Merge branch 'master' into new-repos

YARAHQ · Dec 22, 2024 · 52166e2 · 52166e2
2 parents 8e0d670 + 64b373f
commit 52166e2
Show file tree

Hide file tree

Showing 6 changed files with 32 additions and 4 deletions.
diff --git a/.github/workflows/run-yara-forge.yml b/.github/workflows/run-yara-forge.yml
@@ -27,6 +27,9 @@ jobs:
       uses: actions/setup-python@v3
       with:
         python-version: "3.10"
+
+    - name: Install CMake and Ninja
+      run: sudo apt-get install -y cmake ninja-build
 
     - name: Install dependencies
       run: |

diff --git a/.github/workflows/weekly-release.yml b/.github/workflows/weekly-release.yml
@@ -23,6 +23,9 @@ jobs:
       with:
         python-version: "3.10"
 
+    - name: Install CMake and Ninja
+      run: sudo apt-get install -y cmake ninja-build
+
     - name: Install dependencies
       run: |
         python -m pip install --upgrade pip

diff --git a/main/rule_collector.py b/main/rule_collector.py
@@ -101,9 +101,12 @@ def retrieve_yara_rule_sets(repo_staging_dir, yara_repos):
         walk_folder = repo_folder
         if 'path' in repo:
             walk_folder = os.path.join(repo_folder, repo['path'])
+            # Print the processed folder
+            logging.debug("Processing folder: %s", walk_folder)
 
         # Check if the path should be walked 
         recursive = True
+        # Check if the path should be walked
         if 'recursive' in repo:
             recursive = repo['recursive']
 

diff --git a/main/rule_processors.py b/main/rule_processors.py
@@ -33,6 +33,9 @@ def process_yara_rules(yara_rule_repo_sets, YARA_FORGE_CONFIG):
         # Debug output
         logging.info("Processing YARA rules from repository: %s", repo['name'])
 
+        # Keep a list of all rules to avoid duplicates
+        all_rule_names = []
+
         # Loop over the rule sets in the repository and modify the rules
         num_rules = 0
         for rules in repo['rules_sets']:
@@ -168,8 +171,11 @@ def process_yara_rules(yara_rule_repo_sets, YARA_FORGE_CONFIG):
                 # Sort the meta data values
                 rule['metadata'] = sort_meta_data_values(rule['metadata'], YARA_FORGE_CONFIG)
 
-                # We keep the rule
-                kept_rules.append(rule)
+                # We keep the rule if the rule name is not already in the list of rule names
+                if rule_name_new not in all_rule_names:
+                    # Add the rule name to the list of rule names
+                    all_rule_names.append(rule_name_new)
+                    kept_rules.append(rule)
 
             # Count the number of rules
             num_rules += len(kept_rules)

diff --git a/yara-forge-config.yml b/yara-forge-config.yml
@@ -21,7 +21,6 @@ yara_repositories:
      author: "Kevin O'Reilly"
      quality: 70
      branch: "master"
-     path: "data/yara"
    - name: "BinaryAlert"
      url: "https://github.com/airbnb/binaryalert/"
      author: "Airbnb"

diff --git a/yara-forge-custom-scoring.yml b/yara-forge-custom-scoring.yml
@@ -56,6 +56,17 @@ noisy-rules:
       quality: -50
     - name: "CAPE_Agentteslaxor"
       quality: -50
+    - name: "CAPE_UPX"
+      quality: -40
+      score: 30
+    - name: "CAPE_NSIS"
+      quality: -40
+      score: 30
+    - name: "CAPE_Syscall"
+      quality: -40
+      score: 30
+    - name: "CAPE_Sparkrat"
+      quality: -80
 
     # Elastic
     - name: "ELASTIC_Multi_EICAR_Ac8F42D6"
@@ -270,6 +281,9 @@ noisy-rules:
     - name: "MALPEDIA_Win_Unidentified_090_Auto"
       quality: -60
       score: 60
+    - name: "MALPEDIA_Win_Maze_Auto"  # $sequence_8 = { 41 41 41 41 41 41 41 }
+      quality: -100
+      score: 60
 
     # Signature Base
     - name: "SIGNATURE_BASE_Cobaltstrike_C2_Host_Indicator"
@@ -427,7 +441,7 @@ noisy-rules:
     # RussianPanda
     - name: "RUSSIANPANDA_Check_Installed_Software"
       quality: -50
-      score: 50
+      score: 45
 
     # ditekShen
     - name: "DITEKSHEN_INDICATOR_SUSPICIOUS_"