
Updated YARA rules do not re-alert

Open austinbyers opened this issue 8 years ago • 2 comments

All YARA matches are saved to DynamoDB, but alerts are only sent to SNS if the YARA rule name has not matched before on the given binary. There are two problems with this:

  1. Rules which are renamed or reorganized will re-trigger alerts
  2. Rules whose content changes (e.g. a different rule condition) will not re-trigger an alert

Instead of looking up based on the rule name, there should be a comparison against some kind of hash of the YARA rule contents.

austinbyers avatar Jul 25 '17 13:07 austinbyers

Unfortunately, this is going to be a bit tricky, as neither YARA nor yara-python provides access to internal rule logic, so it's currently not possible to compute a hash of rule logic.

The best solution (which would also help support the ability to lint and modify YARA rules) would be to have a full Python YARA parser.

austinbyers avatar Aug 25 '17 00:08 austinbyers

Another caveat: just because a rule was slightly modified does not necessarily mean we would want to re-alert on all previous matches. This requires some more consideration.

austinbyers avatar Jan 10 '18 20:01 austinbyers
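The two failure modes in the issue body (rename re-alerts, content change does not) and the approximation the later comments leave open can be shown side by side. The following is an added example, not BinaryAlert's own code: it keys de-duplication on a hash of the rule's normalized source text rather than on the rule name. Because yara-python does not expose compiled rule logic, hashing source text is the stand-in used here, with comments, whitespace and the rule name stripped first so that purely cosmetic edits do not re-alert. The sample rules, the in-memory "seen" sets standing in for the DynamoDB table, and the `AlertDeduper` / `demo` names are all constructed for this example.

```python
import hashlib
import re

# Constructed sample rules (not from the issue). RULE_V1 and RULE_V1_RENAMED
# differ only in name, comments and formatting; RULE_V2 changes the condition.
RULE_V1 = """
rule Sample_Rule
{
    meta:
        description = "demo rule"   // version 1
    strings:
        $s = "suspicious_marker"
    condition:
        $s
}
"""

RULE_V1_RENAMED = """
/* moved to a different file and renamed */
rule Sample_Rule_Renamed {
    meta:
        description = "demo rule"
    strings:
        $s = "suspicious_marker"
    condition:
        $s
}
"""

RULE_V2 = """
rule Sample_Rule
{
    meta:
        description = "demo rule"   // version 2: tightened condition
    strings:
        $s = "suspicious_marker"
    condition:
        $s at 0
}
"""


def normalize_rule_source(source: str) -> str:
    """Strip comments, the rule name and extra whitespace so that cosmetic
    edits do not change the hash. This is a textual approximation: a "//"
    inside a string literal would also be treated as a comment."""
    text = re.sub(r"/\*.*?\*/", "", source, flags=re.S)   # block comments
    text = re.sub(r"//[^\n]*", "", text)                   # line comments
    text = re.sub(r"\brule\s+\w+", "rule", text)           # drop the rule name
    return " ".join(text.split())                          # collapse whitespace


def rule_content_hash(source: str) -> str:
    """SHA-256 over the normalized rule text (the proposed de-dup key)."""
    return hashlib.sha256(normalize_rule_source(source).encode()).hexdigest()


class AlertDeduper:
    """Decides whether a YARA match should raise an alert. The two sets stand
    in for the per-binary match records kept in DynamoDB (assumption)."""

    def __init__(self):
        self._seen_by_name = set()
        self._seen_by_hash = set()

    def should_alert_by_name(self, binary_sha256: str, rule_name: str) -> bool:
        """Behaviour described in the issue: key on (binary, rule name)."""
        key = (binary_sha256, rule_name)
        if key in self._seen_by_name:
            return False
        self._seen_by_name.add(key)
        return True

    def should_alert_by_hash(self, binary_sha256: str, rule_source: str) -> bool:
        """Proposed behaviour: key on (binary, hash of normalized rule text)."""
        key = (binary_sha256, rule_content_hash(rule_source))
        if key in self._seen_by_hash:
            return False
        self._seen_by_hash.add(key)
        return True


def demo() -> dict:
    """Replay both failure modes from the issue and return the outcomes."""
    binary = "deadbeef" * 8  # constructed stand-in for a binary's SHA-256
    d = AlertDeduper()
    return {
        "name_first": d.should_alert_by_name(binary, "Sample_Rule"),            # True
        "name_renamed": d.should_alert_by_name(binary, "Sample_Rule_Renamed"),  # True: spurious re-alert
        "name_changed": d.should_alert_by_name(binary, "Sample_Rule"),          # False: missed re-alert
        "hash_first": d.should_alert_by_hash(binary, RULE_V1),                  # True
        "hash_renamed": d.should_alert_by_hash(binary, RULE_V1_RENAMED),        # False: rename ignored
        "hash_changed": d.should_alert_by_hash(binary, RULE_V2),                # True: logic change re-alerts
    }


if __name__ == "__main__":
    for event, alerted in demo().items():
        print(f"{event:13s} -> alert={alerted}")
```

The normalization only covers cosmetic edits; whether a substantive change to a rule's condition should re-alert on every previously matched binary is the open question in the last comment, and a policy for that (for example, re-alerting only when the match set changes) would sit on top of this key.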