Observation: Inconsistent and overlapping YARA meta field usage #74
Open
Description
While analyzing yara-forge rules from a tooling / automation perspective, I noticed that meta fields are highly inconsistent across the repository.
Some observations:
- Case differences: Author vs author, TLP vs tlp
- Overlapping semantics: Description / description / descripton
- Hash-related fields: hash1…hash31, md5_1, SHA256_1, hash1_sha256, etc.
As a result, it’s difficult to reliably consume meta information in automated pipelines (validation, packaging, enrichment).
Observations
Source:
- Artifact: yara-forge-rules-full.zip
- SHA256: db896311f7febe2014bd3a7253156adf9785fef8c99d2a361d220d6fc36e2570
The purpose of this issue is to document the current state of meta field usage across the repository and to provide a concrete, reproducible reference.
The collected meta keys show a wide range of variation, including:
- Differences in letter casing (e.g. Author vs author, TLP vs tlp)
- Mixed naming conventions (camelCase, snake_case, capitalized, ad-hoc)
- Overlapping or duplicated semantics (e.g. description, detection name, version)
- A large number of hash-related fields using indexed or custom naming patterns
{'Author',
'Confidence',
'Contact',
'DaysofYARA',
'Description',
'DetectionName',
'Hash1',
'Hash2',
'Hash3',
'Hash4',
'Info',
'License',
'MD5_1',
'MD5_2',
'MD5_3',
'MD5_4',
'MD5_5',
'Priority',
'Rule_Version',
'SHA256_1',
'SHA256_2',
'TLP',
'Version',
'Versions',
'activity_group',
'actor',
'actor_group',
'actor_type',
'adversary',
'affected_versions',
'arch_context',
'assoc_report',
'author',
'cape_options',
'cape_type',
'category',
'clamav',
'clamav1',
'clamav2',
'clamav_sig',
'clamav_sig1',
'clamav_sig2',
'clamav_sig3',
'classification',
'cnc_domain',
'cnc_ip',
'comment',
'company',
'confidence',
'confidential',
'contact',
'context',
'date',
'date_modified',
'description',
'descripton',
'detection_name',
'disclaimer',
'exemplar_hashes',
'exploit',
'family',
'filetype',
'hash',
'hash0',
'hash1',
'hash10',
'hash11',
'hash12',
'hash13',
'hash14',
'hash15',
'hash16',
'hash17',
'hash18',
'hash19',
'hash1_md5',
'hash1_sha1',
'hash1_sha256',
'hash1_upx',
'hash2',
'hash20',
'hash21',
'hash22',
'hash23',
'hash24',
'hash25',
'hash26',
'hash27',
'hash28',
'hash29',
'hash2_md5',
'hash2_sha1',
'hash2_sha256',
'hash3',
'hash30',
'hash31',
'hash4',
'hash5',
'hash6',
'hash7',
'hash8',
'hash9',
'hash_1',
'hash_2',
'hash_3',
'hash_4',
'hash_5',
'hash_6',
'hash_7',
'hash_8',
'hash_9',
'hash_exe1',
'hash_exe2',
'hash_iso1',
'hash_iso2',
'hash_packed',
'hash_unpacked',
'hasha',
'hashb',
'hashc',
'hashs',
'id',
'importance',
'in_memory',
'incident',
'level',
'license',
'license_url',
'limit',
'logic_hash',
'malfamily',
'malpedia_family',
'malpedia_hash',
'malpedia_license',
'malpedia_rule_date',
'malpedia_sharing',
'malpedia_version',
'maltype',
'malware',
'malware_family',
'malware_type',
'md5_1',
'md5_2',
'md5_3',
'md5_4',
'md5_5',
'md5_6',
'memory_suitable',
'mitigation0',
'mitigation1',
'mitre_attack',
'modification_date',
'modified',
'name',
'noarchivescan',
'nodeepdive',
'note',
'old_rule_name',
'operation',
'orig_id',
'original_filename',
'oriority',
'os',
'os_arch',
'packed',
'pap',
'parent_hash',
'quality',
'reason',
'reference',
'reference1',
'reference_1',
'reference_2',
'reliability',
'report1',
'report2',
'rev',
'rs2',
'rule_id',
'rule_matching_tlp',
'rule_sharing_tlp',
'rule_type',
'rule_usage',
'rule_version',
'sample_filtype',
'sample_md5',
'sample_sha1',
'scan_context',
'score',
'severity',
'sha2',
'sharing',
'signator_config',
'snort',
'snort2_sid',
'snort3_sid',
'snort_sid',
'source_url',
'status',
'super_rule',
'tags',
'tc_detection_factor',
'tc_detection_name',
'tc_detection_type',
'threat_level',
'threat_name',
'thumbprint',
'thumbprint1',
'thumbprint2',
'thumbprint3',
'thumbprint4',
'tlp',
'tool',
'tool_author',
'true_positive',
'type',
'unpacked',
'unpacked_sample_sha1',
'vendor',
'ver',
'version',
'victims',
'vuln_impact',
'vuln_type',
'weaponization',
'weight',
'xor_s1',
'xor_s2',
'xor_s3',
'yara_version',
'yaraexchange',
'yarahub_reference_md5',
'yarahub_uuid'}
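To make the "tooling / automation" problem concrete, here is an added example (my own code, not from the issue author or from yara-forge) that extracts meta keys from a set of rules, reports case-only collisions such as Author/author, and folds the indexed hash keys into one normalized list. The two rules are constructed for this example and are not yara-forge rules; the typo alias table (descripton, oriority, sample_filtype) and the hash-key pattern are my assumptions about what a normalizer should treat as equivalent.

```python
import re
from collections import defaultdict

# Constructed sample rules (not from yara-forge) reproducing the variation the
# issue describes: mixed casing, a typo'd key and several hash-key spellings.
SAMPLE_RULES = r'''
rule Sample_A {
    meta:
        Author = "alice"
        Description = "first sample"
        TLP = "white"
        hash1 = "d41d8cd98f00b204e9800998ecf8427e"
        hash2 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    strings:
        $a = "foo"
    condition:
        $a
}

rule Sample_B {
    meta:
        author = "bob"
        descripton = "second sample"
        tlp = "amber"
        md5_1 = "9e107d9d372bb6826bd81d3542a419d6"
        hash1_sha256 = "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae"
        score = 70
        in_memory = true
    condition:
        filesize < 1MB
}
'''

# Rule header plus an optional meta block, which ends at the next
# "strings:" / "condition:" line. Deliberately minimal: a quoted meta value
# containing such a line on its own would cut the block short, so use a real
# parser (e.g. plyara) for untrusted input.
RULE_RE = re.compile(
    r'\brule\s+(?P<name>[A-Za-z_]\w*)[^{]*\{'
    r'(?:\s*meta\s*:(?P<meta>.*?))?'
    r'(?=\n\s*(?:strings|condition)\s*:)',
    re.S,
)
# One meta entry: key = "string" | true | false | integer
META_ENTRY_RE = re.compile(
    r'^\s*(?P<key>[A-Za-z_]\w*)\s*=\s*'
    r'(?:"(?P<str>(?:[^"\\]|\\.)*)"|(?P<bool>true|false)|(?P<int>-?\d+))',
    re.M,
)
# Assumed: keys that only carry a hash (hash1, hash_2, md5_1, SHA256_1,
# hash1_sha256, hashs, sha2 ...). Custom ones like hash_packed or
# malpedia_hash are left untouched because their meaning differs.
HASH_KEY_RE = re.compile(
    r'^(?:hash|md5|sha1|sha256|sha2)s?_?\d*(?:_(?:md5|sha1|sha256))?$', re.I)
# Assumed typo aliases, taken from spellings seen in the key dump above.
KEY_ALIASES = {'descripton': 'description', 'oriority': 'priority',
               'sample_filtype': 'sample_filetype'}
HEX_LEN_TO_ALGO = {32: 'md5', 40: 'sha1', 64: 'sha256'}


def extract_meta(text):
    """Return [(rule_name, [(key, value), ...])]; keys may repeat in YARA,
    so a list of pairs is kept instead of a dict."""
    rules = []
    for m in RULE_RE.finditer(text):
        pairs = []
        for e in META_ENTRY_RE.finditer(m.group('meta') or ''):
            if e.group('str') is not None:
                value = e.group('str')
            elif e.group('bool') is not None:
                value = e.group('bool') == 'true'
            else:
                value = int(e.group('int'))
            pairs.append((e.group('key'), value))
        rules.append((m.group('name'), pairs))
    return rules


def all_keys(rules):
    return {k for _, pairs in rules for k, _ in pairs}


def case_collisions(keys):
    """lowercase key -> sorted spellings, only where more than one exists."""
    groups = defaultdict(set)
    for k in keys:
        groups[k.lower()].add(k)
    return {base: sorted(v) for base, v in groups.items() if len(v) > 1}


def hash_algo(value):
    """Guess the algorithm from the value, not the key: 'hash1' may hold
    any digest, and a wrong key suffix is as common as a wrong key name."""
    if isinstance(value, str) and re.fullmatch(r'[0-9a-fA-F]+', value):
        return HEX_LEN_TO_ALGO.get(len(value))
    return None


def normalize_meta(pairs):
    """Canonical shape for a pipeline: lowercase keys, aliases applied,
    every hash-style key folded into one 'hashes' list. On duplicate
    non-hash keys the first occurrence wins."""
    out = {'hashes': []}
    for key, value in pairs:
        k = KEY_ALIASES.get(key.lower(), key.lower())
        if HASH_KEY_RE.match(k):
            out['hashes'].append({'algo': hash_algo(value), 'value': value})
        else:
            out.setdefault(k, value)
    return out


if __name__ == '__main__':
    parsed = extract_meta(SAMPLE_RULES)
    print('case collisions:', case_collisions(all_keys(parsed)))
    for name, pairs in parsed:
        print(name, normalize_meta(pairs))
```

Run it against an unpacked yara-forge-rules-full.zip by reading each .yar file into `extract_meta`; the `case_collisions` output is the list of keys a contributor guideline would need to pick one spelling for, and `normalize_meta` is what a packaging step can emit instead of the raw key set.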