NextronSystems/thor-lite

rule date in matches

Closed this issue · 1 comments

ruppde commented

hi,

some rules have a modified-header, but that's not used in the output of log results RULEDATE_x, e.g. for this rule:

        date = "2021/01/09"
        modified = "2023-04-05"

... the output is:

...
REASON_2: YARA rule EXT_WEBSHELL_PHP_Function_Via_Get / Webshell which sends eval/assert via GET SUBSCORE_2: 75 REF_2: Internal Research SIGTYPE_2: internal SIGCLASS_2: YARA Rule MATCHED_2: Str1: "$_POST['productid']($_POST[" in "<?php\x0ahttp_response_code(404);\x0a@$_POST['productid']($_POST['languageID']);" at 0x20 RULEDATE_2: 2021-01-09 TAGS_2: T1505_003, VENDOR, WEBSHELL RULENAME_2: EXT_WEBSHELL_PHP_Function_Via_Get AUTHOR_2: Arnim Rupp (https://github.com/ruppde)

but getting the modified date would be more useful because that really shows which version was used.

proposal: if there is a modified-date, use it for RULEDATE_x.

regards
arnim
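The precedence proposed above (RULEDATE_x takes the `modified` meta field when present, otherwise `date`), as an added Python example that is not part of this issue or of THOR's own code. The rule text is constructed from the meta values quoted in the issue with placeholder strings/condition, and the set of accepted date spellings is an assumption.

```python
import re
from datetime import datetime
from typing import Dict, Optional

# Constructed sample rule: meta values as quoted in the issue, the
# strings/condition section is a placeholder, not the real signature.
SAMPLE_RULE = r'''
rule EXT_WEBSHELL_PHP_Function_Via_Get {
    meta:
        description = "Webshell which sends eval/assert via GET"
        author = "Arnim Rupp (https://github.com/ruppde)"
        reference = "Internal Research"
        date = "2021/01/09"
        modified = "2023-04-05"
        score = 75
    strings:
        $s1 = "$_POST['productid']($_POST["
    condition:
        $s1
}
'''

# One `key = "value"` meta line; unquoted values (score = 75) are skipped.
_META_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', re.MULTILINE)
# Assumed date spellings found across rule sets; output is always YYYY-MM-DD.
_DATE_FORMATS = ("%Y-%m-%d", "%Y/%m/%d", "%d.%m.%Y")


def parse_meta(rule_text: str) -> Dict[str, str]:
    """Return the string-valued meta fields of the first rule in rule_text."""
    block = re.search(r'meta:(.*?)(?:strings:|condition:)', rule_text, re.DOTALL)
    return dict(_META_RE.findall(block.group(1))) if block else {}


def normalize_date(value: str) -> Optional[str]:
    """Normalize a rule date to YYYY-MM-DD, or None if it is not parseable."""
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt).strftime("%Y-%m-%d")
        except ValueError:
            continue
    return None


def rule_date(meta: Dict[str, str]) -> Optional[str]:
    """Value for RULEDATE_x: 'modified' wins over 'date'; a malformed
    'modified' falls back to 'date' rather than dropping the field."""
    for key in ("modified", "date"):
        if key in meta:
            norm = normalize_date(meta[key])
            if norm:
                return norm
    return None
```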

Hi Arnim,

Thanks for the suggestion, I've made the proposed change. It will be part of the next 10.7 release.

Regards, Max