All YARA matches are saved to DynamoDB, but alerts are only sent to SNS if the YARA rule name has not matched before on the given binary. There are two problems with this:
- Rules which are renamed or reorganized will re-trigger alerts
- Rules whose content changes (e.g. a different rule condition) will not re-trigger an alert
Instead of looking up based on the rule name, there should be a comparison against some kind of hash of the YARA rule contents.
Unfortunately, this is going to be a bit tricky, as neither YARA nor yara-python provides access to internal rule logic, so it's currently not possible to compute a hash of rule logic.
The best solution (which would also help support the ability to lint and modify YARA rules) would be to have a full Python YARA parser.
Another caveat: just because a rule was slightly modified does not necessarily mean we would want to re-alert on all previous matches. This requires some more consideration.
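As an added example (not BinaryAlert's code, and not the full parser the maintainer describes), the following Python sketches the hash-keyed lookup proposed in the issue. Because yara-python exposes no rule internals, it hashes the normalized rule *source text* instead: comments and whitespace outside string/regex literals are removed, the rule name and tags are excluded, and the `private`/`global` modifiers plus the rule body are kept. The DynamoDB table is replaced by an in-memory set (`MatchStore`), and the three rule-set versions and the binary hash are constructed for the demonstration; the `demo()` function replays the same binary against a renamed rule and then a changed condition, keyed by name (current behaviour) and by content hash (proposed).

```python
"""Added example: key YARA alert de-duplication on a hash of each rule's logic, not
its name. Not BinaryAlert code; it normalizes rule source text with a light scanner."""
import hashlib
import re

# A "..." string or /.../ regex literal is copied verbatim; a comment becomes a space.
_COMMENT_OR_LITERAL = re.compile(
    r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|/(?:\\.|[^/\\\n])+/', re.S)
_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"|/(?:\\.|[^/\\\n])+/')
_RULE_HEADER = re.compile(r'((?:(?:private|global)\s+)*)rule\s+(\w+)\s*(?::[^{]*)?\{')

def strip_comments(src):
    """Drop // and /* */ comments; comment markers inside literals are left alone."""
    return _COMMENT_OR_LITERAL.sub(
        lambda m: ' ' if m.group(0)[:2] in ('/*', '//') else m.group(0), src)

def _extract_body(src, start):
    """From the '{' at src[start] return (normalized body, index of the matching '}').
    Whitespace outside literals collapses to one space; literal text is kept as-is.
    Hex strings such as { 4D 5A } balance their own braces, so depth counting works."""
    out, depth, i = [], 0, start
    while i < len(src):
        lit = _LITERAL.match(src, i) if src[i] in '"/' else None
        if lit:                       # copy the whole literal in one step
            out.append(lit.group(0))
            i = lit.end()
            continue
        c = src[i]
        if c.isspace():
            if out and out[-1] != ' ':
                out.append(' ')
        else:
            out.append(c)
            depth += (c == '{') - (c == '}')
            if depth == 0:
                return ''.join(out).strip(), i
        i += 1
    raise ValueError('unbalanced braces in rule at offset %d' % start)

def iter_rules(src):
    """Yield (rule name, normalized logic) for every rule in a YARA source file."""
    src, pos = strip_comments(src), 0
    while True:
        m = _RULE_HEADER.search(src, pos)
        if not m:
            return
        body, close = _extract_body(src, m.end() - 1)
        modifiers = ' '.join(m.group(1).split())  # private/global change semantics: keep
        yield m.group(2), (modifiers + ' ' + body).strip()
        pos = close + 1

def rule_content_hashes(src):
    """Map rule name -> SHA-256 of its normalized logic: the proposed dedup key."""
    return {name: hashlib.sha256(body.encode()).hexdigest() for name, body in iter_rules(src)}

class MatchStore:
    """Stand-in for the DynamoDB table: (binary sha256, dedup key) pairs already seen."""
    def __init__(self):
        self.seen = set()

    def record(self, binary_sha256, key):
        """Return True when the pair is new, i.e. when an SNS alert should be sent."""
        if (binary_sha256, key) in self.seen:
            return False
        self.seen.add((binary_sha256, key))
        return True

# Constructed rule sets (no real detection content). V2 renames and reformats V1's
# rule without changing its logic; V3 keeps V2's name but changes the condition.
RULES_V1 = r'''
rule evil_dropper : dropper {   /* original */
    strings: $a = "evil.dll"   // dropped file name
             $b = { 4D 5A }
    condition: $a and $b
}'''
RULES_V2 = r'''
rule suspicious_dropper_v2 : dropper
{
    strings: $a = "evil.dll"  $b = { 4D 5A }
    condition: $a and $b
}'''
RULES_V3 = r'''
rule suspicious_dropper_v2 : dropper {
    strings: $a = "evil.dll"  $b = { 4D 5A }
    condition: $a or $b
}'''
BINARY_SHA256 = hashlib.sha256(b'constructed sample binary').hexdigest()

def demo(key_by_name=False):
    """Replay one binary matching each rule-set version and return the alert decisions.
    key_by_name=True reproduces the current name-keyed behaviour described in the issue."""
    store, decisions = MatchStore(), []
    for rules in (RULES_V1, RULES_V2, RULES_V3):
        [(name, rule_hash)] = rule_content_hashes(rules).items()
        decisions.append(store.record(BINARY_SHA256, name if key_by_name else rule_hash))
    return decisions

if __name__ == '__main__':
    print('hash-keyed:', demo(), 'name-keyed:', demo(key_by_name=True))
```

With the name as key the decisions are `[True, True, False]` (the rename re-alerts, the condition change is missed); with the content hash they are `[True, False, True]`. Two caveats a deployment would have to settle, matching the maintainer's point about partial rewrites: the `meta:` section sits inside the body, so a metadata-only edit also produces a new hash, and rule references are not resolved, so renaming a `private` helper changes the hash of every rule whose condition names it. The scanner is also not a YARA parser; a rule it cannot bracket raises `ValueError` rather than silently hashing the wrong text.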