Using YARA Rules with RiskVision
YARA Rules | TRITON RiskVision | 02-Jun-2016
YARA is a tool widely used by malware researchers to identify and classify content based on textual or binary patterns. Its rule language supports wildcards, case-insensitive strings, regular expressions, special operators (such as string counts, offset tests and integer reads) and many other features for expressing a signature precisely.
The analytic tools used by RiskVision include a database of YARA rules that is applied during Local Analysis (before files are sent for sandboxing or other external analysis). If your organization maintains its own YARA rules, you can configure RiskVision to apply them in combination with its built-in rules (see Adding YARA rules to RiskVision).
RiskVision applies YARA rules to both inbound and outbound HTTP and SMTP traffic to:
1. Identify malicious content based on signatures.
2. Identify protocol applications.
3. Identify specific patterns in the headers of requests and responses.
Matching rules can be used to assign labels to transactions; the labels specify how those transactions are processed by other RiskVision plugins (see Rules and labels).
Copyright 2016 Forcepoint LLC. All rights reserved.