YARA Rules
YARA is a pattern matching engine for malware detection. It can be applied for files as well as downloaders. The YARA Rules page allows you to upload your own YARA rules.
In v4.4.0, FortiSandbox upgraded Yara Engine to v4.2.3. The rules must be compatible with the 4.x.x schema and put inside ASCII text files. |
For more information about writing YARA rules, see the product documentation. There are known issues for Yara Engine v4.2.3, see the issue report community.
FortiSandbox supports following Yara modules:
Cuckoo, Magic, Dotnet, PE, ELF, Hash, Math, Time, Console and String. For information about YARA modules, see the production documentation.
The following options are available:
Import |
Select to import a YARA rule file. You can apply one YARA rule to multiple file types. |
Edit |
Select to edit a YARA rule file. You can apply one YARA rule to multiple file types. |
Delete |
Select to delete a YARA rule file. |
Change Status |
Select to change the status (Active or Inactive) of a YARA rule. |
Export |
Select to export a YARA rule file. |
The following information is displayed:
Name |
The name of the YARA rule set. |
File Type |
The file types the YARA rule is applied to. |
Modify Time |
The date and time the YARA rule set was last modified. |
Size |
The size of the YARA rule file. |
Sha256 |
The Sha256 checksum of the YARA rule file. |
Status |
The current status (Active or Inactive) of the YARA rule set. |
Format guidelines for regular YARA Rules:
- Rule file must be in plain text format
- Rule file can contain many rules
- Rule name must be unique
- Rule should be in the following format:
rule ExampleRule Name xxx { strings: $my_text_string = "XXXXX" $my_hex_string = { XXXXXX } condition: $my_text_string or $my_hex_string }
For more information about writing YARA rules, see the product documentation.
To upload YARA Rule File:
- Go to Scan Policy and Object > YARA Rules.
- Select Import.
- Configure the following settings:
YARA Rule Name
Enter a name for the YARA rule set.
Default Description
Enter a description of the YARA rule set.
Rules Risk Level
Select a rule risk level between 1-10.
- 0-1: Clean
- 2-4: Low Risk
- 5-7: Medium Risk
- 8-10: High Risk
All the YARA rules inside the YARA rule file will share the same risk level.
File Type
Select file types to scan against uploaded YARA rules. One YARA rule file can be applied to multiple file types.
YARA Rule File
Choose a text file containing YARA rules.
- Select OK to import rules.
- After a YARA Rule file is imported, you can select the Activate/Deactivate icon to enable/disable the YARA rule set.
If a file hits multiple rules, a complicated algorithm is used to calculate the final rating of the file. For example, if a file hits more than one Low Risk YARA rules, the file's verdict can be higher than the Low Risk rating. |
To edit a YARA Rule set:
- Go to Scan Policy and Object > YARA Rules.
- Select a YARA Rule.
- Click the Edit button from the toolbar.
- Configure the following options:
ID
YARA ID number. You cannot edit this field.
Yara Rule Name
Enter a name for the YARA rule set.
Default Description
Enter a description of the YARA rule set.
Rules Risk Level
Select a rule risk level between 1-10.
- 0-1: Clean
- 2-4: Low Risk
- 5-7: Medium Risk
- 8-10: High Risk
All the YARA rules inside the YARA rule file will share the same risk level.
File Type
Select file types to scan against uploaded YARA rules. One YARA rule file can be applied to multiple file types.
YARA Rule File
Choose a text file containing YARA rules.
- Click OK to apply changes.
To delete a YARA rule set:
- Go to Scan Policy and Object > YARA Rules.
- Select a YARA Rule set.
- Click Delete from the toolbar.
- Click Yes I'm sure button from the Are you sure? confirmation box.
To change the status of a YARA rule set:
- Go to Scan Policy and Object > YARA Rules.
- Select a YARA Rule set.
- Click Change Status. The status of the selected YARA rule will switch to Active or Inactive depending on its previous status.
Regular YARA rule is applied in both the Static Scan stage and VM Engine scan stage. During the VM Engine scan stage, if any dump file hits the regular YARA rule, the Indicators section will show the User-defined YARA with the YARA rule name.
To import a process memory YARA Rule:
A process memory YARA Rule differs slightly from other YARA rules. It is used by the VM Engine and is only applied in the VM Engine scan stage whereas a regular YARA rule is applied in both the Static Scan stage and VM Engine scan stage.
- Go to Scan Policy and Object > YARA Rules.
- Click the Import button.
- Input a YARA rule name in the Yara Rule Name field.
- Add a description for the YARA Rule if there is no corresponding field contained in the rule's meta section.
- In the Apply On: field, click Process Memory. The Rules Risk Level field will be hidden upon click because it is not required for Process Memory.
- Click Upload YARA File and select the YARA Rule file.
- Click OK.
To verify when a sample is detected by a process memory YARA rule:
If a sample is detected by a process memory YARA rule, FortiSandbox will show the following information in the FortiView job details:
- The Indicators section shows that the sample contains a suspicious pattern with the YARA rule name.
- The YARA rule and rating are displayed as Behaviors.
If a sample is detected by multiple process memory YARA rules,FortiSandbox shows all hits and takes the highest scoring YARA rule as the final scan score if no other suspicious behavior is detected.
Format guidelines for process memory YARA Rules:
- A rule file must be in plain text format
- A rule file can contain many rules
- A rule name must be unique
- A rule should be in the following format:
rule Andromeda29_Memory_Pattern
{
meta:
description = "Andromeda29"
impact = 8
condition:
...
}
description: description of the rule, it will show in the indicator if matched
impact: the impact level of the pattern, range: 0-10, 0-1:clean,2-4: Low Risk,5-7: Medium Risk,8-10:High Risk
To activate the process memory YARA Rule
- Select the YARA Rule in Scan Policy and Object > Yara Rules, then click Change Status to activate the YARA rule. Clicking the Change Status button again will toggle the Status between Active and Inactive.
To export a YARA rule:
- From Scan Policy and Object > Yara Rules, click Export to export this YARA rule in plain text format.