Understanding YARA-L Rules

Hello! I'm working on a YARA-L detection project and need some guidance. I'm trying to create a rule to detect if the same user connects to the same domain at regular intervals. Here's what I have so far:

[Screenshot attachment: Screenshot 2024-07-01 145833.png]

I want to track the times of each connection (for example, if a user accesses Spotify 4 times within 10 minutes) and calculate the time differences between each connection. My goal is to determine if the connections happen at consistent intervals (e.g., every 2 minutes), which could indicate beaconing behavior. If the intervals aren't consistent, I want to ignore them.

After researching, I found that YARA-L doesn't support complex functions for this kind of stuff. What do you recommend as an alternative to functions? Any ideas would be greatly appreciated! 

Solved

ACCEPTED SOLUTION

Hi CyberSnacker82,

The use of metrics within Risk Analytics is probably better suited for use cases similar to this - https://cloud.google.com/chronicle/docs/detection/metrics-functions

However, the following rule logic should work. It identifies two events where the difference between their timestamps is equal to 120 seconds (2 minutes), matching on the host and domain over a 10-minute period.

rule Network_Dns_Interval_Rule_Test {
  meta:
    author = "Ayman Charkaui"
  events:
    // First DNS event: bind its timestamp (in seconds) to $First
    $First = $e1.metadata.event_timestamp.seconds
    $e1.metadata.event_type = "NETWORK_DNS"
    $e1.principal.hostname = $host
    $e1.network.dns.questions.name = $domain

    // Second DNS event from the same host for the same domain
    $Second = $e2.metadata.event_timestamp.seconds
    $e2.metadata.event_type = "NETWORK_DNS"
    $e2.principal.hostname = $host
    $e2.network.dns.questions.name = $domain

    // Require exactly 120 seconds between the two events
    $First - $Second = 120

  match:
    $host, $domain over 10m

  outcome:
    $FirstTimestamp = array_distinct($First)
    $SecondTimestamp = array_distinct($Second)

  condition:
    $e1 and $e2
}

[Screenshot attachment: AymanC_0-1719956952729.png]

This can be extended to capture, for example, four events, each occurring 120 seconds after the previous one, matching on the host and domain over a 10-minute period. The logic for this would be as follows and can be extended further. However, it is worth noting that utilising this sort of logic will likely impact the detection engine's capabilities and could result in a rule body error, or an increase in the time to generate an alert. Unfortunately, within the instance in which this testing is taking place, no events match the criteria to generate an alert, but it should work like the above example 🙂

rule Network_Dns_Interval_Rule_Test {
  meta:
    author = "Ayman Charkaui"
  events:
    // Four DNS events from the same host for the same domain,
    // each with its timestamp (in seconds) bound to a placeholder
    $First = $e1.metadata.event_timestamp.seconds
    $e1.metadata.event_type = "NETWORK_DNS"
    $e1.principal.hostname = $host
    $e1.network.dns.questions.name = $domain

    $Second = $e2.metadata.event_timestamp.seconds
    $e2.metadata.event_type = "NETWORK_DNS"
    $e2.principal.hostname = $host
    $e2.network.dns.questions.name = $domain

    $Third = $e3.metadata.event_timestamp.seconds
    $e3.metadata.event_type = "NETWORK_DNS"
    $e3.principal.hostname = $host
    $e3.network.dns.questions.name = $domain

    $Fourth = $e4.metadata.event_timestamp.seconds
    $e4.metadata.event_type = "NETWORK_DNS"
    $e4.principal.hostname = $host
    $e4.network.dns.questions.name = $domain

    // Consecutive events must be exactly 120 seconds apart
    $First - $Second = 120
    $Second - $Third = 120
    $Third - $Fourth = 120

  match:
    $host, $domain over 10m

  condition:
    $e1 and $e2 and $e3 and $e4
}

Hope this helps!

Kind Regards,

Ayman C
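As an added example (not code from the thread, from Ayman, or from Google Chronicle), here is the interval logic the two rules above encode, run offline in Python over a constructed batch of DNS events. It generalises the rules to any number of events per (host, domain) inside the 10-minute window and replaces the exact 120-second equality with a jitter tolerance (coefficient of variation of the gaps). The dictionary keys, host names, domains and timestamps are all constructed for the example and only mirror the UDM paths the rules match on.

```python
"""Interval (beaconing) check over DNS events.

Added example, not code from the thread or from Google Chronicle: same
host, same domain, evenly spaced events inside a 10-minute window,
generalised to N events and a jitter tolerance instead of an exact 120 s gap.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (not real telemetry). The keys mirror the UDM
# fields the rules match on: principal.hostname, network.dns.questions.name,
# metadata.event_timestamp.seconds.
SAMPLE_EVENTS = [
    # ws-17 -> api.example-cdn.net: exactly every 120 s, four times
    {"ts": 1719900000, "host": "ws-17", "domain": "api.example-cdn.net"},
    {"ts": 1719900120, "host": "ws-17", "domain": "api.example-cdn.net"},
    {"ts": 1719900240, "host": "ws-17", "domain": "api.example-cdn.net"},
    {"ts": 1719900360, "host": "ws-17", "domain": "api.example-cdn.net"},
    # ws-17 -> open.spotify.com: four lookups in 10 minutes, irregular gaps
    {"ts": 1719900010, "host": "ws-17", "domain": "open.spotify.com"},
    {"ts": 1719900050, "host": "ws-17", "domain": "open.spotify.com"},
    {"ts": 1719900300, "host": "ws-17", "domain": "open.spotify.com"},
    {"ts": 1719900330, "host": "ws-17", "domain": "open.spotify.com"},
    # ws-22 -> api.example-cdn.net: regular, but only two events
    {"ts": 1719900000, "host": "ws-22", "domain": "api.example-cdn.net"},
    {"ts": 1719900120, "host": "ws-22", "domain": "api.example-cdn.net"},
    # srv-03 -> updates.example.org: 118 s, 122 s, 120 s gaps (small jitter)
    {"ts": 1719900000, "host": "srv-03", "domain": "updates.example.org"},
    {"ts": 1719900118, "host": "srv-03", "domain": "updates.example.org"},
    {"ts": 1719900240, "host": "srv-03", "domain": "updates.example.org"},
    {"ts": 1719900360, "host": "srv-03", "domain": "updates.example.org"},
]


def intervals(timestamps):
    """Return the gaps in seconds between consecutive (sorted) timestamps."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def is_regular(deltas, min_events=4, max_cv=0.10):
    """True when the gaps come from at least min_events events and vary by
    at most max_cv (coefficient of variation: stdev / mean) around their mean.
    An exact 120 s cadence gives cv == 0; gaps of 118/122/120 s give ~0.014."""
    if len(deltas) < min_events - 1:
        return False
    avg = mean(deltas)
    if avg <= 0:            # duplicate timestamps only, not a cadence
        return False
    return pstdev(deltas) / avg <= max_cv


def find_beacons(events, window_seconds=600, min_events=4, max_cv=0.10):
    """Group events by (host, domain), slide a window of window_seconds over
    each group (the rules' 'over 10m'), and report the first window whose
    gaps are regular. One hit per (host, domain)."""
    by_key = defaultdict(list)
    for event in events:
        by_key[(event["host"], event["domain"])].append(event["ts"])

    hits = []
    for (host, domain), stamps in sorted(by_key.items()):
        stamps.sort()
        for i, start in enumerate(stamps):
            window = [t for t in stamps[i:] if t - start <= window_seconds]
            deltas = intervals(window)
            if is_regular(deltas, min_events, max_cv):
                hits.append({
                    "host": host,
                    "domain": domain,
                    "events": len(window),
                    "interval_s": round(mean(deltas), 1),
                    "cv": round(pstdev(deltas) / mean(deltas), 3),
                })
                break
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_EVENTS):
        print(hit)
```

Run as-is, the block reports two (host, domain) pairs: ws-17 to api.example-cdn.net (cv 0.0) and srv-03 to updates.example.org (cv 0.014). The Spotify lookups are four in ten minutes but irregularly spaced, so they are ignored, which is the behaviour the question asks for; the two-event pair on ws-22 falls below min_events. The tolerance matters because the YARA-L rules require an exact 120-second difference, so any jitter in the cadence, deliberate or from network delay, would cause them to miss; min_events and max_cv are the two knobs to tune against your own traffic.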
