Skip to main content

Hello guys,

Let's say I have a YARA-L rule I want to tune. I have a host-based whitelist and a username-based whitelist. I don't want any alert if the user in the log is in the username-based whitelist or if the host in the log is in the host-based whitelist.

There are two ways of writing it in the events section :

[...previous detection logic...]
not $e.principal.hostname in %whitelist_hostname
not $e.principal.user.user_id in %whitelist_username

vs.

[...previous detection logic...]
not (
    $e.principal.hostname in %whitelist_hostname
    or $e.principal.user.user_id in %whitelist_username
)

Which one is the best way, in consideration of rule execution performance, to implement this logic in YARA-L ?

Hey Chrisd2, 


I’d put them both in the same rule.  Comment out the lines for one retro hunt and then comment out the other lines for another retro hunt run.  



I’d time both.   They both still have to check against the ref lists in play here.  



However, I don’t believe you will see any difference in performance.  

Let me know if you find some anomaly here. Thanks! 

I'll check this week and add a comment here !

Do you know if there are any built-in tools to measure rule execution time ?

When the SIEM throttles the execution frequency for a rule, iirc a JSON element is logged and accessible through the ruleExecutionError API endpoint, but that's the only "tool" I know.

Chrisd2


I have not tried this but the Rules do support the use of the function, timestamp.current_seconds(). You could capture this value before and after the white list is referenced into two variables and then assign a third variable the difference between the two. Do this for both types of checking and run it over time to see if the results are consistently significant. If you wanted to format the unix integer , you could try using the function timestamp.get_timestamp.


References


Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.