
Create custom content rules

Geoff Baskwill edited this page Jun 3, 2019 · 1 revision

You can write your own content rules for Deep Security Smart Check to detect content that should not be in your images.

You write content rules in the YARA language and have access to the default set of YARA modules (with the exceptions noted under Limitations below).

Manage ruleset collections

Deep Security Smart Check ships with a built-in collection of rules that detect some common items that should never be included in images. Individual rules are bundled into rulesets, and rulesets are grouped in collections.

You can add your own rulesets to the built-in collection or you can create your own collection if you don't want to use the built-in rules.

There can be only one active ruleset collection at any time. If you set a collection to be active, then the currently-active collection will be deactivated.

Within a ruleset collection, you can disable and re-enable individual rulesets.

You can use the API or the UI to manage collections and rulesets.

Use the API to manage ruleset collections

Read the API reference documentation to learn how to manage ruleset collections.

Use the UI to manage ruleset collections

Use the Content Rules section of the Deep Security Smart Check user interface to manage ruleset collections.

Set rule severity and description

When Deep Security Smart Check finds content that matches your rule, it will report a finding. You can control the severity and description of the finding using the rule metadata.

For example, this rule searches for a specific file based on its SHA-256 hash. If Deep Security Smart Check finds the file, it will report a critical finding with the description "Found nyan cat".

// The hash module provides hash.sha256() and must be imported explicitly.
import "hash"

rule NyanCat
{
    // Metadata that Deep Security Smart Check reads when it reports the finding.
    meta:
        severity = "critical"
        description = "Found nyan cat"

    // Match when the SHA-256 of the whole file equals the known digest.
    condition:
        hash.sha256(0, filesize) == "7a05d5984a34ac3372959ef1c4f465681a6dd4f80f4d4a8fbd2be56b81e2f2e0"
}

Deep Security Smart Check supports the following severity values:

  • defcon1
  • critical
  • high
  • medium
  • low
  • negligible
  • unknown

If you do not provide a severity value or the value you provide is not recognized, Deep Security Smart Check will use unknown.
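The following ruleset is an added example and is not part of the Deep Security Smart Check documentation. It shows how several rules in one file can carry different severity values, how string and regular-expression conditions work alongside the hash module shown above, and what happens when the severity metadata is missing or unrecognized. The rule names, the string patterns, the placeholder hash and the file-size threshold are all assumptions chosen for illustration.

```yara
// Added example ruleset (not from the Deep Security Smart Check documentation).
// Rule names, patterns, the placeholder hash and size limits are constructed.
import "hash"

// Private key material baked into an image layer: report as critical.
rule EmbeddedPrivateKey
{
    meta:
        severity = "critical"
        description = "PEM-encoded private key found in image"

    strings:
        $rsa = "-----BEGIN RSA PRIVATE KEY-----"
        $ec  = "-----BEGIN EC PRIVATE KEY-----"
        $pk8 = "-----BEGIN PRIVATE KEY-----"
        $ssh = "-----BEGIN OPENSSH PRIVATE KEY-----"

    condition:
        // Keys are small text files; skipping large binaries keeps the scan cheap.
        filesize < 64KB and any of them
}

// A string shaped like a long-lived AWS access key ID (public "AKIA" + 16 chars
// format). Flagged high rather than critical because the secret half may be absent.
rule PossibleAwsAccessKeyId
{
    meta:
        severity = "high"
        description = "String matching the AWS access key ID format found in image"

    strings:
        $akid = /AKIA[0-9A-Z]{16}/

    condition:
        filesize < 1MB and $akid
}

// A specific known file identified by digest, as in the NyanCat rule above.
// The 64 zeros are an obvious placeholder, not a real digest.
rule KnownUnwantedFile
{
    meta:
        severity = "medium"
        description = "Known unwanted file found in image (placeholder digest)"

    condition:
        hash.sha256(0, filesize) == "0000000000000000000000000000000000000000000000000000000000000000"
}

// "sev1" is not one of the supported severity values, so Deep Security Smart
// Check reports this finding with severity "unknown". The same happens if the
// severity line is omitted entirely.
rule LeftoverCoreDump
{
    meta:
        severity = "sev1"
        description = "Core dump left in image"

    strings:
        // ELF magic at offset 0 plus the ET_CORE object type (4) at offset 16,
        // little-endian, which is how a Linux core file is identified.
        $elf = { 7F 45 4C 46 }

    condition:
        $elf at 0 and uint16(16) == 4
}
```

When adding a ruleset like this to a collection, keep the severity strings exactly as listed above; a typo such as "sev1" is not an error, it silently downgrades the finding to unknown, which is easy to miss when filtering results by severity.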

Reference

See the YARA documentation for more details on writing rules.

Limitations

Deep Security Smart Check does not currently include support for the cuckoo and magic modules.
