misp-objects

YARA object to include hashes of files that give both positive and negative results

Open geekscrapy opened this issue 6 years ago • 2 comments

Suggestion is to have hash values included in the YARA object. This would allow correlation between malware samples and YARA rules that return true positives (and also false positives).

This would allow:

  • Tracking of files that give true positives and false positives
  • Provide a mechanism for highlighting files that could be used to test new revisions of a YARA rule
  • Correlation between a malware sample and a YARA rule
  • As a result of correlation, this would provide a mechanism whereby users are aware of their YARA ruleset coverage against their malware samples

geekscrapy avatar Feb 28 '19 18:02 geekscrapy

It's a good idea. I'm just wondering what's the best way to do it:

  • A new dedicated object for "matching-binaries" which could be linked with a relationship to rulesets (objects or attributes) in general (YARA or others)

  • Extend the current YARA object with a field SHA256 which can be multiple

adulau avatar Apr 07 '19 20:04 adulau

Would this new object be too much overlap with the existing file object?

Also, updating the relationships and objects would become quite messy when the YARA rule is updated.

I might say, an addition to the yara object might be best, with multiple hash types available (not just sha256).

geekscrapy avatar Apr 07 '19 22:04 geekscrapy
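As an added example (not code from the misp-objects project or from anyone in this thread), a small Python model of the extended yara object discussed above: the rule plus per-type hashes of tracked true-positive and false-positive samples, with a check that flags lost detections and persisting false positives when a revised rule is re-run over those samples. The object shape, field names, the `scan` input format (sha256 -> matched) and the sample bytes are assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Hash types recorded per sample; sha256 doubles as the join key (assumption).
SUPPORTED_HASHES = ("md5", "sha1", "sha256")


@dataclass
class YaraObject:
    """Hypothetical extended MISP 'yara' object: rule text plus hashes of
    samples known to match (true positives) and samples the rule wrongly
    flagged (false positives). Each entry holds every supported hash type."""
    name: str
    rule: str
    true_positives: dict = field(default_factory=dict)   # {sha256: {type: hex}}
    false_positives: dict = field(default_factory=dict)


def hashes_of(data: bytes) -> dict:
    """Compute all supported digests of a sample so any type can be correlated."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in SUPPORTED_HASHES}


def record_sample(obj: YaraObject, data: bytes, is_true_positive: bool) -> str:
    """Attach a sample's hashes to the object; returns its sha256 key."""
    h = hashes_of(data)
    bucket = obj.true_positives if is_true_positive else obj.false_positives
    bucket[h["sha256"]] = h
    return h["sha256"]


def check_revision(obj: YaraObject, scan: dict) -> dict:
    """scan maps sha256 -> bool: did the revised rule match that tracked sample?
    Reports regressions (lost TPs), FPs that still fire, untested samples and
    the fraction of tracked samples the scan actually covered."""
    tracked = list(obj.true_positives) + list(obj.false_positives)
    lost = sorted(s for s in obj.true_positives if scan.get(s) is False)
    still_fp = sorted(s for s in obj.false_positives if scan.get(s) is True)
    untested = sorted(s for s in tracked if s not in scan)
    coverage = (len(tracked) - len(untested)) / len(tracked) if tracked else 0.0
    return {"lost_detections": lost, "persisting_false_positives": still_fp,
            "untested": untested, "coverage": coverage}


# Constructed sample bytes standing in for files; not real malware.
SAMPLE_TP = b"constructed sample the rule is meant to catch"
SAMPLE_FP = b"benign constructed sample the rule wrongly flagged"
RULE = 'rule example_rule { strings: $a = "constructed" condition: $a }'


def demo() -> dict:
    obj = YaraObject("example_rule", RULE)
    tp, fp = record_sample(obj, SAMPLE_TP, True), record_sample(obj, SAMPLE_FP, False)
    # Simulated result of re-running a revised rule: it lost the TP, fixed the FP.
    return check_revision(obj, {tp: False, fp: False})
```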