
Feature request, store the yara rule name #4858

Closed
debernal opened this issue Jul 11, 2019 · 6 comments

Comments

@debernal

Hi, this is a feature request.

Currently MISP is able to store the YARA rule content that was used to detect a malicious file. But there is no specific type to only store the yara rule name. This is handy when the actual YARA rule is stored somewhere else, but it is still useful to know the name of the rule that was used to detect a specific file. Based on the description of "Support Tool" category, it seems that it is the best fit for this use case, as an automatic tool detecting files would not immediately know in what phase of the attack this file was used, such as "Payload Delivery, Network Activity", etc.

In this case, would it be possible to add another type on Support Tool category called yara-rule-name, or similar? Thank you

@adulau
Member

adulau commented Jul 11, 2019

You can add a yara object in MISP. Let me know if you want an additional field with the yara rule name.

@debernal
Author

Hi adulau, yes please, I want an additional field with the yara rule name. And in this case, allow the YARA rule body to be left null if the yara rule name is set, does this make sense? thx

adulau added a commit to MISP/misp-objects that referenced this issue Jul 11, 2019
@adulau
Member

adulau commented Jul 11, 2019

Thank you for the idea. This is now in the yara object template and the object can be expressed with the yara rule or the yara rule name alone.

MISP/misp-objects@ce8d6a9

The objects are also updated in MISP and the documentation.

If you see something else missing in the object templates, don't hesitate.
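As an added example (not code from this thread, from MISP or from pymisp), the following builds the attribute list of a MISP yara object that carries the rule body, only the rule name, or both, the way the maintainer describes above; the object relations `yara` and `yara-rule-name` and the `text` type of the name attribute are assumptions to check against the installed template.

```python
import re
from typing import Optional

# Object relations assumed for the yara object template (the thread names
# "yara" and "yara-rule-name"; verify against your installed template).
RULE_RELATION = "yara"
NAME_RELATION = "yara-rule-name"

# Header of a YARA rule: optional modifiers, the keyword "rule", then the identifier.
_RULE_HEADER = re.compile(
    r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)", re.M)


def rule_name_from_body(body: str) -> Optional[str]:
    """Return the identifier of the first rule in a YARA source, or None."""
    match = _RULE_HEADER.search(body)
    return match.group(1) if match else None


def build_yara_object(rule_name: Optional[str] = None,
                      rule_body: Optional[str] = None,
                      comment: str = "") -> dict:
    """Build the JSON body of a MISP yara object.

    The rule body, the rule name, or both may be given. When only the body is
    given the name is derived from it, so the name attribute is always filled;
    giving neither is rejected, since the object would carry no information.
    """
    if rule_body is not None and rule_name is None:
        rule_name = rule_name_from_body(rule_body)
    if rule_body is None and rule_name is None:
        raise ValueError("a yara object needs the rule body or the rule name")

    attributes = []
    if rule_body is not None:
        attributes.append({"object_relation": RULE_RELATION, "type": "yara",
                           "value": rule_body, "comment": comment})
    if rule_name is not None:
        # "text" is the assumed attribute type for the rule name.
        attributes.append({"object_relation": NAME_RELATION, "type": "text",
                           "value": rule_name, "comment": comment})
    return {"name": "yara", "Attribute": attributes}


# Constructed sample: the rule itself lives in a private repository, so only
# its name is shared, which is exactly the case the feature request covers.
NAME_ONLY = build_yara_object(rule_name="Example_Dropper_Loader",
                              comment="rule kept in internal repo")
```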

@adulau adulau closed this as completed Jul 11, 2019
@debernal
Author

Thanks very much for your help adulau, should I simply update MISP to apply the new template or is it a file I can search and replace on the server?

@adulau
Member

adulau commented Jul 12, 2019

Sure, you can do the following via the CLI (or update via the Web interface):

git pull origin 2.4
git submodule update

then go to the Web interface in Global Action - List Object Templates then you can click on 'Update Objects' in the menu to update the object templates.

@debernal
Author

Thanks for your help :D, have a great day.

2 participants