[MDS] Management - Policy Settings (YARA Rules)
1. Summary
Set the policy that identifies malware by matching malicious file or process signatures with YARA, Google's open source tool for helping malware researchers identify and classify malware samples.
2. Menu tree
3. Contents
1) Add YARA Rule
A YARA rule is made up of named strings (the signature patterns to look for) and a condition that decides when the rule matches. There are three types of strings in a YARA rule: hexadecimal strings, text strings and regular expressions. The condition section contains a boolean expression. The rule prototype is as follows:

    rule [YARA Rule Name]
    {
        strings:
            [Strings]
        condition:
            [Condition]
    }

- Strings
  - Text string: ASCII-encoded, case-sensitive text enclosed in " ". (To make the string case-insensitive, use the nocase modifier.)
  - Hexadecimal string: hexadecimal bytes enclosed in { }.
  - Regular expression: a regular expression enclosed in / /.
- Condition
  This section must contain a boolean expression. It can contain the following C language operators:
  - and, or, not, >=, <=, >, <, ==, !=, +, -, *, \, &, /, <<, >>, ~
  To apply the same condition to multiple strings, use the following operators:
  - all of them: all strings
  - any of them: at least one string
  - all of ($a*): all strings whose identifier starts with $a
  - any of ($a, $b, $c): at least one of $a, $b or $c
- Example of a YARA rule

    rule yara001                        // YARA rule name
    {
        meta:                           // YARA rule's metadata. Does not affect signature pattern matching.
            version = "1.0"
            author = "author"
            description = "yara test"
        strings:
            $string1 = "shutdown -r -t 0"   // String: text
            $hex1 = { E2 00 [4-8] 34 FA }   // String: hexadecimal
            $re1 = /[0-9a-z]{24}/           // String: regular expression
        condition:
            all of them                     // Condition: apply to all strings
    }
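To make the three string types and the "of" conditions above concrete, the following is an added example, not code from the MDS product or from the YARA project: a small Python matcher for just the subset of YARA syntax this page describes. It translates each string type into a bytes regular expression (a hexadecimal jump [n-m] becomes .{n,m}, ?? becomes a single-byte wildcard, nocase becomes a case-insensitive flag) and then evaluates the all of / any of forms, including the ($a*) prefix form, against sample buffers. The two rules, the sample buffers and all function names (hex_to_regex, parse_rule, evaluate, scan) are constructed for this example; real YARA also tracks match offsets, counts and many more condition forms that this matcher does not attempt.

```python
import re

# Constructed sample rules (not the product's own files): the first mirrors the page's
# example rule, the second exercises nocase, the ?? wildcard and "any of ($a*)".
RULE_ALL = r'''
rule yara001
{
    meta:
        description = "yara test"   // metadata is ignored by the matcher
    strings:
        $string1 = "shutdown -r -t 0"      // text string
        $hex1 = { E2 00 [4-8] 34 FA }      // hex string with a 4-8 byte jump
        $re1 = /[0-9a-z]{24}/              // regular expression
    condition:
        all of them
}
'''

RULE_ANY = r'''
rule yara002
{
    strings:
        $a1 = "PowerShell" nocase
        $a2 = { 4D 5A ?? ?? 00 }
        $b1 = /cmd\.exe/
    condition:
        any of ($a*)
}
'''

def hex_to_regex(body):
    """Translate a YARA hex string body ('E2 00 [4-8] 34 FA') into a bytes regex.
    Handles literal bytes, '??' wildcards and [n-m] jumps only."""
    parts = []
    for tok in body.split():
        if tok == "??":
            parts.append(b".")
        elif tok.startswith("["):
            lo, hi = tok.strip("[]").split("-")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))
    return b"".join(parts)

STRING_DEF = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?)\s*$")

def parse_rule(text):
    """Return (rule name, {identifier: compiled bytes regex}, condition text)."""
    name = re.search(r"\brule\s+(\w+)", text).group(1)
    strings_block, _, rest = text.partition("strings:")[2].partition("condition:")
    condition = rest.split("}")[0].strip()
    patterns = {}
    for line in strings_block.splitlines():
        line = re.sub(r"\s+//.*$", "", line)              # drop trailing // comments
        m = STRING_DEF.match(line)
        if not m:
            continue
        ident, value = m.groups()
        if value.startswith('"'):                          # text string, optional nocase
            literal, _, modifiers = value[1:].partition('"')
            flags = re.IGNORECASE if "nocase" in modifiers.split() else 0
            patterns[ident] = re.compile(re.escape(literal.encode()), flags)
        elif value.startswith("{"):                        # hexadecimal string
            patterns[ident] = re.compile(hex_to_regex(value.strip("{}")), re.DOTALL)
        elif value.startswith("/"):                        # regular expression
            patterns[ident] = re.compile(value[1:value.rindex("/")].encode())
    return name, patterns, condition

def evaluate(condition, hits):
    """Evaluate the 'of' forms from the page: all/any of them, all/any of ($a*), any of ($a, $b)."""
    m = re.fullmatch(r"(all|any) of (?:them|\((.*)\))", condition)
    if not m:
        raise ValueError("condition form not handled by this example: %r" % condition)
    quant, inner = m.groups()
    if inner is None:
        selected = list(hits)
    else:
        selected = []
        for spec in (s.strip() for s in inner.split(",")):
            if spec.endswith("*"):                         # prefix form such as $a*
                selected += [i for i in hits if i.startswith(spec[:-1])]
            else:
                selected.append(spec)
    results = [hits.get(i, False) for i in selected]
    return all(results) if quant == "all" else any(results)

def scan(rule_text, data):
    """Apply one rule to a byte buffer; returns (rule name, matched, per-string hits)."""
    name, patterns, condition = parse_rule(rule_text)
    hits = {ident: pat.search(data) is not None for ident, pat in patterns.items()}
    return name, evaluate(condition, hits), hits

# Constructed sample buffers (not real malware): DATA_HIT satisfies every string of
# RULE_ALL; DATA_MISS puts 10 bytes inside the jump, outside the [4-8] range.
DATA_HIT = (b"MZ\x90\x00\x00shutdown -r -t 0\x00"
            + b"\xe2\x00\x01\x02\x03\x04\x05\x34\xfa"
            + b"abcdef0123456789abcdef01")
DATA_MISS = DATA_HIT.replace(b"\x01\x02\x03\x04\x05", b"\x01" * 10)

if __name__ == "__main__":
    for rule, data in ((RULE_ALL, DATA_HIT), (RULE_ALL, DATA_MISS), (RULE_ANY, b"cmd.exe /c dir")):
        print(scan(rule, data))
```

The per-string hit map returned by scan is the useful part when tuning a rule: DATA_MISS shows $string1 and $re1 still matching while only the jump-bounded $hex1 fails, which is exactly the information needed to decide whether a [n-m] range is too tight.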
※ You can add up to 4,096 YARA rule files.
※ Each file must be 10 MB or less.
※ To save all of the added files to your local PC, click Export and select Export all files.