Yara Rule Feed
We are currently collecting requests for a YARA rule feed service that provides you with the newest, high-quality YARA rules that we have integrated into our scanners.
The internal signature database contains more than 9000 quality-tested YARA rules for malware (mostly RATs and APT-related malware), droppers, exploit codes, web shells, malicious scripts, obfuscated code, hack tools, the output files of these hack tools, forensic artefacts and other anomalies.
If you are interested in such a service, please subscribe to the “Early Access” mailing list or contact us via email@example.com
As previously announced, our YARA rule packs and feeds will be available in March/April 2019. We’ve put a lot of effort into an internal system named “Mjolnir” that parses, normalizes, filters, tags and automatically modifies our rule base, which contains more than 9000 YARA rules.
This system will now fill a database of tagged YARA rules – the basis of our new YARA services.
The services will be divided into two categories:
- YARA Rule Set
- YARA Rule Feed
YARA Rule Set
The YARA rule set consists of more than 9000 YARA rules of different categories that are used in our scanners.
Some of our rules use extensions (external variables) that are only usable in our scanner products. These rules, as well as experimental, third-party and otherwise classified rules, will not be part of the purchasable rule set.
YARA Rule Feed
The YARA rule feed is a subscription to our rules. The feed always contains the rules of the last 90 days, which amounts to between 250 and 400 YARA rules.
The quality of the rules in the rule set is comparable to that of the rules in our public “signature-base” repository.
Some good examples for the different rule categories are:
- Webshells – FOPO Obfuscated Webshells
- Exploits – Exploit Codes for CVE-2017-8759
- Hacktools – BlackBone Driver Injector
- Threat Hunting – Suspicious Big Scheduled Task Files
- APT – Turla Rules
Quality and Focus
The rules are tested against a data set of more than 350 TB of goodware. The goodware file repository consists of Windows OS files, several full Linux distributions and a big collection of commercial and free software.
However, false positives are always possible. We do not recommend any destructive action on a signature match, such as deleting or blocking.
The main focus of our rules is:
- Threat Hunting
- Anomaly Detection
- Compromise Assessment
The API features different output formats (text, json, html) and filters for tags, score and time frames.
Rich Meta Data
The rules provide rich meta data: a standardized scheme based on best practices, and tags for simpler filtering.
We provide useful statistics and reports on the rules in the feed, such as AV engine coverage and matched sample hashes.
Quality Tested Rules
All rules are tested against more than 80 TB of operating system files and other software.
All rules are used in our scanners and are therefore optimized for performance. The planned version 1.1 of the API will allow you to pull less strict rule sets that are more effective for in-memory detection and detection in data streams.
We provide an API client written in Python that allows you to query the API in different ways.