Is it possible to use Arrays.contains with two variables in Yara-L?

In the documentation it seems that the arrays.contains function can be used like the following:

arrays.contains($asset_id_list, "id_1234")

Is it possible to use the function with two variables so I can compare the list with a value in a UDM field?

The following code snippet shows a possible use case for this scenario:

rule Example_rule_for_arrays {

  meta:
    author = "amalone"
    description = "Look for a spike in failed logins for a User account followed by a successful login from an IP address associated with a fail"
    severity = "Low"

  events:
    $fail.metadata.event_type = "USER_LOGIN"
    $fail.security_result.summary = /Failed/ nocase
    $fail.target.user.userid = $user

    $success.metadata.event_type = "USER_LOGIN"
    $success.security_result.summary = /Success/ nocase
    $success.target.user.userid = $user

    $fail.metadata.event_timestamp.seconds <= $success.metadata.event_timestamp.seconds

  match:
    $user over 2d

  outcome:
    $Total_Fails = count($fail.target.user.userid) // count of total failed logins

    $Failed_login_IPs_Count = count_distinct($fail.principal.ip) // Number of IPs with a failed login to the User
    $Failed_login_IPs_List = array_distinct($fail.principal.ip) // Unique list of IPs with a failed login for the user

    $Success_login_IPs_Count = count_distinct($success.principal.ip) // Number of IPs with a Successful login to the User
    $Success_login_IPs_List = array_distinct($success.principal.ip) // Unique list of IPs with a Successful login for the user

  condition:
    // Look for at least 30 fails over 2 days from more than 3 IP addresses.
    // QUESTION: Is there a way to say "The value of $success.principal.ip exists inside of $Failed_login_IPs_List"
    //    note: I don't want to match off of the IP as well as that will cut down on the number of failed login logs
    //
    // Want to do something like arrays.contains($Failed_login_IPs_List, $success.principal.ip) in the condition
    $fail and $success and $Failed_login_IPs_Count > 3 and $Total_Fails > 30
}
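To pin down the semantics the question is after (a successful login from an IP that appears in the per-user list of failed-login IPs, without joining the two events on IP), here is an added reference implementation in Python over constructed sample events. It is not YARA-L and not part of the original post; it assumes the rule's 2-day match window has already been applied by the caller selecting which events to pass in.

```python
from collections import defaultdict

# Constructed sample USER_LOGIN events, not real log data:
# (target.user.userid, principal.ip, security_result.summary, event_timestamp.seconds)
SAMPLE_EVENTS = (
    [("alice", f"198.51.100.{i}", "Failed password", 1000 + i) for i in range(1, 5) for _ in range(8)]
    + [("alice", "198.51.100.2", "Login success", 2000)]   # success from an IP that failed earlier
    + [("bob", f"203.0.113.{i}", "Failed password", 1000 + i) for i in range(1, 5) for _ in range(8)]
    + [("bob", "203.0.113.99", "Login success", 2000)]      # success from an IP with no failures
)


def evaluate_spray_then_success(events, min_fails=30, min_fail_ips=3):
    """Per user: the rule's outcome counters plus the wanted
    'success IP is inside the failed-IP list' check. Returns {userid: outcome}."""
    per_user = defaultdict(lambda: {"fails": 0, "fail_first_seen": {}, "successes": []})
    for user, ip, summary, ts in events:
        rec = per_user[user]
        if "fail" in summary.lower():          # /Failed/ nocase
            rec["fails"] += 1
            rec["fail_first_seen"][ip] = min(ts, rec["fail_first_seen"].get(ip, ts))
        elif "success" in summary.lower():     # /Success/ nocase
            rec["successes"].append((ip, ts))

    hits = {}
    for user, rec in per_user.items():
        failed_ips = set(rec["fail_first_seen"])   # array_distinct($fail.principal.ip)
        # The missing piece: arrays.contains($Failed_login_IPs_List, $success.principal.ip),
        # keeping the $fail <= $success ordering the rule already expresses.
        reused = sorted(ip for ip, ts in rec["successes"]
                        if ip in failed_ips and rec["fail_first_seen"][ip] <= ts)
        if rec["fails"] > min_fails and len(failed_ips) > min_fail_ips and reused:
            hits[user] = {
                "Total_Fails": rec["fails"],
                "Failed_login_IPs_Count": len(failed_ips),
                "Reused_IPs": reused,
            }
    return hits


if __name__ == "__main__":
    for user, outcome in evaluate_spray_then_success(SAMPLE_EVENTS).items():
        print(user, outcome)
```

Only alice is reported: bob has the same failure volume and IP spread, but his success comes from an IP that never failed, which is exactly the case a join on IP in the events section would also drop while additionally shrinking the failure count.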


Comments

  • What if you just tied them with the placeholders in the events? I used the hostname instead of IP because with DHCP the IP address would change in a two-day period in our environment. But you could use the IP instead. Then in my case, I went with hostnames and tried this with your rule logic.


    I also changed mine to one hour just because I am playing with your rule in my environment.


    And what are you using for log sources? We have CrowdStrike so that is the source I am thinking with on this.



  • Thanks for the follow-up! By tying the hostnames together with $successfulhostname = $failedhostname it makes it so the rule is looking for a successful login and a failed login on the same host. Moving down to the condition statement $Failed_login_Host_count greater than 3 makes the rule logic mean the following if I am correct:

    "Look for a single user where they have had a successful login and failed login on three separate devices over the course of an hour. In that same hour there should be 30 total fails across all hostnames"

    This is a useful rule but logically is a bit different from what I'm looking for above. By joining the hosts together it makes it so the User has to have a success and a fail on all 3 different hosts. What I am looking for is the capability to check if a value exists within an array. The English version from my rule logic is:

    "Look for a single user with more than 30 failed logons from 3 separate IPs where there is also a successful logon from at least one of the 3 IPs"

    This leans on one of the IPs with a successful logon existing in the array of IPs with a fail. I don't think this is doable at the moment but something like arrays.contains($Failed_Login_Ips_List, $Success.Principal.IP) would meet the requirements.

  • I am only tying the successful host login event to be from a previous failed host login event.

    The failed event has no tie to a successful event.

    This is a multievent rule. Event 1 is the login failure from a host, Event 2 is a successful login from a previously Failed host.

    We have mobile carts and devices that move around and can pull different IPs from DHCP, so for me, I need to work by hostname.

    With running the rule I am seeing hits on the expected accounts in our environment. Our scanners and so forth.

    Change my hostname to your IP and I think the logic would still hold.

  • The rule above is mainly an example in my case to try and show the functionality of looking for a UDM event inside of an array in the outcomes section. With how the rule is currently it requires a success and fail on each host. I'm wondering if it is possible to look through one of the arrays in the outcome section for a value that is inside of a UDM field. This would require calling the function with two variables as parameters which I'm not sure is allowed.

  • Gotcha. Yeah, I am not sure you can do it that way. Maybe submit a feature request?

    I guess mine would be a workaround.
