mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 13:15:16 +03:00
36 lines
1.4 KiB
Markdown
36 lines
1.4 KiB
Markdown
# YARA Rule Development Standards
|
|
|
|
## Rule Naming Convention
|
|
- `Malware_Family_Variant`: For specific malware variants
|
|
- `APT_Group_Tool`: For threat actor associated tools
|
|
- `Exploit_CVE_YYYY_NNNN`: For exploit payloads
|
|
- `Technique_Name`: For generic technique detection
|
|
|
|
## Rule Quality Metrics
|
|
| Metric | Target | Description |
|
|
|--------|--------|-------------|
|
|
| True Positive Rate | >99% | Detection of known samples |
|
|
| False Positive Rate | <0.1% | Matches on clean files |
|
|
| Scan Speed | >1000 files/s | Processing performance |
|
|
| Maintenance Burden | Low | Frequency of updates needed |
|
|
|
|
## String Types Reference
|
|
| Type | Syntax | Use Case |
|
|
|------|--------|----------|
|
|
| ASCII text | `"text" ascii` | Plain text strings |
|
|
| Wide text | `"text" wide` | UTF-16LE encoded strings |
|
|
| Case-insensitive | `"text" nocase` | Variable casing |
|
|
| Hex pattern | `{ AA BB CC }` | Byte sequences |
|
|
| Wildcard hex | `{ AA ?? CC }` | Single byte wildcard |
|
|
| Jump hex | `{ AA [2-4] CC }` | Variable length gap |
|
|
| Regex | `/pattern/` | Complex pattern matching |
|
|
|
|
## MITRE ATT&CK Relevance
|
|
- T1027 - Obfuscated Files: Rules detect packed/encoded malware
|
|
- T1036 - Masquerading: Rules identify file mimicry
|
|
- T1059 - Command Interpreter: Rules detect malicious scripts
|
|
|
|
## References
|
|
- [YARA Documentation](https://yara.readthedocs.io/)
|
|
- [YARA Performance Guidelines](https://yara.readthedocs.io/en/stable/writingrules.html)
|