2.1.11. Yara engine

2.1.11.1. Introduction

2.1.11.1.1. For what types of threats is this engine designed?

The Yara engine detects malware in the files reconstructed by the GCap by matching them against Yara rules, i.e. pattern-based signatures.


2.1.11.1.2. How does this particular engine detect threats?

When a file rebuilt by the GCap is submitted to the Yara engine, it is analysed and compared with each rule of the loaded Yara ruleset.
A Yara rule defines a set of variables (text strings, hexadecimal byte patterns or regular expressions) that hold the patterns found in a malware sample, plus a condition that combines them.
When the Yara engine finds a match between the analysed file and the definition of a rule, an alert is raised and classified as malware in the same way as for the Malcore engine.

2.1.11.1.3. How does Yara work in the GCenter?

The engine:


2.1.11.1.3.1. Yara engine input data

The network flow is duplicated on the network by a TAP and the files are rebuilt by the GCap.
The file reconstruction is configured by the file reconstruction rules used by the GCap detection engine (refer to Configuring the file reconstruction rules via the GCap profile).
The Yara engine needs Yara rules to run.
These rules are defined in a specific ruleset.
This ruleset has to be loaded via the `Yara engine` screen.

Note

For further information about writing Yara rules, see https://yara.readthedocs.io/en/stable/writingrules.html
To validate the syntax of the rules before loading them, the validator at https://yaravalidator.manalyzer.org/ can be used.
An example Yara ruleset can be downloaded: yara_ruleset_example.yara.
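
The following ruleset is an added illustration of the rule structure described above (variables holding patterns, plus a condition); it is not the page's yara_ruleset_example.yara and not a Gatewatcher rule. The rule names, strings and thresholds are assumptions chosen to match the PDF case shown in the alert examples of this page; a ruleset of this shape can be checked with the validator linked above before being loaded via the `Yara engine` screen.

```yara
// Illustrative ruleset (added example, not part of the GCenter documentation).
// Rule 1: a PDF that declares JavaScript and an automatic action.
rule PDF_JavaScript_AutoAction
{
    meta:
        description = "PDF declaring JavaScript together with an auto-run action"
        author      = "example"           // assumption: illustrative author
        severity    = "medium"

    strings:
        $pdf_magic = "%PDF-"               // PDF header, expected at offset 0
        $js_long   = "/JavaScript" ascii   // JavaScript action object
        $js_short  = "/JS" ascii           // abbreviated form of the same key
        $open      = "/OpenAction" ascii   // runs when the document is opened
        $aa        = "/AA" ascii           // additional (event-triggered) actions

    condition:
        $pdf_magic at 0
        and filesize < 5MB
        and ($js_long or $js_short)
        and ($open or $aa)
}

// Rule 2: a PDF carrying an embedded file and a /Launch action.
// Shows a hex pattern with wildcards ("?? ??" matches any two bytes).
rule PDF_Launch_EmbeddedFile
{
    meta:
        description = "PDF with an embedded file and a /Launch action"
        author      = "example"           // assumption: illustrative author
        severity    = "high"

    strings:
        $pdf_magic = "%PDF-"
        $embedded  = "/EmbeddedFile" ascii
        // "/Launch" written as hex: 2F 4C 61 75 6E 63 68, with two wildcard
        // bytes allowed between the key and the following "<<" dictionary start.
        $launch    = { 2F 4C 61 75 6E 63 68 ?? ?? 3C 3C }

    condition:
        $pdf_magic at 0 and $embedded and $launch
}
```

When such a rule fires on a reconstructed file, the GCenter shows the alert with `threat: Yara Rule Matched` and a Malcore counter of 0/16, as described in the next section.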

2.1.11.2. Events generated


2.1.11.2.1. Events generated by the engine

Events generated by the Malcore engine are alerts.
Events generated by the yara engine are included with the Malcore alerts.
These are displayed:
  • In the main interface named WEB UI of the GCenter in the `Alerts` screen:
    The main interface named WEB UI is described in Overview of the WEB UI.
  • To view the alerts, select the `Malcore` engine filter.
    See the presentation of the Web UI `Alerts`.
    [Figure GCE103_MALCORE_ALERT_06.PNG: Malcore alerts in the `Alerts` screen]
  • Click on the selected alert.
    The `Alert details` window is displayed.
    The following counters are displayed and give information on the alert category:
    • `total found:`

    • `threat:`

  • If `total found:` is 0/16 and `threat:` is Yara Rule Matched, then the alert category is yara.
    Example of a yara alert:
    Malcore summary
    state: Yara Rule Matched
    total found: 0/16
    file description: Adobe Portable Document Format
    threat: Yara Rule Matched
    
    In this case, see Analysing the Yara alerts.
  • If `total found:` is different from 0/16, then the alert category is malcore.
    Example of a Malcore alert:
    Malcore summary
    state: Infected
    total found: 1/16
    file description
    threat
    Infected : pdf/malicious_confidence_100
    

    In this case, the `total found` counter is different from 0/16, i.e. at least one Malcore engine result is not CLEAN.

  • In the Kibana UI interface
    • To view only the Malcore alerts without the yara alerts:
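
The classification rule given above (a 0/16 counter with `threat: Yara Rule Matched` is a yara alert, any non-zero counter is a malcore alert) can be applied to the `Malcore summary` text when triaging exports of `Alert details`. The script below is an added example, not GCenter code; the two summary blocks are constructed from the examples shown on this page, the field names follow those examples, and the "none" result for a 0/16 counter without a Yara match is an assumption covering input the page does not describe.

```python
import re

# Constructed samples reproducing the two "Malcore summary" blocks shown
# on this page (not captured from a live GCenter).
YARA_SUMMARY = """\
state: Yara Rule Matched
total found: 0/16
file description: Adobe Portable Document Format
threat: Yara Rule Matched
"""

MALCORE_SUMMARY = """\
state: Infected
total found: 1/16
file description: Adobe Portable Document Format
threat: Infected : pdf/malicious_confidence_100
"""

# "key: value"; the key is matched lazily so that a value may itself
# contain colons (e.g. "Infected : pdf/malicious_confidence_100").
_FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*)$")
# "found/total" counter as displayed, e.g. "0/16".
_COUNTER = re.compile(r"^(\d+)/(\d+)$")


def parse_summary(text):
    """Turn the summary's 'key: value' lines into a dict (keys lowercased)."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields


def parse_counter(counter):
    """Return (found, total) from a 'found/total' string; reject anything else."""
    m = _COUNTER.match(counter.strip())
    if not m:
        raise ValueError(f"unparseable 'total found' counter: {counter!r}")
    found, total = int(m.group(1)), int(m.group(2))
    if found > total:
        raise ValueError(f"counter {counter!r}: found exceeds total")
    return found, total


def alert_category(summary):
    """Classify a Malcore summary as 'yara', 'malcore' or 'none' (assumption)."""
    fields = parse_summary(summary)
    found, _total = parse_counter(fields.get("total found", ""))
    if found > 0:
        # At least one Malcore engine result is not CLEAN.
        return "malcore"
    if fields.get("threat") == "Yara Rule Matched":
        # No Malcore engine hit, but a Yara rule fired.
        return "yara"
    # 0/N and no Yara match: the page does not describe such an alert;
    # returning "none" here is an assumption of this example.
    return "none"


if __name__ == "__main__":
    for name, text in (("yara sample", YARA_SUMMARY), ("malcore sample", MALCORE_SUMMARY)):
        print(f"{name}: {alert_category(text)}")
```

Run as a script, it prints the category of each constructed sample. The counter parser refuses malformed values rather than silently treating them as zero, so a truncated export cannot be misclassified as a yara alert.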

2.1.11.3. Management of the engine

2.1.11.3.1. Viewing the engine status

The engine status is displayed in `Health checks` screen.


2.1.11.3.2. Engine update

The engine is updated with each new version of the GCenter.


2.1.11.3.3. Yara engine configuration

The management interface is used:

  • To activate the engine

  • To load a Yara ruleset

For more information on the procedure: see the Setting up the Yara engine.
The management interface is described in `Yara engine` screen.

2.1.11.4. Alert Analysis

The general procedure for analyzing alerts is described in Using of NDR dashboards.
The specific procedure for analyzing Yara alerts is described in the Analysing the Yara alerts.