Boolean conditions & rule execution performance

Hello guys,

Let's say I have a YARA-L rule I want to tune. I have a host-based whitelist and a username-based whitelist. I don't want any alert if the user in the log is in the username-based whitelist or if the host in the log is in the host-based whitelist.

There are two ways of writing it in the events section:

[...previous detection logic...]
not $e.principal.hostname in %whitelist_hostname
not $e.principal.user.user_id in %whitelist_username

vs.

[...previous detection logic...]
not (
    $e.principal.hostname in %whitelist_hostname
    or $e.principal.user.user_id in %whitelist_username
)

Which one is the best way, in consideration of rule execution performance, to implement this logic in YARA-L?
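For readers who want to see the exclusion in context, here is a complete YARA-L 2.0 rule built around the second (grouped) variant. It is an added example, not code from the original post; the PROCESS_LAUNCH event type, the 5-minute match window and the rule name are assumptions standing in for the elided detection logic, while the two reference-list names come from the question.

```yara-l
rule process_launch_excluding_whitelisted_hosts_and_users {
  meta:
    author = "constructed example"
    description = "Process launch detection with host and user reference-list exclusions"
    severity = "MEDIUM"

  events:
    // Constructed detection logic; the original post elides its own.
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname

    // Suppress the event when EITHER the host OR the user is on a whitelist.
    // By De Morgan's law, not (A or B) is the same as (not A and not B),
    // so this grouped predicate filters exactly the same events as the two
    // separate "not ... in %list" lines of the first variant.
    not (
      $e.principal.hostname in %whitelist_hostname
      or $e.principal.user.user_id in %whitelist_username
    )

  match:
    $hostname over 5m

  condition:
    $e
}
```

Both forms are logically identical, so any difference a retrohunt shows between them is purely about how the engine evaluates the predicate, not about which events are filtered.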


Hey Chrisd2, 

I'd put them both in the same rule. Comment out the lines for one retro hunt and then comment out the other lines for another retro hunt run.


I'd time both. They both still have to check against the ref lists in play here.


However, I don't believe you will see any difference in performance.

Let me know if you find some anomaly here. Thanks! 

I'll check this week and add a comment here !

Do you know if there are any built-in tools to measure rule execution time ?

When the SIEM throttles the execution frequency for a rule, iirc a JSON element is logged and accessible through the ruleExecutionError API endpoint, but that's the only "tool" I know.

Chrisd2

I have not tried this but the Rules do support the use of the function timestamp.current_seconds(). You could capture this value before and after the whitelist is referenced into two variables and then assign a third variable the difference between the two. Do this for both types of checking and run it over time to see if the results are consistently significant. If you wanted to format the Unix integer, you could try using the function timestamp.get_timestamp.
