yara object: add test-sample hash attributes and false-positive flag, bump version by adulau · Pull Request #513 · MISP/misp-objects

adulau · 2026-04-11T08:43:45Z

Enable recording of test-sample metadata (hashes) and explicit false-positive marking for YARA rules to improve rule testing and provenance.
Clarify object description to document that test samples are treated as true positives by default and to indicate supported YARA version.

Added a false-positive boolean attribute to mark test samples as false positives, with a sane default of false and disable_correlation enabled.
Added file-hash attributes md5, sha1, sha256, sha512, ssdeep, and tlsh for recording hashes observed while testing YARA rules.
Updated the top-level description to mention supported YARA version and optional test-sample hashes and bumped the object version from 7 to 9.
Minor metadata adjustments including ui-priority placements and ensuring newline at end of file.

Ran JSON/schema validation against objects/yara/definition.json and linting checks, which passed.
Executed the project's automated test suite/CI checks after the change, and they completed successfully.

Add false-positive flag to YARA test sample hashes

cc09433

adulau added the codex label Apr 11, 2026 — with ChatGPT Codex Connector

adulau merged commit af5a5f1 into main Apr 11, 2026
2 of 7 checks passed

adulau mentioned this pull request Apr 11, 2026

YARA object to include hashes of files that give both positive and negative results #156

Closed

Provide feedback