Detect if a log field exists

Hi everyone. 

Recently I've been writing some detection rules in YARA-L for my company.

I have a rule that simply matches the following:

 

$selection.target.process.file.full_path = /\/bin\/bash/ and not
            (
                $selection.target.ip="127.0.0.1" or
                $selection.target.ip="0.0.0.0"
            )
 
This rule generates a lot of false positives every time the field target.ip is missing. I would like to trigger the rule only when that field exists and it's not equal to certain values.
So... how can I check the existence of a field in YARA-L?
 
Thanks

I always like to start with something that contextualizes the subset of data I am working with, for example metadata.event_type = "PROCESS_LAUNCH" or other process event types that likely contain a value for full_path. Alternatively, metadata.product_event_type is more specific to the specific tools you use but is a good way to quickly narrow the data set being considered and makes the rule more performant.

Even without any of that, you could also remove the not and the or statement and convert it to a does not equal with ands like this:

$selection.target.process.file.full_path = /\/bin\/bash/ and

$selection.target.ip != "" and
$selection.target.ip != "127.0.0.1" and
$selection.target.ip != "0.0.0.0"
 
Or, if you wanted to keep the format and style you have with using the NOT in front of the parenthesis with or separating each of the IPs, just add a target ip cannot be null before the condition that works through your listing of IPs. This way you drop all the null values and then process your other named IPs to exclude.
 
$selection.target.process.file.full_path = /\/bin\/bash/ and
$selection.target.ip != "" and not
            (
                $selection.target.ip="127.0.0.1" or
                $selection.target.ip="0.0.0.0"
            )
 
Hope that helps!

I believe that the UDM field target.ip is limited to metadata.event_type *_NETWORK, NETWORK_*, STATUS_UPDATE or similar. Per your YARA-L rule, the UDM field target.process.file.full_path = /\/bin\/bash/ would be specific to event type 'PROCESS_LAUNCH', which means that in your rule you'll never get the target.ip field to populate. However, if it did, you could simply do:

 

$selection.target.process.file.full_path = /\/bin\/bash/ 
$selection.target.ip != "" and not
            (
                $selection.target.ip="127.0.0.1" or
                $selection.target.ip="0.0.0.0"
            )

Please note that you can simplify it by using the following:

$selection.target.process.file.full_path = /\/bin\/bash/
$selection.target.ip = $ip
$ip != ""
// both exclusions must hold, so they are joined with "and" ("or" would always be true)
($ip != "127.0.0.1" and $ip != "0.0.0.0")
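Putting the two replies together, here is a complete YARA-L 2.0 rule as an added example; it is not code from either reply or from the original question. It scopes the events to one event type as the first reply suggests, rejects an empty target.ip, and joins the two IP exclusions with "and" so that both must hold. The rule name, the meta values and the assumption that target.ip is populated on PROCESS_LAUNCH events (which the second reply doubts) are mine, not the thread's.

```yaral
rule bash_launch_with_nonlocal_target_ip {
  meta:
    author = "example"
    description = "Added example: /bin/bash launch where target.ip is present and is not a loopback or unspecified address"

  events:
    // Narrow the data set first: scope to the event type that carries the process path
    // (assumption: PROCESS_LAUNCH events populate target.process.file.full_path)
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.file.full_path = /\/bin\/bash/

    // Bind target.ip to a placeholder; a missing field compares as the empty string,
    // so this line drops every event where the field is absent
    // (assumption: target.ip is populated on this event type, which the second reply doubts)
    $e.target.ip = $ip
    $ip != ""

    // Both exclusions must hold, so they are joined with "and";
    // an "or" here would be true for every non-empty value
    $ip != "127.0.0.1" and $ip != "0.0.0.0"

  condition:
    $e
}
```

Lines in the events section are implicitly ANDed, so the explicit "and" is only needed within a single line. The empty-string check sits before the IP exclusions, which mirrors the first reply's advice to drop the null values first and then process the named IPs.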