Getting to Know Google SecOps: Reference List

Let's look at how we can use reference lists in our YARA-L rules in Google SecOps.


Reference lists provide a simple way to match multiple values within a single field in a rule without having to build a long OR statement. For example, if there were five IP addresses we wanted to find, writing field = value1 or field = value2 and so on would get pretty tedious. Instead, we can build a reference list, add the values of interest, and simply use the syntax UDM_field IN %list_name.

Today, we are going to use a string reference list. In future videos, we will cover the additional reference list types: regex and cidr. Follow along in the video below to see how reference lists can be used in a YARA-L rule.

We highlighted how to use a string reference list to find multiple values within a field without writing a large OR statement. The same syntax can also be used in search, and because a reference list can be reused across multiple rules, it is nice and portable. While we only covered the string reference list today, the cidr and regex options that we will explore in future videos provide additional flexibility depending upon the use case.
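As an added example that is not part of the original post, here is a YARA-L 2.0 rule that uses the syntax described above: a network-connection event matches when its destination IP appears in a string reference list. The list name suspicious_ips, the rule name and the meta values are assumptions; the commented lines at the end show the cidr and regex forms the post mentions for later videos.

```yaral
rule network_connection_to_listed_ip {
  meta:
    author = "example"
    description = "Detects outbound connections to an IP in the suspicious_ips reference list"
    severity = "MEDIUM"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"

    // Instead of $e.target.ip = "a" or $e.target.ip = "b" or ...,
    // the string reference list (assumed name: suspicious_ips) does the OR for us.
    $e.target.ip in %suspicious_ips

    // Bind the source host so the match window groups events per host.
    $e.principal.hostname = $host

  match:
    $host over 1h

  outcome:
    // Collect every listed IP the host reached within the window for triage.
    $listed_targets = array_distinct($e.target.ip)
    $event_count = count($e.metadata.id)

  condition:
    $e
}

// Equivalent checks against the other list types (assumed list names):
//   cidr list:  net.ip_in_range_cidr($e.target.ip, %suspicious_cidrs)
//   regex list: re.regex($e.target.hostname, %suspicious_hostname_patterns)
```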
