ditekshen / detection

Detection in the form of Yara, Snort and ClamAV signatures.

fix: very noisy rule #24

Closed Neo23x0 closed 6 months ago

Neo23x0 commented 7 months ago

rule causes many false positives and should be reworked / disabled

ditekshen commented 7 months ago

If Microsoft removed Equation Editor 3.0 in CVE-2018-0802 with further comments about this here, and if we encounter a document with equation editor in 2023 / 2024, do we consider it bad or normal, or am I misinterpreting this? Thoughts?

The security update addresses the vulnerability by removing Equation Editor functionality.

I honestly did not investigate if the new equation editor has the same signature or a different one or if it can be distinguished.

Neo23x0 commented 7 months ago

Oh, yes, it very much depends on the use case.

For example, if you apply this YARA rule to incoming email attachments, it is relevant (at least for recipients with outdated Microsoft Office versions).

But if you scan systems or file servers with this rule, it is of course very noisy. I need to think about this issue and how to handle that for users of my YARA Forge rule sets. I think for the time being I'm just going to disable the rule in my rule sets by giving it a very low score.

https://github.com/YARAHQ/yara-forge/pull/13/files

ditekshen commented 7 months ago

Malicious documents can be and have been delivered via channels outside the realm of email systems. A considerable chunk of that traffic is as a second stage over HTTP(S). I think I would like to know if a vulnerable condition is being delivered even if the client is not vulnerable, which can contribute as a good source of intel.

That said, I totally agree with you and I am not opposed to completely disabling the rule after some further thinking. Thanks!

Neo23x0 commented 7 months ago

delivered via channels outside the realm of email systems

I think you know that I know that. The sentence started with "for example" to indicate that everything that follows is to be regarded as an example.

The point that I tried to make is that it matters if someone applies that rule to elements in "delivery" or "at rest".

I think as I discover more examples like this, I may decide to create more specific rule sets tailored to the use case.
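The scoring approach mentioned above (keeping the rule but giving it a low score so a rule set can drop it) and the "delivery" vs "at rest" distinction can be combined in a small selection step. The following is an added example, not code from this repository or from YARA Forge; the rule set, the rule names, the score values, the default score of 50 for rules without a score meta and the per-context thresholds are all constructed assumptions.

```python
import re

# Constructed sample rule set (not the repository's own rules). The Equation Editor
# rule body is a placeholder; only its score metadata matters for this example.
SAMPLE_RULES = """
rule INDICATOR_EquationEditor_Placeholder {
    meta:
        description = "Placeholder for the noisy Equation Editor rule"
        score = 30
    strings:
        $s1 = "equation" ascii
    condition:
        $s1
}

rule INDICATOR_Generic_Placeholder {
    meta:
        description = "Placeholder rule that is acceptable in any context"
        score = 75
    strings:
        $s1 = "malware" ascii
    condition:
        $s1
}
"""

# Assumed minimum score per deployment context: at delivery (mail gateway, proxy)
# a lower-confidence rule is still useful; on systems and file servers at rest
# only higher-scored rules are kept to avoid noise.
CONTEXT_MIN_SCORE = {"delivery": 25, "at_rest": 60}

RULE_RE = re.compile(r"rule\s+(\w+)\s*(?::[^{]*)?\{(.*?)\n\}", re.S)
SCORE_RE = re.compile(r"\bscore\s*=\s*(\d+)")

def parse_rules(text):
    """Return {rule_name: score}; rules without a score meta get an assumed default of 50."""
    scores = {}
    for match in RULE_RE.finditer(text):
        name, body = match.group(1), match.group(2)
        score = SCORE_RE.search(body)
        scores[name] = int(score.group(1)) if score else 50
    return scores

def select_rules(text, context):
    """Names of the rules enabled for the given context, filtered by score threshold."""
    threshold = CONTEXT_MIN_SCORE[context]
    return sorted(name for name, score in parse_rules(text).items() if score >= threshold)

if __name__ == "__main__":
    for ctx in CONTEXT_MIN_SCORE:
        print(ctx, select_rules(SAMPLE_RULES, ctx))
```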

ditekshen commented 7 months ago

I honestly do not know. It is good to have extra information if someone stumbles upon similar conversations.

Applicability is at the discretion of the implementer. Only the implementers of the particular use case know better; it will never fit all.

That would be a good idea.