Hello everybody,
I want to configure YARA signatures for simple PDF detection in my lab environment (R81.10 GW and SMS) using sk123156.
As said in the sk, I enabled the feature:
tecli advanced yara set status 1
Created a simple yar rule in $FWDIR/conf/yara/custom_rules/:
```yara
rule PDF_detect
{
meta:
    Description = "Detect pdf document YARA"
    protectionTypes = "classification"
strings:
    $str = {25504446}
condition:
    $str at 0x00
}
```
Compiled the yar rule, and in the logs I see nothing when I try to download pdf files.
Also the sk mentions: "you should see this rule in every malicious file report".
I tried to create a malicious pdf file with a reverse tcp payload in Kali Linux using the "setoolkit" utility, temporarily placed the evil pdf on a cloud share service, then downloaded it from the link using a PC behind the GW.
After these actions, in the logs I see some Detects with a Prevent reaction, but for IPS, not Threat Emulation:
I tried to disable the IPS blade entirely so that only Threat Emulation was enabled, but in the logs I saw the same Prevent with IPS..
Could anybody explain to me how yara should work?
Which report should display yara matches?
Thank you in advance!
I believe Yara rules are ultimately translated to IPS signatures.
The fact it works even with IPS disabled is a result of IPS and Threat Emulation leveraging similar infrastructure.
Disabling IPS only disables our native IPS signatures and possibly ones imported from Snort.
It doesn't disable the underlying infrastructure unless no other blade that uses it is active.
Thank you for the reply 👍
I would be grateful if you could clarify additional details. As I understood, yara rules will only work for malicious files, is that correct?
And can we see the yara that has been translated to IPS in the related IPS logs?
I just don't see any mention of my yara rule for intercepted PDFs in the logs; log example below:
This log card says this transaction was blocked by a regular IPS signature rather than your Yara rule.
Did you do this with IPS turned off and the policy pushed?
After another policy push, the logs show a Detect with Threat Emulation, but the same result with no mention of the Yara rule.
A few screenshots:
P.S. Now I noticed that the time on the SMS differs from the gateway for some reason, therefore the correct log time is +10 minutes (I looked at the wrong field in the log, it doesn't matter).
Right, but at least it shows it's using Threat Emulation to block the file instead of IPS.
If the file were emulated, it would show the emulation report in the log card.
My guess is this is expected behavior, but I'll see if I can clarify that.
It was necessary to change protectionTypes in the rule to "black"; after that it worked as I expected.
Also I just want to post a log example here that describes the yara match, maybe it will help someone:
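The rule from this thread, with the protectionTypes value that finally made it fire, can be exercised offline before it is compiled on the gateway. What follows is an added example, not code from the thread or from sk123156: it implements a tiny subset of YARA (hex strings, and conditions of the form `$id` or `$id at <offset>`) in plain Python so no yara-python install is needed, then runs the rule over constructed samples. The sample bytes, the "anywhere" variant of the rule and the helper names are assumptions made here, and the evaluator says nothing about how Check Point compiles or classifies the rule.

```python
"""Offline sanity check for the PDF_detect YARA rule (added example).

Supports only what the rule needs: hex strings and a condition of the form
`$id` (match anywhere) or `$id at <offset>`. Anything else is rejected.
"""
import re

# The thread's rule with the meta value that made it fire on the gateway.
PDF_DETECT_RULE = r'''
rule PDF_detect
{
meta:
    Description = "Detect pdf document YARA"
    protectionTypes = "black"
strings:
    $str = {25504446}
condition:
    $str at 0x00
}
'''

# Same rule, but with the magic allowed anywhere in the file. Constructed
# here for comparison; not a rule from the thread.
PDF_DETECT_ANYWHERE_RULE = PDF_DETECT_RULE.replace("$str at 0x00", "$str")

# Constructed samples, not real captures.
SAMPLES = {
    "plain_pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "text_file": b"Hello, not a PDF at all\n",
    # A few bytes in front of the header; PDF readers commonly tolerate this.
    "prefixed_pdf": b"\r\n\r\n%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
}


def parse_rule(text):
    """Parse the YARA subset above into (name, meta, strings, condition)."""
    name = re.search(r"rule\s+(\w+)", text).group(1)
    # meta entries look like:  key = "value"   ($-prefixed strings do not match)
    meta = dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"', text, re.M))
    strings = {}
    # hex strings look like:  $id = {25504446}
    for sid, body in re.findall(r"^\s*\$(\w+)\s*=\s*\{([0-9A-Fa-f\s]+)\}", text, re.M):
        strings[sid] = bytes.fromhex("".join(body.split()))
    condition = re.search(r"condition:\s*(.+?)\s*\}", text, re.S).group(1).strip()
    if not re.fullmatch(r"\$\w+(\s+at\s+(0x[0-9A-Fa-f]+|\d+))?", condition):
        raise ValueError("unsupported condition: " + condition)
    return name, meta, strings, condition


def matches(rule_text, data):
    """Evaluate one rule against one byte string and return True/False."""
    _, _, strings, condition = parse_rule(rule_text)
    parts = condition.split()
    pattern = strings[parts[0][1:]]          # strip the leading '$'
    if len(parts) == 1:                      # bare $id: anywhere in the file
        return pattern in data
    offset = int(parts[2], 0)                # `$id at <offset>`, hex or decimal
    return data[offset:offset + len(pattern)] == pattern


def scan_samples(rule_text):
    """Run one rule over every constructed sample; returns {name: bool}."""
    return {name: matches(rule_text, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for label, rule in (("at 0x00", PDF_DETECT_RULE),
                        ("anywhere", PDF_DETECT_ANYWHERE_RULE)):
        print(label, scan_samples(rule))
```

The third sample is the reason for running this before deploying: `$str at 0x00` only fires when the magic is the first four bytes, so a PDF with a few bytes of leading junk slips past the rule even though a reader will still open it. Anchoring at offset 0 is exact but brittle; a YARA condition that allows the header within the first kilobyte (for example `$str in (0..1024)`) is the usual compromise, and is worth testing the same way before it goes into $FWDIR/conf/yara/custom_rules/.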