[bugfix] rules without score not generating alerts#47
Open
ericzinnikas wants to merge 2 commits into carbonblack:develop from
Conversation
Pull request checklist
Please check if your PR fulfills the following requirements:
Pull request type
Please check the type of change your PR introduces:
What is the ticket or issue number?
CB-41404
Pull Request Description
Per this CB Knowledge Base article and what I'm assuming is the intent of the `get_high_score` function here:

However, there is a bug in the `get_high_score` function. Since `match.meta.get("score", 0)` evaluates to `0` if "score" is unset in the rule, but "score" is set to `-1` before this loop, the condition will always evaluate to True. Thus, the following line `match.meta.get("score")` sets score to `None` and the `return 100` line is unreachable.

This has the effect of causing rules without a score set to not generate any alerts. It appears the bug was introduced in this change: 35afcac -- when the default score value was changed from `0` to `1`, the condition was not updated along with it.

While the README indicates: "Your rules must have meta section with a score = [1-10] tag to appropriately score matching binaries", this conflicts with the guidance given in the KB article, the (assumed) intent of the `get_high_score` function and the fact that CB seems to score alerts from 1-100 -- thus, I have updated the README as well.

Does this introduce a breaking change?
How Has This Been Tested?
Buggy behavior confirmed locally with test yara rules (with and without `score` values). New mock test added to simulate a rule with an empty `meta` section and thus no set "score" value. Have not yet been able to create manual rpm package to test this fix directly on a CB server.
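The failure mode described in this PR, as an added illustration that is not the project's code: a hypothetical reconstruction of the `get_high_score` pattern (initial score `-1`, a `meta.get("score", 0)` default in the comparison, and a default-less re-read), alongside a corrected variant that is assumed here to return `100` when no matched rule carries a score. `Match`, `should_alert` and the alert threshold are stand-ins constructed for the example.

```python
# Hypothetical reconstruction (not the project's code) of the score-selection
# bug described above: a default of 0 in meta.get(), an initial score of -1,
# and a re-read of meta without a default combine to yield None.

class Match:
    """Minimal stand-in for a yara match object; only .meta is used."""
    def __init__(self, meta):
        self.meta = meta

def get_high_score_buggy(matches):
    score = -1
    for match in matches:
        # For a rule with no "score" tag this reads 0 > -1, which is True ...
        if match.meta.get("score", 0) > score:
            # ... and this re-read has no default, so score becomes None.
            score = match.meta.get("score")
    if score == -1:
        return 100  # unreachable once any match has been processed
    return score

def get_high_score_fixed(matches):
    """Keep the highest score among scored rules; 100 if none carry a score
    (assumed intent, mirroring the previously unreachable `return 100`)."""
    score = -1
    for match in matches:
        rule_score = match.meta.get("score")
        if rule_score is None:
            continue          # unscored rule: do not clobber score with None
        if rule_score > score:
            score = rule_score
    return 100 if score == -1 else score

def should_alert(score, threshold=1):
    """Assumed caller pattern: a None score silently fails the threshold."""
    return score is not None and score >= threshold

if __name__ == "__main__":
    unscored = [Match({})]                       # constructed: empty meta
    print("buggy:", get_high_score_buggy(unscored), should_alert(get_high_score_buggy(unscored)))
    print("fixed:", get_high_score_fixed(unscored), should_alert(get_high_score_fixed(unscored)))
```

Note that in Python 3 the buggy variant raises `TypeError` if an unscored rule precedes a scored one, since the loop then compares an int against `None`; the single-match case above shows the silent `None` outcome the PR describes.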