RSA NetWitness Endpoint YARA Rules

Document created by Elena Komarova (Employee) on Jan 9, 2017. Last modified by Connor Mccarthy on Aug 8, 2018.
Version 9

Access Training

In order to register for a class, you need to first create an EMC account.

If you need further assistance, contact us.

Summary

The RSA NetWitness Endpoint YARA Rules on-demand learning provides an introduction to writing rules for RSA NetWitness Endpoint using YARA best practices.


Overview

This on-demand learning provides an introduction to writing rules for RSA NetWitness Endpoint using YARA. Students will gain familiarity with the YARA tool's syntax and functionality to write rules that optimize flexibility and minimize false positives.


Audience

All


Delivery Type

On-Demand Learning


Duration

1 hour


Prerequisite Knowledge / Skills

Students should have familiarity with:

  • Skills provided in the RSA NetWitness Endpoint Foundations course
  • Programming fundamentals
  • Knowledge of C programming and Perl-style regular expressions is desirable


Learning Objectives

Upon successful completion of this course, participants should be able to:

  • Describe what YARA is and how it is used in RSA NetWitness Endpoint
  • List the types of Indicators of Compromise used by RSA NetWitness Endpoint
  • List and describe common strains of malware
  • Use the various components that make up a YARA rule
  • Extract strings from malware samples for a basis of writing YARA rules
  • Write YARA rules that maximize the efficiency of the YARA engine, while reducing false positives
  • Research YARA rules from popular web sites
  • Integrate YARA rules with RSA NetWitness Endpoint
  • Automate YARA rule creation


Course Outline

  • Overview
    • Describe what YARA is and how YARA is used in RSA NetWitness Endpoint
    • Define the types of IIOCs
    • Define the most common strains of malware


  • YARA Rules
    • Write YARA rules using:
      • Meta
      • Strings
      • Conditions
    • Extract strings from a malware sample
    • Run YARA on the command line


  • Optimizing your Rule
    • Tips for writing YARA rules
    • Using Regular Expressions
    • filesize variable
    • include directives
    • Minimizing false positives
    • Performance considerations
    • Global and Private rules


  • Integrating YARA in RSA NetWitness Endpoint
    • Configure RSA NetWitness Endpoint to use your YARA rules


  • Additional Resources
    • Automate YARA rule generation
    • List resources for YARA software and documentation
