cuckoosandbox / community

Repository of modules and signatures contributed by the community

Scoring custom Yara-based signature #481

Closed claudioquincy closed 4 years ago

claudioquincy commented 4 years ago

To better understand the inner workings of signatures, I created the following test signature, based on Yara, that matches download functions in Office macros. The problem is that when the rule matches, a 10/10 score is assigned, whatever the severity is.

```python
from lib.cuckoo.common.abstracts import Signature


class YaraMaldocDL(Signature):
    name = "YaraMaldocDL"
    description = "Macro Downloader"
    severity = 2  # low severity; expected to produce a low score
    categories = ["script", "malware", "downloader"]
    authors = ["Just Testing"]
    minimum = "2.0.4"

    def on_yara(self, category, filepath, match):
        # Only react to the Yara rule written for this test.
        if match.name != "MacroDownStream":
            return

        # Records a family for the sample; this is the call that the
        # follow-up comment identifies as forcing the 10/10 score.
        self.mark_config({
            "family": "Macro Downloader",
        })
        return True
```

claudioquincy commented 4 years ago

Issue closed. I could not find anything in the docs, but when "family" is set, the score is automatically set to 10.