WEBVTT

1
00:00:00.090 --> 00:00:04.260
<v ->In this lesson, we will learn about rule-based languages.</v>

2
00:00:04.260 --> 00:00:06.330
Rule-based languages are used

3
00:00:06.330 --> 00:00:08.880
to create patterns and detection rules

4
00:00:08.880 --> 00:00:11.850
to identify specific malicious activities

5
00:00:11.850 --> 00:00:15.120
or behaviors within systems and networks.

6
00:00:15.120 --> 00:00:18.570
Rule-based language examples include Sigma,

7
00:00:18.570 --> 00:00:22.800
Yet Another Recursive Algorithm or YARA, and Rita.

8
00:00:22.800 --> 00:00:25.770
Sigma is a generic rule-based language

9
00:00:25.770 --> 00:00:28.290
for defining security event patterns

10
00:00:28.290 --> 00:00:30.300
across multiple platforms.

11
00:00:30.300 --> 00:00:33.392
YARA is designed to help researchers identify

12
00:00:33.392 --> 00:00:35.310
and classify malware

13
00:00:35.310 --> 00:00:38.250
by defining specific patterns in files.

14
00:00:38.250 --> 00:00:40.800
Rita is an open-source framework

15
00:00:40.800 --> 00:00:43.650
used for detecting network anomalies,

16
00:00:43.650 --> 00:00:47.430
and Snort is an open-source network intrusion detection

17
00:00:47.430 --> 00:00:50.940
and prevention system that analyzes network traffic

18
00:00:50.940 --> 00:00:54.990
in real time to detect and block malicious activity

19
00:00:54.990 --> 00:00:59.220
using a set of predefined rules and signatures.

20
00:00:59.220 --> 00:01:01.020
Let's learn more about Sigma,

21
00:01:01.020 --> 00:01:05.760
Yet Another Recursive Algorithm, or YARA, Rita, and Snort.

22
00:01:05.760 --> 00:01:07.560
First, we have Sigma.

23
00:01:07.560 --> 00:01:11.040
Sigma is a generic rule-based language designed

24
00:01:11.040 --> 00:01:13.620
for defining security event patterns

25
00:01:13.620 --> 00:01:17.730
across multiple platforms like security information

26
00:01:17.730 --> 00:01:20.490
and event management systems or SIEMs.

27
00:01:20.490 --> 00:01:23.910
The flexibility of Sigma allows security teams

28
00:01:23.910 --> 00:01:27.720
to write rules that can be used in different platforms

29
00:01:27.720 --> 00:01:31.560
without needing to rewrite them for each specific tool.

30
00:01:31.560 --> 00:01:34.680
In an enterprise, Sigma helps create alerts

31
00:01:34.680 --> 00:01:37.170
based on defined malicious behavior,

32
00:01:37.170 --> 00:01:40.050
making it a valuable tool for threat hunting

33
00:01:40.050 --> 00:01:41.730
and incident response.

34
00:01:41.730 --> 00:01:44.761
Sigma rules are written in a YAML format,

35
00:01:44.761 --> 00:01:47.790
making them easy to read and share.

36
00:01:47.790 --> 00:01:49.980
For example, a Sigma rule

37
00:01:49.980 --> 00:01:52.950
could detect a suspicious process creation

38
00:01:52.950 --> 00:01:56.160
across any SIEM that supports Sigma,

39
00:01:56.160 --> 00:01:58.200
or Sigma could be used to look

40
00:01:58.200 --> 00:02:00.330
for specific malicious behavior

41
00:02:00.330 --> 00:02:02.640
such as the "whoami" command.

42
00:02:02.640 --> 00:02:05.700
The "whoami" command is often used by attackers

43
00:02:05.700 --> 00:02:09.150
during the reconnaissance phase to check the privileges

44
00:02:09.150 --> 00:02:13.350
of the compromised user and determine their next steps,

45
00:02:13.350 --> 00:02:15.600
such as escalating privileges.

46
00:02:15.600 --> 00:02:18.630
Its execution in an unusual context

47
00:02:18.630 --> 00:02:21.480
can indicate an attacker probing the system

48
00:02:21.480 --> 00:02:23.700
to tailor their attack strategy,

49
00:02:23.700 --> 00:02:27.780
making it a useful indicator for early threat detection.

50
00:02:27.780 --> 00:02:31.524
Coming up on the screen is an example of a Sigma rule

51
00:02:31.524 --> 00:02:34.254
to detect a command line execution

52
00:02:34.254 --> 00:02:36.810
of the command "whoami."

53
00:02:36.810 --> 00:02:39.180
As written, this rule will trigger

54
00:02:39.180 --> 00:02:43.470
when the command line event contains the text "whoami."

55
00:02:43.470 --> 00:02:47.520
The rule would be implemented by deploying it within a SIEM

56
00:02:47.520 --> 00:02:50.490
that supports Sigma, allowing the system

57
00:02:50.490 --> 00:02:53.940
to continuously monitor process creation logs

58
00:02:53.940 --> 00:02:57.090
for instances of the "whoami" command.

59
00:02:57.090 --> 00:03:00.240
Once detected, the SIEM would trigger an alert

60
00:03:00.240 --> 00:03:03.180
enabling security teams to investigate

61
00:03:03.180 --> 00:03:06.510
potential reconnaissance activity by an attacker.

62
00:03:06.510 --> 00:03:10.980
Second, we have Yet Another Recursive Acronym or YARA.

63
00:03:10.980 --> 00:03:15.360
YARA is a rule-based language designed to help identify

64
00:03:15.360 --> 00:03:20.360
and classify malware by defining specific patterns in files.

65
00:03:20.400 --> 00:03:23.556
It is particularly useful for malware researchers

66
00:03:23.556 --> 00:03:26.610
who need to scan files or processes

67
00:03:26.610 --> 00:03:28.770
to detect malicious software.

68
00:03:28.770 --> 00:03:30.540
In an enterprise setting,

69
00:03:30.540 --> 00:03:33.390
YARA is commonly used in threat hunting,

70
00:03:33.390 --> 00:03:36.210
or during incident response to scan

71
00:03:36.210 --> 00:03:39.030
for malicious malware across endpoints

72
00:03:39.030 --> 00:03:42.120
or in files stored on servers.

73
00:03:42.120 --> 00:03:44.880
It helps security teams write rules

74
00:03:44.880 --> 00:03:49.200
to match malware families based on strings, file sizes,

75
00:03:49.200 --> 00:03:52.260
or byte sequences, allowing enterprises

76
00:03:52.260 --> 00:03:54.720
to automate malware detection.

77
00:03:54.720 --> 00:03:57.339
Coming up on the screen is a YARA rule

78
00:03:57.339 --> 00:04:00.992
used to detect suspicious strings in files.

79
00:04:00.992 --> 00:04:05.139
This YARA rule checks for multiple suspicious strings

80
00:04:05.139 --> 00:04:09.390
such as "whoami," "hostname," and "netstat,"

81
00:04:09.390 --> 00:04:12.870
often used in the initial stages of an attack

82
00:04:12.870 --> 00:04:15.000
to gather system information.

83
00:04:15.000 --> 00:04:17.760
This rule would be implemented by deploying it

84
00:04:17.760 --> 00:04:20.310
within an endpoint detection system

85
00:04:20.310 --> 00:04:23.981
or by running it manually across file repositories

86
00:04:23.981 --> 00:04:26.400
on servers or workstations.

87
00:04:26.400 --> 00:04:30.390
If any of the suspicious strings were found in a file,

88
00:04:30.390 --> 00:04:31.920
the rule would be triggered,

89
00:04:31.920 --> 00:04:35.070
indicating that the file may contain reconnaissance

90
00:04:35.070 --> 00:04:39.360
or system-probing commands typically used by attackers.

91
00:04:39.360 --> 00:04:41.280
Third, we have Rita.

92
00:04:41.280 --> 00:04:44.010
Rita is an open-source framework designed

93
00:04:44.010 --> 00:04:48.000
to detect network anomalies and is particularly helpful

94
00:04:48.000 --> 00:04:51.600
for identifying unusual behavior like beaconing,

95
00:04:51.600 --> 00:04:54.648
which is often associated with malware communication

96
00:04:54.648 --> 00:04:57.450
to a command and control server.

97
00:04:57.450 --> 00:05:01.590
Rita helps enterprises detect anomalous traffic patterns

98
00:05:01.590 --> 00:05:05.165
within their networks by analyzing network flow data

99
00:05:05.165 --> 00:05:09.210
and identifying deviations from normal behavior.

100
00:05:09.210 --> 00:05:11.970
It can also help identify hidden threats

101
00:05:11.970 --> 00:05:15.617
that may go unnoticed by traditional security tools

102
00:05:15.617 --> 00:05:18.862
by focusing on unusual communications,

103
00:05:18.862 --> 00:05:23.862
allowing teams to take action before serious damage occurs.

104
00:05:24.270 --> 00:05:28.290
To do this, Rita integrates with network monitoring tools

105
00:05:28.290 --> 00:05:31.050
like Zeek, formerly called Bro,

106
00:05:31.050 --> 00:05:33.720
which captures detailed network activity

107
00:05:33.720 --> 00:05:35.850
and logs it for analysis.

108
00:05:35.850 --> 00:05:38.580
Rita then processes these logs

109
00:05:38.580 --> 00:05:41.100
to identify suspicious patterns

110
00:05:41.100 --> 00:05:43.410
such as long-running connections

111
00:05:43.410 --> 00:05:46.350
where attackers maintain persistent connections

112
00:05:46.350 --> 00:05:49.834
to compromised systems, or DNS tunneling

113
00:05:49.834 --> 00:05:54.360
where attackers exfiltrate data using DNS queries.

114
00:05:54.360 --> 00:05:57.479
Rita can also detect beaconing behavior

115
00:05:57.479 --> 00:06:00.240
where malware communicates with a command

116
00:06:00.240 --> 00:06:03.360
and control server at regular intervals.

117
00:06:03.360 --> 00:06:07.320
So by analyzing network traffic over time,

118
00:06:07.320 --> 00:06:11.220
Rita helps enterprises uncover stealthy attacks

119
00:06:11.220 --> 00:06:13.320
like advanced persistent threats

120
00:06:13.320 --> 00:06:16.110
or malware that operates covertly,

121
00:06:16.110 --> 00:06:18.913
making it a great tool for detecting threats

122
00:06:18.913 --> 00:06:22.200
that evade traditional security measures.

123
00:06:22.200 --> 00:06:26.430
Enterprises can even automate the detections with Rita,

124
00:06:26.430 --> 00:06:30.150
integrating it into their incident response workflows

125
00:06:30.150 --> 00:06:32.310
to quickly act on threats.

126
00:06:32.310 --> 00:06:35.700
Fourth and last, we have Snort.

127
00:06:35.700 --> 00:06:39.690
Snort is an open-source intrusion detection system

128
00:06:39.690 --> 00:06:41.840
and intrusion prevention system

129
00:06:41.840 --> 00:06:44.940
that uses rule-based detection

130
00:06:44.940 --> 00:06:48.660
to analyze network traffic in real time.

131
00:06:48.660 --> 00:06:52.411
Snort allows enterprises to monitor and respond

132
00:06:52.411 --> 00:06:54.738
to suspicious network activity

133
00:06:54.738 --> 00:06:59.580
by applying a set of predefined or custom rules.

134
00:06:59.580 --> 00:07:03.071
These rules define patterns of malicious traffic,

135
00:07:03.071 --> 00:07:07.050
such as port scans, malware payloads,

136
00:07:07.050 --> 00:07:10.230
or attempts to exploit vulnerabilities.

137
00:07:10.230 --> 00:07:15.230
In an enterprise, Snort is often used as a frontline defense

138
00:07:15.420 --> 00:07:18.857
monitoring incoming and outgoing network traffic

139
00:07:18.857 --> 00:07:21.600
for any signs of attacks,

140
00:07:21.600 --> 00:07:24.326
and blocking or alerting administrators

141
00:07:24.326 --> 00:07:26.700
when a threat is detected.

142
00:07:26.700 --> 00:07:31.530
Snort can work alongside Sigma, YARA, and Rita.

143
00:07:31.530 --> 00:07:34.170
For example, you could write a Snort rule

144
00:07:34.170 --> 00:07:37.170
that monitors network traffic for attempts

145
00:07:37.170 --> 00:07:40.410
to exploit the Shellshock vulnerability,

146
00:07:40.410 --> 00:07:44.430
which is commonly used in remote code execution attacks.

147
00:07:44.430 --> 00:07:47.280
The rule that you would write might look something

148
00:07:47.280 --> 00:07:49.440
like what appears on the screen.

149
00:07:49.440 --> 00:07:53.880
This Snort rule monitors incoming TCP traffic

150
00:07:53.880 --> 00:07:56.070
from any external network

151
00:07:56.070 --> 00:08:00.810
to the internal network on port 80 hosting HTTP.

152
00:08:01.770 --> 00:08:03.540
This rule triggers an alert

153
00:08:03.540 --> 00:08:05.705
if it detects the specific string,

154
00:08:05.705 --> 00:08:09.696
open and closed parentheses, open curly bracket,

155
00:08:09.696 --> 00:08:13.350
colon, semicolon, and closed curly bracket

156
00:08:13.350 --> 00:08:17.040
in the HTTP headers, which is a signature

157
00:08:17.040 --> 00:08:21.180
of the Shellshock vulnerability exploitation attempt.

158
00:08:21.180 --> 00:08:23.730
This rule is designed to detect and alert

159
00:08:23.730 --> 00:08:26.610
on potential remote code execution attacks

160
00:08:26.610 --> 00:08:28.590
targeting vulnerable systems.

161
00:08:28.590 --> 00:08:30.120
Snort integrates well

162
00:08:30.120 --> 00:08:33.120
into enterprise security infrastructures

163
00:08:33.120 --> 00:08:36.930
providing network layer detection and prevention.

164
00:08:36.930 --> 00:08:41.337
Snort can monitor real-time traffic for exploit attempts

165
00:08:41.337 --> 00:08:44.866
while Sigma and YARA might detect malicious behavior

166
00:08:44.866 --> 00:08:48.840
or indicators of compromise at the system level.

167
00:08:48.840 --> 00:08:52.680
So remember, rule-based languages are used

168
00:08:52.680 --> 00:08:54.900
to define detection patterns

169
00:08:54.900 --> 00:08:57.360
for identifying malicious activities

170
00:08:57.360 --> 00:08:59.580
within systems and networks.

171
00:08:59.580 --> 00:09:02.689
Sigma helps define security event patterns

172
00:09:02.689 --> 00:09:06.192
across multiple platforms, allowing enterprises

173
00:09:06.192 --> 00:09:09.570
to create alerts for suspicious behavior.

174
00:09:09.570 --> 00:09:13.380
YARA is used to identify and classify malware

175
00:09:13.380 --> 00:09:17.850
by creating rules based on specific patterns found in files,

176
00:09:17.850 --> 00:09:21.360
making it particularly useful for malware detection.

177
00:09:21.360 --> 00:09:24.360
Next, Rita detects network anomalies,

178
00:09:24.360 --> 00:09:28.429
helping enterprises identify unusual traffic patterns

179
00:09:28.429 --> 00:09:31.440
that might indicate hidden attacks.

180
00:09:31.440 --> 00:09:35.640
Finally, Snort is an open-source intrusion detection

181
00:09:35.640 --> 00:09:39.360
and prevention system that analyzes network traffic

182
00:09:39.360 --> 00:09:42.700
in real time, applying predefined rules

183
00:09:42.700 --> 00:09:46.923
to block or alert on suspicious activity.

