Creating a YARA ruleset

You can create a custom YARA ruleset to detect possible malware in the PE32 files on your front-end hosts.

To create a custom YARA ruleset, complete the following steps:
  1. Go to the Settings > Advanced > Custom YARA Rulesets page and select Create New Ruleset. The YARA Ruleset Creator page opens.
  2. On the YARA Ruleset Creator page, provide the following information:
    • Enable Ruleset: Select this option to enable the ruleset, or clear it to disable the ruleset after you have created a rule. When the ruleset is disabled, its rules are not used during indexing.
    • Select Ruleset: Click this option to open a ruleset definition file, which can contain one or more rules. The supported file types are .yar and .yara. The YARA ruleset file is displayed in the editor pane, where you can edit it further if needed.
    • Ruleset Name: The name of the ruleset. The name must be between 3 and 128 characters long, inclusive. Special characters and numbers can be used in the ruleset name. For more information about rule name restrictions, see the official YARA documentation.
    • Alert Severity: Select an alert severity from the dropdown list. The available options are:
      • Critical
      • High
      • Medium
      • Low
    Alternatively, instead of selecting a file, you can type the YARA ruleset text directly in the editor pane.
  3. After adding a YARA ruleset, click Verify to check the correctness of the rules you have created. If errors are reported, fix them and verify the ruleset again. When you develop the ruleset in the editor pane, you must verify it to avoid submitting a ruleset that contains errors.
  4. When the ruleset has been verified, click Submit Ruleset. If you selected a YARA ruleset from a file, the file is uploaded.

After you create at least one ruleset, IBM® Storage Defender Sentinel anomaly scan software indexes all PE32 files during the next indexing operation and checks them against the newly added YARA ruleset.
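A ruleset file of the kind you would select in step 2 or paste into the editor pane, as an added example that is not part of this documentation and not a ruleset shipped with IBM Storage Defender Sentinel. It contains two rules: a private helper that checks for a PE32 header using the standard PE format offsets, and a detection rule that flags a PE32 file containing a constructed marker string. The rule names, meta values and marker strings are assumptions made up for this example.

```yara
/*
  Constructed example ruleset (not from the product documentation).
  A ruleset file may contain several rules; this one has two.
*/

// Private rules can be referenced by other rules in the same file but
// never produce a match on their own. Offsets used here are standard
// PE format values: e_lfanew lives at 0x3C, the "PE\0\0" signature sits
// at e_lfanew, and the optional header magic follows 24 bytes later.
private rule Example_IsPE32
{
    condition:
        // "MZ" at offset 0, read as a little-endian 16-bit value
        uint16(0) == 0x5A4D
        // "PE\0\0" signature at the offset stored in e_lfanew
        and uint32(uint32(0x3C)) == 0x00004550
        // Optional header magic 0x10B marks a PE32 image (0x20B is PE32+)
        and uint16(uint32(0x3C) + 24) == 0x010B
}

rule Example_PE32_Suspicious_Marker
{
    meta:
        description = "Constructed example: PE32 file carrying an unusual embedded marker string"
        author      = "example (assumed)"
        // Meta fields are informational in YARA; the alert severity for
        // this ruleset is chosen from the Alert Severity list in the
        // YARA Ruleset Creator page, not from the rule text.

    strings:
        // Text marker, matched in ASCII and UTF-16LE, case-insensitive
        $marker_text = "EXAMPLE-MARKER-STRING" ascii wide nocase
        // Same idea expressed as a hex pattern ("EXAMPLE"), with a wildcard byte
        $marker_hex  = { 45 58 41 4D 50 ?? 45 }

    condition:
        Example_IsPE32 and any of ($marker*)
}
```

When you paste this into the editor pane, click Verify before submitting: the verifier reports syntax problems such as a missing closing brace or an undefined string identifier in the condition, which is the kind of error step 3 expects you to fix before the ruleset is used in indexing.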