Using YARA Rules with RiskVision
YARA Rules | TRITON RiskVision | 02-Jun-2016
YARA is a tool often used by malware researchers for identifying and classifying content based on textual or binary patterns. It supports a comprehensive set of rules using wildcards, case-insensitive strings, regular expressions, special operators and many other complex and powerful features.
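As an added illustration (not taken from the RiskVision rule database or from Forcepoint documentation), the constructed rule below shows the feature types listed above in one place: a hex string with a jump, wildcards and alternatives, a case-insensitive text string, a regular expression, and a condition that uses the `at` and `filesize` operators. The rule name, metadata and patterns are assumptions chosen to show the syntax, not a production detection.

```yara
rule Example_OLE2_Doc_With_AutoOpen_And_Exe_Url
{
    meta:
        description = "Constructed example: OLE2 document naming an auto-run macro and an .exe URL"
        note        = "Illustrates YARA syntax only; patterns are assumptions"

    strings:
        // Hex string: OLE2 compound-file signature, a 16-byte jump over the
        // CLSID, two wildcard bytes for the minor version, major version
        // 3 or 4 (alternatives), then the little-endian byte-order mark.
        $ole_header = { D0 CF 11 E0 A1 B1 1A E1 [16] ?? ?? ( 03 | 04 ) 00 FE FF }

        // Case-insensitive text string: matches AutoOpen, AUTOOPEN, autoopen, ...
        $auto_open = "AutoOpen" nocase

        // Regular expression: an http(s) URL whose path ends in .exe
        $exe_url = /https?:\/\/[a-z0-9.\-]{4,64}\/[a-z0-9_.\/\-]{1,64}\.exe/ nocase

    condition:
        // The header must sit at offset 0; the other two strings may appear
        // anywhere. The size bound keeps the rule off very large files.
        $ole_header at 0 and
        $auto_open and
        $exe_url and
        filesize < 5MB
}
```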
The analytic tools used by RiskVision include a database of YARA rules used during Local Analysis (before files are sent for sandboxing or other external analysis). If your organization uses YARA, you can configure RiskVision to use your YARA rules in combination with its own (see Adding YARA rules to RiskVision).
RiskVision applies YARA rules to both inbound and outbound HTTP and SMTP traffic to:
1.
2.
3.
Matching rules can be used to assign labels to transactions to specify how those transactions are processed by other RiskVision plugins (see Rules and labels).

Copyright 2016 Forcepoint LLC. All rights reserved.