Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Herman
Contributor

Yara signatures usage

Hello anybody,

I want to configure YARA signatures for simple PDF detections in my lab environment (R81.10 GW and SMS) using sk123156.
As said in sk I enabled feature: 

tecli advanced yara set status 1


Created simple yar rule in $FWDIR/conf/yara/custom_rules/:

rule PDF_detect
{
meta:
    Description = "Detect pdf document YARA"
    protectionTypes = "classification"
strings:
    $str = {25504446}
condition:
    $str at 0x00
}

Compile yar rule and in logs I see nothing when I try to download pdf files.
Also in sk mentioned: "you should see this rule in every malicious file report".

I tried create malicious pdf file with reverse tcp in kali linux using "setoolkit" utility, temporary placed evil pdf in some cloud share service, than download from link using PC behind GW.
After this actions in logs I see some Detects with Prevent reaction, but for IPS, not Threat Emulation:

logs.png

I tried to disable IPS blade at all so that only Threat Emulation was enabled, but in logs I seen same Prevent with IPS..

Could anybody explain me how should yara work?
Which report should display yara match's?

Thank you in advance!

5 Replies
PhoneBoy
Admin
Admin

I believe Yara rules are ultimately translated to IPS signatures.
The fact it works even with IPS disabled is a result of IPS and Threat Emulation leveraging similar infrastructure.
Disabling IPS only disables our native IPS signatures and possibly ones imported from snort.
it doesn't disable the underlying infrastructure unless no other blade that uses it is active.

0 Kudos
Herman
Contributor

Thank you for reply 👍
I will be grateful if you clarify additional details, as I understood yara rules will only work for malicious files, is that correct?
And can we see yara that has been translated to IPS in related IPS logs?
Just I don't see any mention of my yara rule for intercepted PDFs in logs, below log example:
ips.jpg

0 Kudos
PhoneBoy
Admin
Admin

This log card says this transaction was blocked by a regular IPS signature versus your Yara rule.
Did you do this with IPS turned off and the policy pushed?

0 Kudos
Herman
Contributor

After another push policies in logs detect with Threat Emulation, but same result with nothing mention about Yara rule.
A few screenshots:
basicInf.jpg
telog.jpg

P.s. Now I noticed that the time on SMS differs from the gateway for some reason .. therefore the correct log time is + 10 minutes (I looked at the wrong field in log, not matter)

0 Kudos
PhoneBoy
Admin
Admin

Right, but at least it shows its using Threat Emulation to block the file instead of IPS.
If the file were emulated, it would show the emulation report in the log card.
My guess is this is expected behavior, but I'll see if I can clarify that.

0 Kudos