Detection rules triggering on internal IPs within 192.0.2.0/8 can cause false positives. Which YARA-L condition should you use to fix this?


Multiple Choice

Detection rules triggering on internal IPs within 192.0.2.0/8 can cause false positives. Which YARA-L condition should you use to fix this?

Explanation:

To avoid false positives from internal addresses, your rule should fire only when none of the subject’s IPs fall into the internal CIDR. In YARA-L, net.ip_in_range_cidr with a quantifier tests whether IPs match a CIDR, and you can choose any or all to shape the check.

Using not net.ip_in_range_cidr(any $e.principal.ip, "192.0.2.0/8") means: check if any of the subject’s IPs are in the 192.0.2.0/8 range, and then invert the result. If no IP is in that range, the condition passes; if any IP is internal, the condition fails. This properly excludes internal addresses and prevents those from triggering the rule.

Why the other forms aren’t as suitable: requiring all IPs to be in the internal range would be overly strict and could miss cases where only some IPs are internal, still leading to false positives. Negating the any form directly matches the goal of preventing the rule from firing whenever an internal IP is present, because it ensures that none of the IPs belong to that internal block.
