bartblaze / Yara-rules

Collection of private Yara rules.


Hi there!

cccs-jp opened this issue · comments

commented

First, thanks for sharing your rules with the community!

I was wondering if you would be interested in using the CCCS Yara metadata standard for your rules metadata?
see: https://github.com/CybercentreCanada/CCCS-Yara

It would allow your rules to integrate seamlessly with Assemblyline: https://cybercentrecanada.github.io/assemblyline4_docs/

Cheers!

Hi JP - thanks for reaching out! 😄

That does indeed sound interesting - I'm familiar with AL, so would be happy to help integrate the rules.

What is the minimum amount of metadata needed for the rules? As of now I'm using my own structure, and would like to align this as much as possible with the CCCS standard.

Thanks!

commented

You can have a quick look at the fields, anything marked Optional: Yes is optional, you'll see that most fields are: see https://github.com/CybercentreCanada/CCCS-Yara/blob/master/CCCS_YARA.yml

In addition, some of the other fields are auto-generated by the CLI tool.
For Assemblyline the most important field is: category (info|exploit|technique|tool|malware).
actor_type and actor are optional but really useful for known groups; these are also used to auto-populate the MITRE information.

Let me know if you hit any roadblocks, we should be able to help!
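As an added example (not the CCCS CLI and not code from the bartblaze repository), the script below parses the `meta:` block of each rule in a constructed sample and checks the one constraint stated in the comment above: `category` must be one of info, exploit, technique, tool or malware, while `actor_type` and `actor` are optional. The rule names, the string values and the regex-based parser are assumptions for illustration only; a real check should use the CCCS tooling against CCCS_YARA.yml.

```python
import re

# Allowed values for "category", as listed in the comment above.
CATEGORIES = {"info", "exploit", "technique", "tool", "malware"}

# Constructed sample (not a rule from the repository): one rule with
# CCCS-style metadata and one whose category value is outside the set.
SAMPLE_RULES = r'''
rule Example_Good
{
    meta:
        description = "Constructed example rule"
        category = "malware"
        actor_type = "CRIMEWARE"
        actor = "Placeholder_Group"
    strings:
        $s = "example"
    condition:
        $s
}

rule Example_BadCategory
{
    meta:
        description = "Constructed example with an unsupported category"
        category = "ransomware"
    condition:
        false
}
'''

# "rule <name> [: tags] { ... }" with the closing brace on its own line.
RULE_RE = re.compile(r'rule\s+(\w+)\s*(?::[^{]*)?\{(.*?)\n\}', re.S)
# The meta block runs until the next "strings:" or "condition:" section.
META_RE = re.compile(r'meta:\s*(.*?)(?=\n\s*(?:strings|condition):)', re.S)
# Only quoted string values are handled; ints and booleans are ignored here.
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*$', re.M)


def parse_meta(rule_text):
    """Return {rule_name: {meta_key: value}} for every rule in the text."""
    result = {}
    for name, body in RULE_RE.findall(rule_text):
        meta = {}
        m = META_RE.search(body)
        if m:
            meta = dict(KV_RE.findall(m.group(1)))
        result[name] = meta
    return result


def validate_meta(meta):
    """Return a list of problems for one rule's metadata (empty if fine)."""
    problems = []
    category = meta.get("category")
    if category is None:
        problems.append("missing required field 'category'")
    elif category not in CATEGORIES:
        problems.append(
            f"category '{category}' is not one of: {', '.join(sorted(CATEGORIES))}"
        )
    # actor_type / actor are optional: no error when absent.
    return problems


def check_rules(rule_text):
    """Validate every rule in the text; map rule name -> list of problems."""
    return {name: validate_meta(meta) for name, meta in parse_meta(rule_text).items()}


if __name__ == "__main__":
    for rule_name, issues in check_rules(SAMPLE_RULES).items():
        status = "OK" if not issues else "; ".join(issues)
        print(f"{rule_name}: {status}")
```

Running the script reports `Example_Good: OK` and flags `Example_BadCategory` because "ransomware" is not an accepted category value; in the CCCS layout that detail belongs in a separate malware-type field rather than in `category`.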

commented

Would you be interested in us doing a PR with the extra metadata? If not we will convert your rules internally and we can close this. Cheers :)

Hi JP,

Apologies for the delayed reply.

Yes, a PR would be lovely! 😃

PR created!

Thanks all - squashed & merged. Appreciate it! 👍