
Administration Guide

YARA Rules

YARA is a pattern matching engine for malware detection. It can be applied to files as well as downloaders. The YARA Rules page allows you to upload your own YARA rules.

Note

In v4.4.0, FortiSandbox upgraded the YARA engine to v4.2.3. Rules must be compatible with the 4.x.x rule syntax and be stored in ASCII text files.

For more information about writing YARA rules, see the product documentation. There are known issues with YARA engine v4.2.3; see the community issue reports.

FortiSandbox supports the following YARA modules:

Cuckoo, Magic, Dotnet, PE, ELF, Hash, Math, Time, Console and String. For information about YARA modules, see the product documentation.

The following options are available:

Import

Select to import a YARA rule file. You can apply one YARA rule to multiple file types.

Edit

Select to edit a YARA rule file. You can apply one YARA rule to multiple file types.

Delete

Select to delete a YARA rule file.

Change Status

Select to change the status (Active or Inactive) of a YARA rule.

Export

Select to export a YARA rule file.

The following information is displayed:

Name

The name of the YARA rule set.

File Type

The file types the YARA rule is applied to.

Modify Time

The date and time the YARA rule set was last modified.

Size

The size of the YARA rule file.

Sha256

The SHA256 checksum of the YARA rule file.

Status

The current status (Active or Inactive) of the YARA rule set.

Format guidelines for regular YARA Rules:

  • Rule file must be in plain text format
  • Rule file can contain many rules
  • Rule name must be unique
  • Rule should be in the following format:

    rule ExampleRule
    {
        strings:
            $my_text_string = "XXXXX"
            $my_hex_string = { XXXXXX }
        condition:
            $my_text_string or $my_hex_string
    }

    For more information about writing YARA rules, see the product documentation.

To upload YARA Rule File:
  1. Go to Scan Policy and Object > YARA Rules.
  2. Select Import.
  3. Configure the following settings:

    YARA Rule Name

    Enter a name for the YARA rule set.

    Default Description

    Enter a description of the YARA rule set.

    Rules Risk Level

    Select a rule risk level between 1-10.

    • 0-1: Clean
    • 2-4: Low Risk
    • 5-7: Medium Risk
    • 8-10: High Risk

    All the YARA rules inside the YARA rule file will share the same risk level.

    File Type

    Select file types to scan against uploaded YARA rules. One YARA rule file can be applied to multiple file types.

    YARA Rule File

    Choose a text file containing YARA rules.

  4. Select OK to import rules.
  5. After a YARA Rule file is imported, you can select the Activate/Deactivate icon to enable/disable the YARA rule set.

If a file hits multiple rules, a more complex algorithm is used to calculate the final rating of the file. For example, if a file hits more than one Low Risk YARA rule, the file's verdict can be higher than the Low Risk rating.

To edit a YARA Rule set:
  1. Go to Scan Policy and Object > YARA Rules.
  2. Select a YARA Rule.
  3. Click the Edit button from the toolbar.
  4. Configure the following options:

    ID

    YARA ID number. You cannot edit this field.

    Yara Rule Name

    Enter a name for the YARA rule set.

    Default Description

    Enter a description of the YARA rule set.

    Rules Risk Level

    Select a rule risk level between 1-10.

    • 0-1: Clean
    • 2-4: Low Risk
    • 5-7: Medium Risk
    • 8-10: High Risk

    All the YARA rules inside the YARA rule file will share the same risk level.

    File Type

    Select file types to scan against uploaded YARA rules. One YARA rule file can be applied to multiple file types.

    YARA Rule File

    Choose a text file containing YARA rules.

  5. Click OK to apply changes.
To delete a YARA rule set:
  1. Go to Scan Policy and Object > YARA Rules.
  2. Select a YARA Rule set.
  3. Click Delete from the toolbar.
  4. Click Yes I'm sure button from the Are you sure? confirmation box.
To change the status of a YARA rule set:
  1. Go to Scan Policy and Object > YARA Rules.
  2. Select a YARA Rule set.
  3. Click Change Status. The status of the selected YARA rule will switch to Active or Inactive depending on its previous status.
    Note

    A regular YARA rule is applied in both the Static Scan stage and the VM Engine scan stage. During the VM Engine scan stage, if any dump file hits a regular YARA rule, the Indicators section shows User-defined YARA together with the YARA rule name.

To import a process memory YARA Rule:

A process memory YARA Rule differs slightly from other YARA rules. It is used by the VM Engine and is only applied in the VM Engine scan stage whereas a regular YARA rule is applied in both the Static Scan stage and VM Engine scan stage.

  1. Go to Scan Policy and Object > YARA Rules.
  2. Click the Import button.
  3. Enter a YARA rule name in the Yara Rule Name field.
  4. Add a description for the YARA Rule if there is no corresponding field contained in the rule's meta section.
  5. In the Apply On: field, click Process Memory. The Rules Risk Level field is hidden when you do this because it is not required for Process Memory rules.

  6. Click Upload YARA File and select the YARA Rule file.
  7. Click OK.
To verify when a sample is detected by a process memory YARA rule:

If a sample is detected by a process memory YARA rule, FortiSandbox will show the following information in the FortiView job details:

  • The Indicators section shows that the sample contains a suspicious pattern with the YARA rule name.
  • The YARA rule and rating are displayed as Behaviors.

If a sample is detected by multiple process memory YARA rules, FortiSandbox shows all hits and takes the highest scoring YARA rule as the final scan score if no other suspicious behavior is detected.

Format guidelines for process memory YARA Rules:
  • A rule file must be in plain text format
  • A rule file can contain many rules
  • A rule name must be unique
  • A rule should be in the following format:

    rule Andromeda29_Memory_Pattern
    {
        meta:
            description = "Andromeda29"
            impact = 8
        condition:
            ...
    }

    description: the description of the rule; it is shown in the Indicators section if the rule matches.

    impact: the impact level of the pattern, in the range 0-10 (0-1: Clean, 2-4: Low Risk, 5-7: Medium Risk, 8-10: High Risk).
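A pre-upload check for the two format guideline lists on this page (regular and process memory rule files), added here as an example and not part of FortiSandbox or the YARA project: it verifies that the file is ASCII text, that rule names are unique, and, for process memory rules, that each rule's meta section carries a description and an impact inside the 0-10 bands listed above. The regex-based parsing, the function names and the embedded sample rules are assumptions made for this example; it does not replace compiling the file with YARA 4.2.x.

```python
import re
# Risk bands as listed on this page (Rules Risk Level / meta "impact").
RISK_BANDS = ((0, 1, "Clean"), (2, 4, "Low Risk"), (5, 7, "Medium Risk"), (8, 10, "High Risk"))
# Regex pass, not the YARA compiler: a quoted string holding a line "rule x" would fool it.
RULE_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)\b", re.M)
META_RE = re.compile(r"\bmeta\s*:(.*?)(?=\s*(?:strings|condition)\s*:)", re.S)
KV_RE = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|-?\d+|true|false)')

def risk_band(impact):
    """Map an impact value to the page's risk label, or None if outside 0-10."""
    for lo, hi, label in RISK_BANDS:
        if lo <= impact <= hi:
            return label
    return None

def lint_rules(data, process_memory=False):
    """Return guideline violations as a list; an empty list means the file passes."""
    try:
        text = data.decode("ascii")          # guideline: ASCII text file
    except UnicodeDecodeError as e:
        return ["file is not ASCII text (byte offset %d)" % e.start]
    names = RULE_RE.findall(text)
    problems, seen = ([] if names else ["no rules found"]), set()
    for name in names:                       # guideline: unique rule names
        if name in seen:
            problems.append("duplicate rule name: %s" % name)
        seen.add(name)
    if not process_memory:
        return problems
    parts = RULE_RE.split(text)[1:]          # [name, body, name, body, ...]
    for name, body in zip(parts[::2], parts[1::2]):
        m = META_RE.search(body)             # each process memory rule rates itself via meta
        meta = dict(KV_RE.findall(m.group(1))) if m else {}
        if "description" not in meta:
            problems.append("%s: meta is missing 'description'" % name)
        impact = meta.get("impact", "")
        if not re.fullmatch(r"-?\d+", impact) or risk_band(int(impact)) is None:
            problems.append("%s: meta 'impact' must be an integer 0-10" % name)
    return problems

# Constructed sample file: one complete process memory rule, one missing its impact.
SAMPLE_RULES = b"""rule Andromeda29_Memory_Pattern {
    meta: description = "Andromeda29"  impact = 8
    condition: uint16(0) == 0x5A4D
}
rule Example_Missing_Impact {
    meta: description = "no impact field"
    condition: true
}
"""
```

Run `lint_rules(SAMPLE_RULES, process_memory=True)` to see the missing impact reported, and `lint_rules(SAMPLE_RULES)` to see the same file pass as a regular rule file.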

To activate the process memory YARA Rule:
  1. Select the YARA Rule in Scan Policy and Object > Yara Rules, then click Change Status to activate the YARA rule. Clicking the Change Status button again will toggle the Status between Active and Inactive.

To export a YARA rule:
  1. From Scan Policy and Object > Yara Rules, click Export to export this YARA rule in plain text format.
