I run several rulesets using the VirusTotal "hunting" feature and I use private
YARA rules to filter out false positives. For example:
```yara
private rule isDex
{
    meta:
        description = "To filter out DEX files that fire many FPs"
    strings:
        $magicbytes = {64 65 78 0A}
    condition:
        $magicbytes at 0
}
```
I refer to this rule with a `not` statement in another rule. This works as intended: I no longer get alerted on DEX files containing the strings I match on.

But another rule, which I refer to using the `and` statement, is being ignored. I also wrote another ruleset using that rule and I get the same results: the private rule is ignored and I am alerted on files matching the `$a` string but not satisfying the `isClassified` rule:
```yara
global private rule isClassified
{
    meta:
        description = "to detect files with classification label"
    strings:
        $p1 = "internal only" ascii wide nocase fullword
        $p2 = "confidential" ascii wide nocase fullword
        $p3 = "private" ascii wide nocase fullword
        $p4 = "secret" ascii wide nocase fullword
    condition:
        any of them
}

rule DLFakeCompanyName
{
    meta:
        date = "2017-02-20"
        state = "edited 2x, testing"
        //to do: check for datasize, file format, keywords
    strings:
        $a = "fakecompanyname" nocase ascii wide fullword
    condition:
        any of them
}
```
I tried both options, `global private` and just `private`, with no difference. VT detects no syntax errors in either of the rulesets. I have never encountered this problem before, and that's why it confuses me: some private rules are accepted but others are ignored.
Is this an issue with VirusTotal (that's the only place where I use YARA rules) itself? Or am I missing something while writing the rules?
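An added example, not part of the question above, showing how a dependency on a private rule is expressed in YARA. The `private` modifier only suppresses a rule's own matches from the output; it does not make the rule a condition of anything else. A rule's `any of them` counts only the strings declared in that same rule, so to make `DLFakeCompanyName` depend on `isClassified` the condition has to name it explicitly, and the referenced rule must be defined earlier in the same file. In the ruleset as posted, the condition of `DLFakeCompanyName` is just `any of them` and never mentions `isClassified`, which is why the private rule has no effect there unless `global` is honoured. With `global`, YARA additionally requires the rule's condition to hold before any other rule in the same file can match. The rule and string names are the question's own; putting both rules in one file is an assumption.

```yara
// Added example: reference the private rule by name in the condition.
// The `private` rule is never reported on its own; it only feeds
// other rules in this file that name it.
private rule isClassified
{
    meta:
        description = "files carrying a classification label"
    strings:
        $p1 = "internal only" ascii wide nocase fullword
        $p2 = "confidential" ascii wide nocase fullword
        $p3 = "private" ascii wide nocase fullword
        $p4 = "secret" ascii wide nocase fullword
    condition:
        any of them
}

rule DLFakeCompanyName
{
    meta:
        description = "company name plus a classification label"
    strings:
        $a = "fakecompanyname" nocase ascii wide fullword
    condition:
        // `any of them` alone would only test $a; the dependency on the
        // private rule must be written into the condition explicitly.
        isClassified and $a
}
```

The same pattern applies to the exclusion case: `not isDex and $a` names the private rule, which is why the `not` variant in the question behaves as expected. If `isClassified` is instead left as `global private` with `DLFakeCompanyName` unchanged, the result depends entirely on the scanner honouring `global`, so a ruleset that must behave identically everywhere should state the dependency in the condition rather than rely on `global`.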