How to use data tables in YARA-L rules

I want to create a data table with users and IP subnets that have to be whitelisted from a detection rule. How can I do that? I have tried it this way, as attached, but it is not working. Can someone help me?

[two screenshot attachments]

 


To perform a row match, at least one of the values in that row match must equal a value in the list. So the user ID would need to align to something in the list, but then the CIDR does not.

I could see a row match being something like this:

$dns.principal.user.userid = %data_table.user
not net.ip_in_range_cidr($dns.principal.ip, %data_table.ip_subnet)

 

It looks like you're referencing it correctly. On the bottom left of the screen, does the table show as active in the detection? It should populate with the data table that is currently in use:

[screenshot attachment]

Alternatively, you can go to the data tables and view the "REFERENCED BY" tab.

If it is being referenced correctly, then the troubleshooting can be limited to syntax. I have also used the "not" expression for the data tables and it seems almost identical:

[screenshot attachment]
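Putting the first reply's suggestion into a complete rule, as an added example that is not from the original thread or from Google's documentation. The rule name, the data table name `user_subnets` and its columns `user` and `ip_subnet`, and the `NETWORK_DNS` event type are assumptions; the `%table.column` reference form and the `net.ip_in_range_cidr` call are the ones used in the replies above. Because both data table references point at the same table, they are evaluated against the same row, so the rule fires when a user who has a row in the table sends DNS traffic from an IP outside the subnet recorded for that user. That is the deviation the first reply describes, rather than a pure allowlist that suppresses matching rows.

```yaral
rule user_dns_from_unexpected_subnet {
  meta:
    author = "example"
    description = "User listed in the data table sends DNS traffic from outside the subnet recorded for that user (hypothetical example)"
    severity = "LOW"

  events:
    // Event type and field names are assumptions for this example.
    $dns.metadata.event_type = "NETWORK_DNS"
    $dns.principal.user.userid = $user

    // Data table "user_subnets" (assumed name) with columns
    // "user" (string) and "ip_subnet" (CIDR). Both references
    // are checked against the same row: the user must match,
    // and the source IP must fall outside that row's subnet.
    $dns.principal.user.userid = %user_subnets.user
    not net.ip_in_range_cidr($dns.principal.ip, %user_subnets.ip_subnet)

  match:
    $user over 10m

  condition:
    $dns
}
```

After saving the rule, confirm the link the second reply describes: the data table should appear as active in the detection view, and the table's "REFERENCED BY" tab should list this rule. If neither shows the reference, the problem is in how the table is named in the rule rather than in the comparison syntax.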