Add false-positive flag to YARA test sample hashes

adulau · adulau · commit cc0943360326 · 2026-04-11T10:43:44.000+02:00
diff --git a/objects/yara/definition.json b/objects/yara/definition.json
@@ -17,11 +17,50 @@
       ],
       "ui-priority": 0
     },
+    "false-positive": {
+      "description": "Set to true if the related test sample is a false-positive hit for this YARA rule. If omitted, samples are treated as true-positive by default.",
+      "disable_correlation": true,
+      "misp-attribute": "boolean",
+      "sane_default": [
+        "false"
+      ],
+      "ui-priority": 0
+    },
+    "md5": {
+      "description": "MD5 hash of a file observed when testing the YARA rule (true positives or false positives).",
+      "misp-attribute": "md5",
+      "ui-priority": 0
+    },
     "reference": {
       "description": "Reference or origin of the YARA rule.",
       "misp-attribute": "link",
       "ui-priority": 0
     },
+    "sha1": {
+      "description": "SHA1 hash of a file observed when testing the YARA rule (true positives or false positives).",
+      "misp-attribute": "sha1",
+      "ui-priority": 0
+    },
+    "sha256": {
+      "description": "SHA256 hash of a file observed when testing the YARA rule (true positives or false positives).",
+      "misp-attribute": "sha256",
+      "ui-priority": 0
+    },
+    "sha512": {
+      "description": "SHA512 hash of a file observed when testing the YARA rule (true positives or false positives).",
+      "misp-attribute": "sha512",
+      "ui-priority": 0
+    },
+    "ssdeep": {
+      "description": "SSDEEP hash of a file observed when testing the YARA rule (true positives or false positives).",
+      "misp-attribute": "ssdeep",
+      "ui-priority": 0
+    },
+    "tlsh": {
+      "description": "TLSH hash of a file observed when testing the YARA rule (true positives or false positives).",
+      "misp-attribute": "tlsh",
+      "ui-priority": 0
+    },
     "version": {
       "description": "Version of the YARA rule depending where the yara rule is known to work as expected.",
       "disable_correlation": true,
@@ -42,13 +81,13 @@
       "ui-priority": 1
     }
   },
-  "description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
+  "description": "An object describing a YARA rule (or a YARA rule name), its supported YARA version, and optional test-sample hashes. Test samples are true-positive by default; set false-positive=true when needed.",
   "meta-category": "misc",
   "name": "yara",
   "requiredOneOf": [
     "yara",
     "yara-rule-name"
   ],
   "uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
-  "version": 7
-}
+  "version": 9
+}
