A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Affiliates:
Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


Yara Rule QA: Can't I Write Code to do This for Me? - Andrew Plunkett Derbycon 2016 (Hacking Illustrated Series InfoSec Tutorial Videos)

Yara Rule QA: Can't I Write Code to do This for Me?
Andrew Plunkett
Derbycon 2016

Yara is a powerful scanning tool that uses signatures to detect threats. It has quickly become a staple of many IT security programs. They can be used to find new samples with VirusTotal hunting, to scan endpoints, to detect malware families during sandbox or manual analysis, and for whatever other use you can come up with. New malware intelligence usually has a yara rule for detection of the malicious code, and there are many public groups that share yara rules so you need not create your own for each new threat. Accepting public rules into your own tools and environment creates some issues, though. Will the rule run with your tool (version issues)? Is the rule written efficiently (performance issues)? Will the rule compile or have a high True Positive/False Positive ratio (quality issues)? Do different collections of rules have overlapping signatures (duplication issues)? This talk will discuss problems with accepting publicly available yara rules into your own tools and environment, and share code with mitigating these issues.

I used to work as Security Engineer on an external security assessment team for CBTS, and currently work for General Electric - Power as a Lead Security Analyst out of Cincinnati.

Back to Derbycon 2016 video list

15 most recent posts on Irongeek.com:


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast