YARA-L known issues and limitations

This document describes the known issues and limitations in YARA-L.

Outcome aggregations with repeated field unnesting

When a rule refers to a repeated field on an event variable and that repeated field contains more than one element, each element is unnested into a separate event row.

For example, the two IP address strings in the repeated field target.ip on event $e in the following rule are unnested into two instances of event $e, each with a different target.ip element.

rule outbound_ip_per_app {
  meta:
  events:
    $e.principal.application = $app
  match:
    $app over 10m
  outcome:
    $outbound_ip_count = count($e.target.ip) // yields 2.
  condition:
    $e
}

Event record before repeated field unnesting

The following table shows the event record before repeated field unnesting:

Event records after repeated field unnesting

The following table shows the event record after repeated field unnesting:

When a rule refers to a repeated field that is a child of another repeated field like security_results.action, unnesting happens at both the parent field level and child field level. The resulting set of instances unnest from a single event is the Cartesian product of elements in the parent field and elements in the child field. In the following example rule, event $e with two repeated values on security_results and two repeated values on security_results.actions are unnested into four instances.

rule security_action_per_app {
  meta:
  events:
    $e.principal.application = $app
  match:
    $app over 10m
  outcome:
    $security_action_count = count($e.security_results.actions) // yields 4.
  condition:
    $e
}

Event record before repeated field unnesting

The following table shows the event record before repeated field unnesting:

Event records after repeated field unnesting

The following table shows the event record after repeated field unnesting:

This unnesting behavior in rule evaluation can produce unexpected outcome aggregations when the rule references one or more repeated fields with a parent field that is also a repeated field. Non-distinct aggregations like sum(), array(), and count() cannot account for duplicate values on other fields on the same event produced by the unnesting behavior. In the following example rule, event $e has a single hostname google.com, but the outcome hostnames aggregates over unnested four instances of the same event $e, each with a duplicate principal.hostname value. This outcome yields four hostnames instead of one due to the unnesting of repeated values on security_results.actions.

rule security_action_per_app {
  meta:
  events:
    $e.principal.application = $app
  match:
    $app over 10m
  outcome:
    $hostnames = array($e.principal.hostname) // yields 4.
    $security_action_count = count($e.security_results.action) // yields 4.
  condition:
    $e
}

Event record before repeated field unnesting

The following table shows the event record before repeated field unnesting:

Event record after repeated field unnesting

The following table shows the event record after repeated field unnesting:

Workaround

Aggregations that ignore duplicate values or eliminate duplicate values are not affected by this unnesting behavior. Use the distinct version of an aggregation if you're encountering unexpected outcome values due to unnesting.

The following aggregations are not affected by the unnesting behavior described previously.

• max()
• min()
• array_distinct()
• count_distinct()

Outcome aggregations with multiple event variables

If a rule contains multiple event variables, there is a separate item in the aggregation for each combination of events that is included in the detection. For example, if the following example rule is run against the listed events:

events:
  $e1.field = $e2.field
  $e2.somefield = $ph

match:
  $ph over 1h

outcome:
   $some_outcome = sum(if($e1.otherfield = "value", 1, 0))

condition:
  $e1 and $e2

event1:
  // UDM event 1
  field="a"
  somefield="d"

event2:
  // UDM event 2
  field="b"
  somefield="d"

event3:
  // UDM event 3
  field="c"
  somefield="d"

The sum is calculated over every combination of events, enabling you to use both event variables in the outcome value calculations. The following elements are used in the calculation:

1: $e1 = event1, $e2 = event2
2: $e1 = event1, $e2 = event3
3: $e1 = event2, $e2 = event1
4: $e1 = event2, $e2 = event3
5: $e1 = event3, $e2 = event1
5: $e1 = event3, $e2 = event2

This results in a potential maximum sum of 6, even though $e2 can only correspond to 3 distinct events.

This affects sum, count, and array. For count and array, using count_distinct or array_distinct can solve the issue, but there is currently no workaround for sum.

Parentheses at the start of an expression

Using parentheses at the start of an expression triggers the following error:

parsing: error with token: ")"
invalid operator in events predicate

The following example would generate this type of error:

($event.metadata.ingested_timestamp.seconds -
$event.metadata.event_timestamp.seconds) / 3600 > 1

The following syntax variations return the same result, but with valid syntax:

$event.metadata.ingested_timestamp.seconds / 3600 -
$event.metadata.event_timestamp.seconds / 3600 > 1
    1 / 3600 * ($event.metadata.ingested_timestamp.seconds -
$event.metadata.event_timestamp.seconds) > 1
    1 < ($event.metadata.ingested_timestamp.seconds -
$event.metadata.event_timestamp.seconds) / 3600

Index array in outcome requires aggregation for single values on repeated field

Array indexing in the outcome section still requires aggregation. For example, the following does not work:

outcome:
  $principal_user_dept = $suspicious.principal.user.department[0]

However, you can save the output of the array index in a placeholder variable and use that variable in the outcome section as shown here:

events:
  $principal_user_dept = $suspicious.principal.user.department[0]

outcome:
  $principal_user_department = $principal_user_dept

OR condition with non-existence

If an OR condition is applied between two separate event variables and if the rule matches on non-existence, the rule successfully compiles, but can produce false positive detections. For example, the following rule syntax can match events having $event_a.field = "something" even though it shouldn't.

events:
     not ($event_a.field = "something" **or** $event_b.field = "something")
condition:
     $event_a and #event_b >= 0

The workaround is to separate the conditions into two blocks where each block only applies the filter to a single variable as shown here:

events:
     not ($event_a.field = "something")
     not ($event_b.field = "something")
condition:
     $event_a and #event_b >= 0

Arithmetic with unsigned event fields

If you try to use an integer constant in an arithmetic operation with a UDM field whose type is an unsigned integer, you will get an error. For example:

events:
  $total_bytes = $e.network.received_bytes * 2

The field udm.network.received_bytes is an unsigned integer. This happens due to integer constants defaulting to signed integers, which don't work with unsigned integers in arithmetic operations.

The workaround is to force the integer constant to a float which will then work with the unsigned integer. For example:

events:
  $total_bytes = $e.network.received_bytes * (2/1)