
File name and type in TagCheck rules (& YARA rules) to be used for matching #269

Closed
cccs-rs opened this issue Sep 23, 2024 Discussed in #264 · 3 comments · Fixed by CybercentreCanada/assemblyline-service-yara#122
Assignees
Labels
accepted This issue was accepted, we will work on this at some point bug Something isn't working service-tagcheck service-yara Related to YARA service

Comments

@cccs-rs
Contributor

cccs-rs commented Sep 23, 2024

Discussed in #264

Originally posted by kam193 September 19, 2024
I use the TagCheck service to mark some indicators, and this is a great feature! However, I could potentially lower the number of false positives if I could filter out given file names and types (in my use case, the file name often matters more than the type).

And here comes my question: is this already supported by TagCheck? I'm not sure whether I'm missing something: generally, TagCheck seems to get only data from the Tagging ODM models (tagcheck/tagcheck.py#L9), which, I think, do not usually contain that data. I do see a mention of e.g. file_type in the default YARA_EXTERNALS (yara_/helper.py#L13), but it looks like it is only used in the default YARA service (yara_/yara_.py#L57 - and BTW, won't they get the al_al_ prefix in yara_/yara_.py#L64?).

So, I'm unsure whether I missed anything. Is matching on the name and/or type of the submitted file already supported?

@cccs-rs cccs-rs added bug Something isn't working accepted This issue was accepted, we will work on this at some point service-yara Related to YARA service service-tagcheck labels Sep 23, 2024
@cccs-rs cccs-rs self-assigned this Sep 23, 2024
kam193 added a commit to kam193/assemblyline-service-yara that referenced this issue Oct 12, 2024
TagCheck now supports the default YARA_EXTERNALS together
with tag data. The usage of YARA_EXTERNALS was unified across
all classes. In collecting values of externals, fixed the use of
prefixed keys against the original fields, as well as attempts to
get values from __dict__, which does not contain properties

Closes CybercentreCanada/assemblyline#269
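The two defects the commit message above describes (looking externals up in `__dict__`, which never holds `@property` values, and looking them up under the already-prefixed name instead of the original field) are easy to reproduce outside the service. The block below is an added example, not code from Assemblyline's TagCheck or YARA service: `FileInfo`, the `YARA_EXTERNALS` list, the `al_` prefix convention and the sample rule are assumptions made for the illustration. It builds the externals dictionary a rule would see, contrasts the naive `__dict__` lookup with a `getattr` lookup on the unprefixed field name, and, when yara-python is installed, compiles a rule that matches on `al_file_name` and `al_file_type`.

```python
"""Collect YARA externals from a file-info object (plain attributes plus
@property values), then optionally evaluate a rule that uses them.

Example code for this issue, not Assemblyline's own implementation. All
names below (FileInfo, YARA_EXTERNALS, the "al_" prefix, the rule) are
assumptions chosen to mirror the behaviour discussed in the thread.
"""

# Assumed list of externals every rule may reference (hypothetical).
YARA_EXTERNALS = ["file_name", "file_type", "mime", "submitter"]

# Assumed prefix applied when the externals are handed to YARA (hypothetical).
PREFIX = "al_"


class FileInfo:
    """Constructed stand-in for the object a service collects externals from."""

    def __init__(self, path, file_type, mime):
        self._path = path          # stored attribute, lives in __dict__
        self.file_type = file_type  # stored attribute, lives in __dict__
        self.mime = mime

    @property
    def file_name(self):
        # Derived value: present via getattr(), absent from __dict__.
        return self._path.rsplit("/", 1)[-1]


def collect_externals_naive(obj, keys, prefix=PREFIX):
    """The pattern the commit message calls out: read from __dict__.

    Properties such as file_name are silently replaced by the default.
    """
    return {prefix + key: obj.__dict__.get(key, "") for key in keys}


def collect_externals(obj, keys, prefix=PREFIX):
    """Look up the ORIGINAL field name with getattr(), prefix only the output key.

    getattr() resolves properties as well as plain attributes; missing fields
    fall back to "" because YARA requires every declared external to have a
    value of a consistent type at compile and match time.
    """
    externals = {}
    for key in keys:
        value = getattr(obj, key, None)
        externals[prefix + key] = "" if value is None else value
    return externals


# Constructed rule that only makes sense once file name/type externals exist.
RULE = r"""
rule setup_script_named_installer
{
    meta:
        description = "python file whose name looks like an installer script"
    condition:
        al_file_type == "code/python" and
        al_file_name matches /^(setup|install)\.py$/
}
"""


def match_rule(obj, data=b"", rule=RULE):
    """Compile RULE with the collected externals and match it against data.

    Returns the list of matched rule names, or None when yara-python is not
    available (the externals logic above is still exercised without it).
    """
    try:
        import yara  # yara-python, optional dependency
    except ImportError:
        return None
    externals = collect_externals(obj, YARA_EXTERNALS)
    rules = yara.compile(source=rule, externals=externals)
    return [m.rule for m in rules.match(data=data, externals=externals)]


# Constructed sample submission used for the demonstration.
SAMPLE = FileInfo("/tmp/submissions/setup.py", "code/python", "text/x-python")

if __name__ == "__main__":
    print("naive :", collect_externals_naive(SAMPLE, YARA_EXTERNALS))
    print("fixed :", collect_externals(SAMPLE, YARA_EXTERNALS))
    print("match :", match_rule(SAMPLE, b"import os\n"))
```

Running the script shows `al_file_name` as an empty string in the naive dictionary and as `setup.py` in the fixed one; with yara-python installed the rule fires only with the fixed externals, which is exactly why a rule keyed on file name or type appears to "never match" when properties are dropped on the way in.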
@kam193

kam193 commented Oct 12, 2024

@cccs-rs I've created a PR that handles that and also fixes the use of externals; there were a few other issues in handling them as well. Would you have a second to take a look and test on your end?

@kam193

kam193 commented Oct 16, 2024

Thank you!

@cccs-rs
Contributor Author

cccs-rs commented Oct 16, 2024

No no, thank you! 🥰
