UUID for Yara Rules to uniquely identify the rule
adulau opened this issue · 3 comments
adulau commented
I was wondering if it's not possible to add a UUID to uniquely identify the rule. We are working on an open source project called CyCAT.org where we catalogue open source security resources.
RandomRhythm commented
Anything is possible, but having consistency with adding voluntary metadata across everyone writing YARA rules seems like a major challenge.
Not sure exactly what you are trying to accomplish with the UUID, but my initial thought would be to use the rule name as the UUID. Rules with the same name are most likely the same exact rule or a different version/edition of the rule. Rule names are how YARA references the rules and there cannot be duplicate rule name values when using the rules together. While there is no system to limit duplication, the rule names will likely be unique per rule set. If you need something unique per rule for tracking then hashing could be used.
Xumeiquer commented
Hi @adulau, I fully understand your idea but adding a UUID on each rule will be unmanageable. You can use the rule name as an identifier as suggested by @RandomRhythm or you can try to hash the whole .yar file so you will be the one responsible for managing those hashes without impacting on anything else.
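The two suggestions in the replies above (rule name as the identifier, hashing for per-rule tracking), sketched as an added example that is not part of the thread or of the Yara-Rules project. It derives identifiers on the catalogue side without touching the rule files. The namespace, function names and sample rules are assumptions made for illustration, and the regex-based splitter is a simplification rather than a full YARA parser.

```python
import hashlib
import re
import uuid

# Hypothetical namespace for this example; a catalogue would publish its own.
NAMESPACE = uuid.uuid5(uuid.NAMESPACE_DNS, "yara-rule-ids.example")
# Rule header at the start of a line: optional modifiers, "rule", identifier.
RULE_HEADER = re.compile(
    r"^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+(\w+)", re.MULTILINE)

def split_rules(source):
    """Yield (name, text) per rule. Simplification: assumes no line inside a
    rule (comment or otherwise) starts with 'rule <name>'."""
    headers = list(RULE_HEADER.finditer(source))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(source)
        chunk = source[m.start():end]
        # Cut at the last "}" so text before the next rule stays out of the hash.
        yield m.group(1), chunk[:chunk.rfind("}") + 1]

def normalize(text):
    """Drop indentation, blank lines and CRLF/LF differences; keep string contents."""
    return "\n".join(s for s in (l.strip() for l in text.splitlines()) if s)

def rule_ids(source):
    """Map rule name -> (UUIDv5 of the name, SHA-256 of the normalized text)."""
    ids = {}
    for name, text in split_rules(source):
        if name in ids:  # YARA also rejects duplicate names in one rule set
            raise ValueError(f"duplicate rule name: {name}")
        digest = hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()
        ids[name] = (str(uuid.uuid5(NAMESPACE, name)), digest)
    return ids

# Constructed sample rules, not taken from the Yara-Rules repository.
SAMPLE_A = '''rule Example_Dropper
{
    strings: $a = "constructed  marker"
    condition: $a
}
private rule Example_Helper { condition: filesize < 10KB }
'''
SAMPLE_B = SAMPLE_A.replace("\n", "\r\n").replace("    ", "\t")  # CRLF + tabs
SAMPLE_C = SAMPLE_A.replace("constructed  marker", "constructed marker")  # edited

if __name__ == "__main__":
    for name, (rule_uuid, digest) in rule_ids(SAMPLE_A).items():
        print(name, rule_uuid, digest[:16])
```

The name-derived UUID stays stable across editions of a rule, while the content hash changes with any edit to the rule text, so the pair separates "same rule" from "same version of the rule".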
Xumeiquer commented
no activity