This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

Detect if a log field exists

Posted on 09-25-2023 11:46 AM
AThebrand
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

Hi everyone. 

Recently I'm writing some detection rules in YARA-L for my company. 

I have a rule that simply match the following: 

 

$selection.target.process.file.full_path = /\/bin\/bash/ and not
            (
                $selection.target.ip="127.0.0.1" or
                $selection.target.ip="0.0.0.0"
            )
 
This rule generates a lot of false positives every time the field target.ip is missing. I would like to trigger the rule only when that field exists and it's not equal certain values. 
So.. how can I check the existence of a field in YARA-L?
 
Thanks
1 2 2,889
Topic Labels
2 REPLIES 2
Top Solution Authors
View all