Hello everybody,
I want to configure YARA signatures for simple PDF detection in my lab environment (R81.10 GW and SMS) using sk123156.
As stated in the sk, I enabled the feature:
tecli advanced yara set status 1
Created a simple yar rule in $FWDIR/conf/yara/custom_rules/:
rule PDF_detect
{
    meta:
        Description = "Detect pdf document YARA"
        protectionTypes = "classification"
    strings:
        $str = {25504446}
    condition:
        $str at 0x00
}
Compiled the yar rule, but in the logs I see nothing when I try to download PDF files.
The sk also mentions: "you should see this rule in every malicious file report".
I tried to create a malicious PDF file with a reverse TCP payload in Kali Linux using the "setoolkit" utility, temporarily placed the evil PDF on a cloud share service, then downloaded it from the link using a PC behind the GW.
After these actions I see some Detects with a Prevent action in the logs, but for IPS, not Threat Emulation:
I tried disabling the IPS blade entirely so that only Threat Emulation was enabled, but in the logs I saw the same Prevent from IPS.
Could anybody explain to me how YARA should work?
Which report should display YARA matches?
Thank you in advance!
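A quick offline sanity check of what the posted rule actually tests, added here as an example (it is not part of the post and not Check Point's code): the rule's single string is the hex sequence 25 50 44 46, i.e. the ASCII `%PDF` magic, and `$str at 0x00` means it must sit at offset 0 of the file. The script below reimplements that anchored check in plain Python, contrasts it with an unanchored match on a few constructed byte samples, and, if the `yara` module (yara-python) happens to be installed, compiles the same rule text and cross-checks it. It says nothing about whether the gateway's Threat Emulation engine ever ran the rule; it only confirms the rule logic itself is sound.

```python
"""Offline check of the posted YARA rule's logic.

The rule matches the bytes 25 50 44 46 ("%PDF") only when they start the
file (`$str at 0x00`). All samples below are constructed for this example.
"""

# The rule's $str, written as YARA hex bytes {25504446} == b"%PDF".
PDF_MAGIC = bytes.fromhex("25504446")

# Verbatim copy of the rule under test, for the optional yara-python cross-check.
RULE = r'''
rule PDF_detect
{
    meta:
        Description = "Detect pdf document YARA"
        protectionTypes = "classification"
    strings:
        $str = {25504446}
    condition:
        $str at 0x00
}
'''


def matches_pdf_rule(data: bytes) -> bool:
    """Equivalent of the condition `$str at 0x00`: magic must start the file."""
    return data[:4] == PDF_MAGIC


def contains_pdf_magic(data: bytes) -> bool:
    """What the condition would be if it were just `$str`: a match anywhere."""
    return PDF_MAGIC in data


def classify(samples: dict) -> dict:
    """Return {name: (anchored_match, unanchored_match)} for each sample."""
    return {name: (matches_pdf_rule(d), contains_pdf_magic(d)) for name, d in samples.items()}


def yara_cross_check(samples: dict):
    """Compile RULE with yara-python if available and match each sample.

    Returns {name: bool} or None when the module is not installed, so the
    rest of the script still runs without it.
    """
    try:
        import yara  # provided by the yara-python package (optional here)
    except ImportError:
        return None
    rules = yara.compile(source=RULE)
    return {name: bool(rules.match(data=d)) for name, d in samples.items()}


# Constructed samples: a minimal PDF header, a page that merely mentions
# "%PDF" mid-stream, a ZIP header, and an empty file.
SAMPLES = {
    "real_pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "html_mentioning_pdf": b"<html><body>Download the %PDF here</body></html>",
    "zip_archive": b"PK\x03\x04" + b"\x00" * 26,
    "empty": b"",
}

if __name__ == "__main__":
    for name, (anchored, anywhere) in classify(SAMPLES).items():
        print(f"{name:22} at-offset-0={anchored!s:5} anywhere={anywhere}")
    yara_result = yara_cross_check(SAMPLES)
    if yara_result is None:
        print("yara-python not installed; skipping engine cross-check")
    else:
        print("yara-python results:", yara_result)
```

Only `real_pdf` satisfies the anchored condition; the HTML sample shows why `at 0x00` matters, since an unanchored `$str` would flag any file that merely contains the four bytes. When yara-python is present, its results for this rule line up with the anchored column.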