YAIRA rules
Published attack-pattern definitions and their corpus coverage.

| Rule | Name | Severity | Action | Examples |
|---|---|---|---|---|
| AIRA-001 | web_fetch then risky exec | high | block | 5 benign / 5 attack |
| AIRA-002 | web_fetch then write review | medium | review | 5 benign / 5 attack |
| AIRA-010 | pending shell exec | medium | review | 38 benign / 9 attack |
| AIRA-020 | exec curl or bash | high | block | 0 benign / 1 attack |
| AIRA-030 | write etc path | critical | block | 5 benign / 5 attack |
| AIRA-031 | web_fetch then sensitive write | critical | block | 5 benign / 5 attack |
| AIRA-032 | write ssh path | critical | block | 5 benign / 5 attack |
| AIRA-040 | web_search then write review | low | review | 7 benign / 7 attack |
| AIRA-050 | write agent context path review | medium | review | 5 benign / 5 attack |
| AIRA-051 | ingest then memory write review | medium | review | 5 benign / 5 attack |
| AIRA-052 | read secrets then outbound exec review | high | review | 6 benign / 5 attack |
| AIRA-053 | read secrets then outbound message review | high | review | 6 benign / 6 attack |
| AIRA-054 | exec supply chain install block | high | block | 0 benign / 3 attack |
| AIRA-055 | exec obfuscated remote shell block | high | block | 0 benign / 4 attack |
| AIRA-056 | search then memory write review | medium | review | 5 benign / 5 attack |
| AIRA-057 | read then memory write review | medium | review | 5 benign / 5 attack |
| AIRA-058 | web_fetch then exec (chain review) | medium | review | 5 benign / 5 attack |
| AIRA-059 | exec credential probe or process kill | high | review | 0 benign / 0 attack |