fix: unused selection and increase filename size

rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_cli_args.yml

@@ -12,7 +12,7 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection_cli:
+    selection:
         # This CLI regex is based on the following description from the report:
         #   The jpsetup.exe installer requires two arguments to be passed via the command line for execution
         #   The first argument is a wide character string hashed with SHA-256 twice -> We assume that the first argument is of length SHA256

rules-emerging-threats/2023/Malware/SNAKE/proc_creation_win_malware_snake_installer_exec.yml

@@ -15,13 +15,16 @@ detection:
     Image|endswith:
         - '\jpsetup.exe'
         - '\jpinst.exe'
-    filter_main_cli:
+    filter_main_cli_name:
         CommandLine:
-            - ''
             - 'jpinst.exe'
             - 'jpinst'
             - 'jpsetup.exe'
             - 'jpsetup'
+    filter_main_cli_empty:
+        CommandLine: ''
+    filter_main_cli_null:
+        CommandLine: null
     condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unlikely

tests/test_rules.py

@@ -756,7 +756,7 @@ def test_references_plural(self):
     def test_file_names(self):
         faulty_rules = []
         name_lst = []
-        filename_pattern = re.compile(r'[a-z0-9_]{10,80}\.yml')
+        filename_pattern = re.compile(r'[a-z0-9_]{10,90}\.yml')
         for file in self.yield_next_rule_file_path(self.path_to_rules):
             filename = os.path.basename(file)
             if filename in name_lst:
@@ -766,9 +766,9 @@ def test_file_names(self):
                 print(Fore.YELLOW +
                       "Rule {} has a invalid extension (.yml).".format(file))
                 faulty_rules.append(file)
-            elif len(filename) > 74:
+            elif len(filename) > 90:
                 print(Fore.YELLOW +
-                      "Rule {} has a file name too long >70.".format(file))
+                      "Rule {} has a file name too long >90.".format(file))
                 faulty_rules.append(file)
             elif len(filename) < 14:
                 print(Fore.YELLOW +
@@ -922,7 +922,7 @@ def test_file_names(self):
             name_lst.append(filename)
 
         self.assertEqual(faulty_rules, [], Fore.RED +
-                         r'There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is \'[a-z0-9_]{10,70}\.yml\' and it has to contain at least an underline character. It also has to follow the following naming convention https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/Sigmahq_filename_rule.md')
+                         r'There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is \'[a-z0-9_]{10,80}\.yml\' and it has to contain at least an underline character. It also has to follow the following naming convention https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/Sigmahq_filename_rule.md')
 
     def test_title(self):
         faulty_rules = []