Creating Strings and Conditions in the YARA Rule Basic Editor
In your PhishER platform, you can use the Basic Editor to create strings and conditions for your rules. The strings and conditions that you create in the Basic Editor will determine which emails are detected by your rules. You will first create strings and then use those strings to create your conditions.
See the sections below to learn how to create strings and conditions in the Basic Editor. For more information about creating rules and YARA rules, see our How Do I Create a Rule and Action in PhishER? and How to Write YARA Rules articles.
Creating Strings in the Basic Editor
You can create a string by declaring a variable and then setting a value for that variable. In the Basic Editor, you only need to enter a value for the preset variables to create a string. When creating strings in the Basic Editor, be aware of the following requirements:
- Every string must have a value.
- You can only use ASCII characters when entering a value for a string.
- The strings are not case sensitive.
To create strings in the Basic Editor, follow the steps below:
- Log in to your PhishER platform.
- Navigate to PhishER > Rules.
- Click the New Rule button in the top-right corner of the page or select a rule from your Rules List. When you click the New Rule button, the Rule Details screen will open.
- Complete the top section of the Rule Details page. See our How Do I Create a Rule and Action in PhishER? article for more information.
- In the Create Strings section, enter a value for the string.
- (Optional) If you would like, click the globe icon to use a global variable. Once you click this icon, you can enter a value for the string. For more information about creating global variables, see the Global Variables section of our PhishER Product Manual.
- Click New String to add another string, if needed.
- If you added another string, enter a value for the new string.
- Repeat steps 4-7 until you have created all the strings that you need. You can create up to five strings per rule.
Creating Conditions in the Basic Editor
Once you have created at least one string, you can create conditions for your rule. Conditions express what information you want your rule to detect in emails forwarded to your PhishER inbox. When you create conditions for your rule, you can select from the three options below:
- Match any of the defined strings: Select this option to detect emails that match any of your defined strings.
- Match all of the defined strings: Select this option to detect emails that match all of your defined strings.
- Custom conditions: Select this option to detect emails that match your custom conditions. See the Creating Custom Conditions in the Basic Editor subsection below for more information.
Creating Custom Conditions in the Basic Editor
You can create up to five custom conditions per rule. To create custom conditions, you will write expressions using your strings and logical operators. You must use all of your strings when creating custom conditions.
To create a custom condition, follow the steps below:
- Make sure that you have completed the top section of the Rule Details page and created the strings needed for your custom conditions.
- In the Create Conditions section of the page, select Custom conditions.
- From the Choose string drop-down menu, select one of the strings you created.
- To add another string to the condition, select Add.
- From the drop-down menu that opens, select one of the following options:
  - Select and if the rule should detect emails that match both strings.
  - Select or if the rule should detect emails that match either string or both strings.
  - Select and not if the rule should detect emails that match the existing string but do not match the string being added.
- After you have chosen an option from the Add drop-down menu, the Choose string drop-down menu will display. From this drop-down menu, select a string.
- Repeat steps 2 through 4 until you have added all the strings that you need for the condition.
After you have created your first condition, you can create up to four additional conditions for your rule. To create a new condition group, follow these steps:
- To add another condition group, click New Condition Group and then select one of the following options:
  - Select and if the rule should detect emails that match both conditions.
  - Select or if the rule should detect emails that match either or both conditions.
  - Select and not if the rule should detect emails that match the existing condition but do not match the condition you are adding.
- Select the appropriate strings and how they should relate to each other for the newly added condition group.
- Repeat steps 1 and 2 until you have added all the conditions that you need for the rule.
Example Custom Conditions
See the screenshot below for an example of custom conditions. In this example, three strings were created: “.pdf”, “.htm”, and “.exe”. The three strings were then used to create two custom conditions that must be met for an email to be detected by the rule. An email would need to either include both “.pdf” and “.htm” or include “.exe” to be detected by this rule.
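The following is an added example, not PhishER's own code, that models how the strings and condition choices described above (the Match any / Match all presets, custom condition groups joined with and, or, and and not, and the (".pdf" and ".htm") or ".exe" example) combine into YARA rule text, together with a minimal matcher that evaluates the same logic over constructed sample emails. It assumes, since the page does not say, that generated string variables are named $s1..$s5 and carry the nocase ascii modifiers (the page states strings are ASCII-only and not case sensitive), and that terms within a group combine left to right. The string-count, condition-count, empty-value, ASCII-only and use-every-string requirements are the ones the page lists.

```python
# Added example, not PhishER's code: model of Basic Editor strings/conditions
# rendered as YARA text, plus a minimal matcher for the same logic.
# Assumed (not on the page): variables $s1..$s5, `nocase ascii` modifiers,
# left-to-right combination of terms inside a condition group.

MAX_STRINGS = 5      # page: up to five strings per rule
MAX_CONDITIONS = 5   # page: up to five custom conditions per rule
OPERATORS = ("and", "or", "and not")  # the editor's Add / New Condition Group choices


def validate_strings(strings):
    """Enforce the string requirements listed on the page."""
    if not 1 <= len(strings) <= MAX_STRINGS:
        raise ValueError(f"need 1 to {MAX_STRINGS} strings, got {len(strings)}")
    for s in strings:
        if not s:
            raise ValueError("every string must have a value")
        if not s.isascii():
            raise ValueError(f"only ASCII characters are allowed: {s!r}")
    return strings


def _fold(first, rest, combine):
    """Combine `first` with each (operator, term) in `rest`, left to right."""
    acc = first
    for op, term in rest:
        if op not in OPERATORS:
            raise ValueError(f"unknown operator {op!r}")
        acc = combine(acc, op, term)
    return acc


def custom_condition_text(strings, conditions):
    """Render custom conditions as a YARA boolean expression.
    conditions: [(operator, group), ...]; the first operator is ignored.
    group: [first_index, (operator, index), ...] with 1-based string numbers."""
    if not 1 <= len(conditions) <= MAX_CONDITIONS:
        raise ValueError(f"need 1 to {MAX_CONDITIONS} conditions, got {len(conditions)}")
    used = set()

    def var(i):
        if not 1 <= i <= len(strings):
            raise ValueError(f"no string number {i}")
        used.add(i)
        return f"$s{i}"

    def join(acc, op, term):            # parentheses make the grouping explicit
        return f"({acc} {op} {term})"

    groups = [_fold(var(g[0]), [(op, var(i)) for op, i in g[1:]], join) for _, g in conditions]
    expr = _fold(groups[0], [(op, t) for (op, _), t in zip(conditions[1:], groups[1:])], join)
    if used != set(range(1, len(strings) + 1)):
        raise ValueError("custom conditions must use every defined string")
    return expr


def to_yara(name, strings, mode, conditions=()):
    """Render the editor's choices (mode: 'any', 'all' or 'custom') as YARA source."""
    validate_strings(strings)
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(strings, 1):
        escaped = s.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{escaped}" nocase ascii')
    lines.append("    condition:")
    if mode == "any":
        lines.append("        any of them")
    elif mode == "all":
        lines.append("        all of them")
    elif mode == "custom":
        lines.append("        " + custom_condition_text(strings, conditions))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    lines.append("}")
    return "\n".join(lines)


def evaluate(strings, mode, email_text, conditions=()):
    """Minimal matcher: case-insensitive substring hits combined like the rule."""
    validate_strings(strings)
    text = email_text.lower()
    hit = {i: s.lower() in text for i, s in enumerate(strings, 1)}
    if mode == "any":
        return any(hit.values())
    if mode == "all":
        return all(hit.values())
    if mode != "custom":
        raise ValueError(f"unknown mode {mode!r}")
    custom_condition_text(strings, conditions)   # reuse its validation

    def combine(acc, op, val):
        if op == "and":
            return acc and val
        if op == "or":
            return acc or val
        return acc and not val                   # "and not"

    groups = [_fold(hit[g[0]], [(op, hit[i]) for op, i in g[1:]], combine) for _, g in conditions]
    return _fold(groups[0], [(op, v) for (op, _), v in zip(conditions[1:], groups[1:])], combine)


# The page's example: (".pdf" and ".htm") or ".exe"
EXAMPLE_STRINGS = [".pdf", ".htm", ".exe"]
EXAMPLE_CONDITIONS = [(None, [1, ("and", 2)]), ("or", [3])]

# Constructed sample emails, not from the page
SAMPLE_EMAILS = {
    "pdf_and_htm": "Please review Invoice.PDF and fill in the attached form.htm",
    "exe_only": "Download setup.exe to install the update",
    "pdf_only": "The quarterly report.pdf is attached",
    "no_match": "The meeting has moved to Thursday",
}


def example_results(mode="custom"):
    """Evaluate every sample email against the example rule in the given mode."""
    return {k: evaluate(EXAMPLE_STRINGS, mode, v, EXAMPLE_CONDITIONS) for k, v in SAMPLE_EMAILS.items()}


if __name__ == "__main__":
    print(to_yara("Attachment_Types", EXAMPLE_STRINGS, "custom", EXAMPLE_CONDITIONS))
    for m in ("any", "all", "custom"):
        print(m, example_results(m))
```

Running the block prints the rendered rule with the condition `(($s1 and $s2) or $s3)` and shows that only the first two sample emails are detected in custom mode, while Match any also catches the pdf-only email and Match all catches none of them. The explicit parentheses matter: in YARA `and` binds tighter than `or`, so writing the groups out in parentheses keeps the rule's meaning identical to the grouping chosen in the editor.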