One Article Review

Source: AlienVault Blog
Identifier: 550047
Publication date: 2018-03-29 13:00:00 (seen: 2018-03-29 15:07:52)
Title: YARA Rules for Finding and Analyzing in InfoSec
Introduction

If you work in security anywhere, you do a lot of searching, analyzing, and alerting. It's the underpinning for almost any keyword you can use to describe the actions we take when working. The minute any equation I'm working on comes down to "finding" or "analyzing", I know what to reach for and put to use. It's YARA.

The variables of the equation really don't matter. A quick interrogation of a file to find out about its contents? Digging through source code to find a specific algorithm? Determining if something is malicious or safe to whitelist? YARA handles those use cases and plenty more. Really, it comes down to finding things: finding fragments of what I'm looking for, whether I want to do so directly, by absence, via a pattern or through some form of calculus. YARA is my go-to.

Outlining what it can do at a high level is simple to express, but it's unreasonable to expect that you are as familiar with YARA as I am. If you are up for a little exploration, dive into the details with me for a minute.

Delving into Details of Data

When it comes to finding, it's a discussion of what "whole" thing I am looking for, or what "fragment" of a whole I am looking to find. In YARA-speak, that's a detection or a detection fragment. Just like bacon makes everything better, so do examples. As a detection, we are going to use "Alienvault". It's a recognizable term, after all, and one we want to find. However, perhaps it's not spelled exactly as we spelled it. To combat spelling, spacing and other issues, we can break the whole thing we are looking to find into detection fragments. Those might be "Alien" and "vault".

Written in a rule, that would look something like this:

    rule at_whole_frag {
        meta:
            description = "simple detection and detection fragment logic"
        strings:
            $whole = "Alienvault"
            $frag1 = "Alien"
            $frag2 = "vault"
        condition:
            $whole or ($frag1 and $frag2)
    }

The syntax and structure of YARA is pretty intuitive, so I'm going to skip going into full detail about it. I chatted about the basics of YARA previously on Alienvault and it's a good primer to get started. Equally, you can jump into one of our classes and really get into the details. Regardless, you have to outline a name for your rule, in this case "at_whole_frag", that identifies it. Then, you have three internal sections within a pair of curly brackets: "meta", "strings", and "condition". The meta and strings sections are handled like variable assignments. The condition section is written to return a Boolean value: if true, the rule matches, and if false, it does not. The normal code actions of concatenation, stemming, counting, comparison, and looping are allowed at the condition line.

What we did in the previous example was very simple ASCII text detection. We can shift those detections to Unicode strings, remove issues with upper and lower case, or include negation logic at the condition line to look for absence, or negative space.

ru
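The three variations just named (Unicode strings, case-insensitivity and negation) applied to the same whole/fragment logic, as an added example that is not part of the original post or of AlienVault's own rule set. The rule name, the `$excl` exclusion string and the `filesize` bound are my own assumptions for illustration; `ascii wide nocase` are standard YARA string modifiers, and `not` is the standard Boolean operator in the condition.

```yara
rule at_whole_frag_extended
{
    meta:
        description = "added example: wide, case-insensitive and negated variants of the whole/fragment logic"

    strings:
        // "ascii wide" matches both single-byte text and UTF-16LE (Unicode) text;
        // "nocase" makes the comparison case-insensitive, so AlienVault, ALIENVAULT
        // and alienvault all hit the same string.
        $whole = "Alienvault" ascii wide nocase
        $frag1 = "Alien"      ascii wide nocase
        $frag2 = "vault"      ascii wide nocase

        // Hypothetical exclusion string (assumption for this example): its presence
        // is treated as a known-benign context we do not want to alert on.
        $excl  = "Alienvault Labs" ascii wide nocase

    condition:
        // Keep the original whole-or-both-fragments logic, then use negation to
        // demand the *absence* of the exclusion string. The size bound (assumed)
        // keeps the rule from being evaluated against very large files.
        filesize < 5MB and
        ($whole or ($frag1 and $frag2)) and
        not $excl
}
```

Note that negation here works at the whole-file level: a file containing both "AlienVault" and "Alienvault Labs" is suppressed entirely, which is the intended "negative space" behaviour but is worth checking against your own samples before deploying the rule.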
Sent: Yes


The article does not appear to have been reposted after its publication.


The article does not appear to be a repost of an earlier one.