Implement Custom YARA Content

In addition to the built-in indicators of compromise, Malware Analysis supports indicators of compromise written in YARA. YARA is a rule language that allows malware researchers to identify and classify malware samples. It makes built-in YARA-based Indicators of Compromise (IOCs) available in Live; these are automatically downloaded and activated on subscribed hosts.

Customers with advanced skills and knowledge can add detection capabilities to Malware Analysis by authoring YARA rules and publishing them in Live or placing YARA rules in a watched folder for the host to consume.

As malware and the threat landscape evolve, it is important to review and examine existing custom rules. Updates are often necessary to incorporate new detection methods. It also updates YARA rules in Live from time to time. To receive updates, you can subscribe to the Blog and Live at http://blogs.rsa.com/feed.

This document provides information to help customers implement custom YARA rules in Malware Analysis.

Prerequisites

The host on which you are adding custom rules must be configured to support authoring of YARA rules as described in "Enable Custom YARA Content" in the Malware Analysis Configuration Guide.

YARA Version and Resources

Malware Analysis is packaged with YARA version 1.7 (rev:167). To find out the exact version, you can run yara -v on the Malware Analysis host as shown in this example:

[root@TESTHOST yara] # yara -v
yara 1.7 (rev:167)

Meta Keys in YARA Rules

Malware Analysis is compliant with other sources of YARA rules, and it also consumes additional meta keys that are specific to Malware Analysis. Each YARA rule is equivalent to an Indicator of Compromise (IOC) within Malware Analysis. The example below illustrates the meta definitions in a rule:
meta:
iocName = "FW.ecodedGenericCLSID"
fileType = "WINDOWS_PE"
score = 25
ceiling = 100
highConfidence = false

Meta Key Description
iocName (Required) This is the name that MA uses as the rule name. It is specific to Malware Analysis and is required to add the rule to the IOC list.
fileType Specifies the files type. Possible values are: WINDOWS_PE, MS_OFFICE, and PDF. If not specified, the default value is WINDOWS_PE.
score This value that is added to the static score if the YARA rule is triggered. If not specified, the default value is 10.
ceiling This is the maximum amount that is added to the static scores when a rule is triggered multiple times in one session. For example, if each time a rule is triggered, 20 points are added to the static, and you do not want more that 40 points added when the rule is triggered more than two times, you can specify a ceiling of 40. If not specified, the default value is 100.
highConfidence This sets the High Confidence flag, which is set on IOCs when there are high confidence indicators that malware is present. If not specified, the default file value is false.

Note: Refer to the following URL for YARA resources: https://code.google.com/p/yara-project/downloads/list. NetWitness uses YARA 1.7, not YARA 2.0.

YARA Content

Live contains 3 sets of Yara rules:

  • PE Packers
  • PDF Artifacts
  • PE Artifacts

The following figure illustrates YARA content available as YARA rules in NetWitness Live.

122_LiveLU_1222.png

On the Malware Analysis host, the YARA rules reside in /var/lib/netwitness/malware-analytics-server/spectrum/yara, as shown in the example below.

[root@TESTHOST yara]# pwd
/var/lib/netwitness/malware-analytics-server/spectrum/yara
[root@TESTHOST yara]# ls *.yara
rsa_mw_pdf_artifacts.yara rsa_mw_pe_artifacts.yara rsa_mw_pe_packers.yara


The individual rules are listed as IOCs in the Malware Analysis Service Config view > Indicators of Compromise tab. To view them, use the Yara module as the filter. You can adjust the configuration of an individual in the same way that you configure other IOCs.

netwitness_yara_and_ioc.png

Add Custom YARA Rules

To introduce custom YARA rules from other sources:

  1. To ensure that the YARA rules follows the correct format and syntax, use the YARA command to compile the YARA rule as shown in the following example. If the rule compiles with no errors, this indicates that the YARA rule has the correct syntax.
    [root@TESTHOST yara]# yara rsa_mw_pe_packers.yara dummy.txt
    [root@TESTHOST yara]#
  2. Ensure that custom rules do not duplicate existing YARA rules from other sources. All YARA rules are in /var/lib/netwitness/malware-analytics-server/spectrum/yara
  3. Ensure that the meta keys supports are included to organize the YARA rules as part of the configurable IOCs, and name the file with the yara extension (<filename>.yara). For better organization, make sure that the iocName meta is included in the meta section as shown in the following example.

    Example:
    rule HEX_EXAMPLE
    {
    meta:
    author = "RSA"
    info = "HEX Detection"
    iocName = "Hex Example"
    strings:
    $hex1 = { E2 34 A1 C8 23 FB }
    $wide_string = "Ausov" wide ascii
    condition:
    $hex1 or $wide_string
    }
  4. When ready, place the custom YARA file in the folder that the Malware Analysis service watches:
    /var/lib/netwitness/malware-analytics-server/spectrum/yara/watch
    The file is consumed within one minute.
    Once consumed, NetWitness moves the file to the processed folder, and the new rule is added to the Malware Analysis Services Config view > Indicators of Compromise tab.

Note: If you fail in adding the custom YARA rule, after step 4, do the following:
1. Check the custom YARA file is in /var/lib/netwitness/malware-analytics-server/spectrum/yara/watch/error.
2. Check the logs /var/lib/netwitness/malware-analytics-server/spectrum/logs/spectrum.log.