Hi everyone.
Recently I've been writing some detection rules in YARA-L for my company.
I have a rule that simply matches the following:
I always like to start with something that contextualizes the subset of data I am working with, for example metadata.event_type = "PROCESS_LAUNCH" or other process event types that likely contain a value for full_path. Alternatively, metadata.product_event_type is more specific to the tools you use, but it is a good way to quickly narrow the data set being considered and makes the rule more performant.
Even without any of that, you could also remove the not and the or statement and convert it to does-not-equal comparisons joined with and, like this:
$selection.target.process.file.full_path = /\/bin\/bash/ and
I believe that the UDM field target.ip is limited to metadata.event_type = *_NETWORK, NETWORK_*, STATUS_UPDATE or similar. Per your YARA-L rule, the UDM field target.process.file.full_path = /\/bin\/bash/ would be specific to event type 'PROCESS_LAUNCH', which means that in your rule you'll never get the target.ip field to populate. However, if it did, you could simply do:
Please note that you can simplify it by using the following:
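The two replies above make two separate points: scope the rule by metadata.event_type and replace not (a or b) with a != b and a != c, and keep in mind that target.ip is populated on network events rather than on PROCESS_LAUNCH. The following YARA-L 2.0 rule is an added example written for this thread (it is not the original poster's rule or any rule from the replies). The rule name, the 10.0.0.0/8 range and the 10-minute window are assumptions chosen for illustration; the UDM field names, event types and the net.ip_in_range_cidr function are part of YARA-L 2.0.

```yaral
rule process_launch_non_shell_then_external_connection {
  meta:
    author = "added example, not from the original thread"
    description = "Non-shell process launch followed on the same host by an outbound connection to a non-RFC1918 address"
    severity = "LOW"

  events:
    // Process event: scoped by event type first so full_path is populated
    // and the rule only touches the PROCESS_LAUNCH subset of the data.
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.hostname = $host
    // De Morgan: not (path = bash or path = sh)
    // becomes (path != bash) and (path != sh).
    $proc.target.process.file.full_path != "/bin/bash"
    $proc.target.process.file.full_path != "/bin/sh"

    // Network event: target.ip is populated here, not on PROCESS_LAUNCH,
    // so it gets its own event variable joined to the process event by host.
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.principal.hostname = $host
    $net.target.ip = $ip
    // Assumed internal range for the example; adjust to your environment.
    not net.ip_in_range_cidr($ip, "10.0.0.0/8")

  match:
    // Assumed window: both events on the same host within 10 minutes.
    $host, $ip over 10m

  condition:
    $proc and $net
}
```

If you need the regex form of the exclusion instead of exact strings, YARA-L 2.0 provides re.regex(), so the equivalent of the rewritten clause is not re.regex($proc.target.process.file.full_path, `^/bin/(bash|sh)$`); the two != lines above are the simpler choice when the paths are literal.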