
Yara artifact should give hints for urls

Open Firstyear opened this issue 2 years ago • 6 comments

The yara artifact has an option to provide urls for yara rules. It would be useful for new users to document or provide some urls here as hints to where they may be able to access and download these rules from to aid discoverability and investigation.

Firstyear avatar Mar 20 '23 06:03 Firstyear

I'm not sure what to do about this - the yara url is basically a url a user can use to share their own yara files. It is a mechanism to allow large files to be pushed to the endpoints (e.g. by hosting in a bucket or elsewhere). It is not usually used for a public yara source (although it can be).

scudette avatar Apr 14 '23 02:04 scudette

I think I raised this after your talk at Everything Open - when I was following the tutorial, just seeing the yara rule section and that you could provide a url, I didn't know "where" I could get such a url from or where I could get these rules from. So I think what would be good is to add something like:

""" For more information about yara rules visit . There are publicly available repositories of rules at:

  • source 1
  • source 2 """

Basically, enough info and context to help a person who finds this artifact to further their knowledge about what yara is, and where they might get rules from.

Firstyear avatar Apr 14 '23 02:04 Firstyear

A different way to frame it - Imagine you have just started working with velociraptor, and you're clicking around these artefacts and you find this one about yara rules. What context on this artefact could help someone who has never before heard of a yara rule learn more about what they are and how they could use them effectively? What information could help guide them and enable them to start learning about and using this artefact successfully?

Firstyear avatar Apr 14 '23 02:04 Firstyear

The issue is most of the publicly shared repos are terrible for practical yara scanning.

Some rules will work for some use cases, others for disk only, etc. An example of some nuance with a yara set with MZ header position or PE references:

  • positional references for process scanning just don't work (although we can use the VAD artifact for this now :) )
  • where they may work, disk scanning is costly so it's rare to run a kitchen sink yara.

I have a note to share some more things around this topic though!

mgreen27 avatar Apr 14 '23 02:04 mgreen27
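To illustrate the positional-reference nuance mgreen27 describes, here is an added example that is not part of the issue thread or of the Velociraptor project: two constructed YARA rules with the same string indicator, one anchored to an MZ header at offset 0 (appropriate for on-disk PE files) and one without that anchor (usable when the scanned object is a memory region whose first bytes are not a PE header). The marker string and rule names are invented for the example.

```yara
// Constructed example, not from the issue thread or the Velociraptor project.
// Both rules look for the same (made-up) indicator; they differ only in whether
// they assume the scanned object starts with a PE header.

rule example_pe_on_disk
{
    meta:
        description = "Disk-oriented: expects an MZ header at offset 0 of the file"
        scope       = "file scanning of PE images"
    strings:
        $marker = "EXAMPLE_INDICATOR_STRING" ascii wide
    condition:
        // uint16(0) reads the first two bytes of the scanned object. On a PE file
        // on disk this is "MZ" (0x5A4D little-endian). When the scanned object is
        // a process memory region, offset 0 is whatever the region begins with,
        // so this check commonly fails even though $marker is present.
        uint16(0) == 0x5A4D and $marker
}

rule example_memory_friendly
{
    meta:
        description = "Memory-oriented: no offset-0 assumption, matches on content only"
        scope       = "process memory / VAD region scanning"
    strings:
        $marker = "EXAMPLE_INDICATOR_STRING" ascii wide
    condition:
        // Dropping the positional header check makes the rule portable to memory
        // scans, at the cost of matching any region that contains the string.
        $marker
}
```

The trade-off shown here is the one the comment points at: the anchored rule is cheaper and more precise against files, but silently misses in process scans; the unanchored rule works in both contexts but, run as a "kitchen sink" over whole disks, is more expensive and noisier.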

It sounds like this is mostly a documentation/training gap - we probably need a page on the docs site to explain the nuances and just link to it in the code?

scudette avatar Apr 14 '23 02:04 scudette

It could also be worth linking to those docs from the artefact too. Could be a good prompt in general for artefacts to have doc links anyway for more than just this context :)

Firstyear avatar Apr 16 '23 03:04 Firstyear