
Hi!

I want to generate a rule that looks for the value of 'target.ip' field in a reference list.

I have 3 reference lists:

customer1_public_IPs
customer2_public_IPs
customer3_public_IPs


In my events, in the 'target.namespace' field comes the value of the customer (customer1 or customer2 or customer3).

What I want to achieve in my rule is that depending on the value that the event has in the 'target.namespace' field, one list or another is consulted.

Something like the following:
$e.target.ip in %($e.target.namespace)_public_IPs

but that doesn't work.

The idea is to parameterize the query to the list and not to have to put a line for each customer, because if in the future there are many more, it would not be worth having to generate a line for each one of them.


What would be the right way to do it?


Thanks in advance.

Unfortunately YARA-L doesn't have a method to parameterize that reference list name. The 2 basic options for working around this are:
1: Separate lists per customer - In addition to the issues of adding new lines per customer that you have already brought up, that technique can only be expanded to 7 customers due to the maximum number of reference lists in a rule (ref: https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#reference_lists_syntax)

2: Use strings.concat to work with a single reference list as a multi column CSV - This only works with the string list type but would allow you to maintain a single reference list formatted like this:

customer1|10.0.0.1
customer2|192.168.1.100
customer3|172.16.1.1

And match against it with yara-l like this:

$CustomerTargetIP = strings.concat($e.target.namespace,"|",$e.target.ip)

$CustomerTargetIP in %Customer_IPs
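To see what the single-list workaround actually matches, here is an added Python simulation of the rule logic; it is not part of the thread and not Chronicle/YARA-L code. The list rows, the events and all function names (load_reference_list, rule_key, is_listed, matching_events) are constructed for illustration. It mirrors strings.concat with a "|" delimiter and the exact-string `in` check against a string-type list, and it shows the two things that bite in practice: the key must match character for character (casing, whitespace), and a row or namespace containing the delimiter itself makes the key ambiguous, so the loader rejects such rows.

```python
"""Simulation of the strings.concat + single reference list workaround.

Constructed example, not YARA-L: the detection engine is replaced by a
set lookup that behaves like `$key in %Customer_IPs` on a string list.
"""
from typing import Dict, List, Set

DELIM = "|"

# Constructed contents of one string-type reference list (%Customer_IPs):
# one "<namespace>|<ip>" row per allowed public IP of that customer.
CUSTOMER_IPS_LIST = """\
customer1|10.0.0.1
customer2|192.168.1.100
customer3|172.16.1.1
"""

# Constructed UDM-like events carrying only the two fields the rule reads.
EVENTS: List[Dict] = [
    {"target": {"namespace": "customer1", "ip": "10.0.0.1"}},      # listed
    {"target": {"namespace": "customer2", "ip": "10.0.0.1"}},      # customer1's IP seen under customer2: not listed
    {"target": {"namespace": "customer3", "ip": "172.16.1.1"}},    # listed
    {"target": {"namespace": "Customer1", "ip": "10.0.0.1"}},      # casing differs: exact match fails
    {"target": {"namespace": "customer1 ", "ip": "10.0.0.1"}},     # trailing space: exact match fails
    {"target": {"namespace": "customer1|10.0.0.1", "ip": ""}},     # delimiter smuggled into namespace
]


def load_reference_list(text: str) -> Set[str]:
    """Parse the list into the set of exact strings the `in` check sees.

    Blank lines are skipped and rows are stripped of surrounding whitespace.
    A row must contain exactly one delimiter; otherwise the namespace or IP
    part could itself contain "|" and the concatenated key would be ambiguous.
    """
    rows: Set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        row = raw.strip()
        if not row:
            continue
        if row.count(DELIM) != 1:
            raise ValueError(f"line {lineno}: expected exactly one {DELIM!r} in {row!r}")
        rows.add(row)
    return rows


def rule_key(event: Dict) -> str:
    """Equivalent of strings.concat($e.target.namespace, "|", $e.target.ip)."""
    target = event.get("target", {})
    return f"{target.get('namespace', '')}{DELIM}{target.get('ip', '')}"


def is_listed(event: Dict, allowed: Set[str]) -> bool:
    """Equivalent of `$CustomerTargetIP in %Customer_IPs` (exact string match)."""
    key = rule_key(event)
    # A key with more than one delimiter can only come from a field that
    # already contained "|"; refuse to treat it as a tenant/IP pair.
    if key.count(DELIM) != 1:
        return False
    return key in allowed


def matching_events(events: List[Dict], allowed: Set[str]) -> List[Dict]:
    """Events whose (namespace, ip) pair is on the shared list."""
    return [e for e in events if is_listed(e, allowed)]


if __name__ == "__main__":
    allowed = load_reference_list(CUSTOMER_IPS_LIST)
    for event in EVENTS:
        print(f"{rule_key(event)!r:32} listed={is_listed(event, allowed)}")
```

Two caveats follow from this. Because the key is a plain concatenated string, the list must be the string type and every public IP has to be enumerated; a CIDR-type list cannot be consulted through this key. And the match is exact, so the namespace value written into the list has to be the same bytes the parser puts into target.namespace; normalising the list (for example to lower case) in a build step is safer than trusting hand-edited rows.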


Your response has been very helpful.

Thank you Jeremy.

