0 / signature-base

YARA signature and IOC database for my scanners and tools

feat: add new rule related to moveit exploitation #264

Closed (nasbench closed 1 year ago)

Neo23x0 commented 1 year ago

The problem with "LOG" rules in the public repo is that not only THOR Lite uses that repo but also LOKI and other people with their YARA scanning engines that wouldn't apply "LOG" rules in the right way. Just recently I had a problem with LOG_LibSSH_Auth_Bypass_CVE_2023_2283_Jun23_1 that caused many FPs because it matched on many different files, not just log lines in log files.

Neo23x0 commented 1 year ago

But it looks okay: [Screenshot 2023-06-14 at 08 40 23]