Managing suspicious content

As an administrator, you can flag suspicious content by using the Suspect Content Management feature.

Yara rules

To flag suspicious content in the files that QRadar Incident Forensics recovers from network traffic, you can upload existing Yara rules. The uploaded rules are then run as custom rules on every recovered file.

Each Yara rule starts with the keyword rule followed by a rule identifier, optionally followed by a colon and one or more tags (for example, rule simple_forensics : qradar). The identifier is case-sensitive, can contain alphanumeric characters and underscores, and cannot start with a digit. The body of a rule can contain an optional meta section of descriptive key-value pairs and is composed of two main sections:
String definition
In the strings section, specify the strings that the rule searches for. Each string uses an identifier that consists of a dollar sign ($) followed by a sequence of alphanumeric characters and underscores. A string can be a text string in double quotation marks or a hex string in braces; a hex string can use the wildcard ?? for a byte that is allowed to vary, or a single ? for one nibble.
Condition
In the condition section, define the logic of the rule. The condition section must contain a Boolean expression over the defined strings; a file satisfies the rule when the expression is true. The expression can test whether a string is present ($str1), whether it starts at a particular offset ($str1 at 25), or how many times it occurs (#str1).
The following example shows a simple Yara rule that matches when str1 starts exactly at byte offset 25 (counted from 0) in the file:

rule simple_forensics : qradar
{
    meta:
        description = "Simple Yara rule."

    strings:
        $str1 = "pattern of interest"

    condition:
        $str1 at 25
}

The following example shows a more complex Yara rule that flags content that contains the hex sequence (?? matches any byte, and B? matches any byte whose high nibble is B) and that contains str1 more than three times, that is, at least four occurrences (#str1 > 3):

rule ibm_forensics : qradar
{
    meta:
        description = "Complex Yara rule."

    strings:
        $hex1 = {4D 2B 68 00 ?? 14 99 F9 B? 00 30 C1 8D}
        $str1 = "IBM Security!"

    condition:
        $hex1 and (#str1 > 3)
}
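
To check what the two conditions above actually match before you upload a rule, the following added example (not IBM's code and not part of the product) evaluates the same two rules in plain Python. It implements only what these rules use: text strings, hex strings with ?? and single-nibble wildcards, the at operator, and the # occurrence count. The sample file content that it builds is constructed for the example and is not a real capture; the helper names (hex_pattern_to_regex, offsets, make_sample) are the example's own.

```python
import re

# Added example, not IBM's code: a small evaluator for the two rules on this
# page, so that "$str1 at 25" and "#str1 > 3" can be tried against sample
# bytes. It is not a replacement for YARA; it covers only what these rules use.

STR1_SIMPLE = b"pattern of interest"               # $str1 in simple_forensics
HEX1 = "{4D 2B 68 00 ?? 14 99 F9 B? 00 30 C1 8D}"   # $hex1 in ibm_forensics
STR1_IBM = b"IBM Security!"                        # $str1 in ibm_forensics


def hex_pattern_to_regex(hex_pattern):
    """Translate a YARA hex string into a bytes regex.

    ?? matches any byte; B? and ?B match any byte with that high or low nibble.
    Jumps such as [2-4] are not handled (the rule on this page uses none).
    """
    parts = []
    for tok in hex_pattern.strip("{} \n").split():
        if tok == "??":
            parts.append(b".")
        elif "?" in tok:
            hi = None if tok[0] == "?" else int(tok[0], 16)
            lo = None if tok[1] == "?" else int(tok[1], 16)
            members = [b for b in range(256)
                       if (hi is None or b >> 4 == hi)
                       and (lo is None or b & 0xF == lo)]
            parts.append(b"[" + b"".join(re.escape(bytes([m])) for m in members) + b"]")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return b"".join(parts)


def offsets(data, pattern):
    """Every offset (overlapping matches included) at which the regex matches.

    This is the information behind YARA's @string and #string operators.
    """
    return [m.start() for m in re.finditer(b"(?=" + pattern + b")", data, re.DOTALL)]


def simple_forensics(data):
    """condition: $str1 at 25  (the string must start exactly at byte offset 25)."""
    return 25 in offsets(data, re.escape(STR1_SIMPLE))


def ibm_forensics(data):
    """condition: $hex1 and (#str1 > 3)  (hex sequence present, str1 at least four times)."""
    hex_hit = bool(offsets(data, hex_pattern_to_regex(HEX1)))
    return hex_hit and len(offsets(data, re.escape(STR1_IBM))) > 3


def make_sample(prefix_len=25, wild_byte=0xB7, str1_copies=4):
    """Constructed sample file (not a real capture): a zero-filled prefix, the
    first rule's string, the hex sequence with a chosen byte in the B? slot,
    then repeated copies of "IBM Security!"."""
    hex_bytes = bytes([0x4D, 0x2B, 0x68, 0x00, 0xAA, 0x14, 0x99, 0xF9,
                       wild_byte, 0x00, 0x30, 0xC1, 0x8D])
    return b"\x00" * prefix_len + STR1_SIMPLE + hex_bytes + STR1_IBM * str1_copies


if __name__ == "__main__":
    cases = [
        ("baseline", make_sample()),
        ("str1 shifted to offset 24", make_sample(prefix_len=24)),
        ("only three copies of str1", make_sample(str1_copies=3)),
        ("B? slot holds 0xC7 (high nibble not B)", make_sample(wild_byte=0xC7)),
    ]
    for label, data in cases:
        print(f"{label}: simple_forensics={simple_forensics(data)} "
              f"ibm_forensics={ibm_forensics(data)}")
```

The three negative cases show the details that are easy to get wrong when writing a condition: at requires the string to start at exactly that offset, #str1 > 3 needs four occurrences rather than three, and a nibble wildcard such as B? still pins the other nibble.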

After a Yara rule is uploaded, the decapper runs the uploaded rules against each file that it finds in a recovery or a PCAP upload. If a file contains matching content, a SuspectContent field is added under the Attributes tab of the document. The Suspect Content Description property is populated with the name of the matching rule and any tags that the rule declares after its identifier (qradar in the examples above).

Restriction: Implementation of Yara modules is not currently available, so rules that depend on an import statement (for example, import "pe") cannot be used.