Add custom content rules
Deep Security Smart Check ships with a built-in collection of rules that detect some common items that should never be included in images. You can also write your own content rules, using the YARA language.
Individual rules are bundled into rulesets, and rulesets are grouped in collections. Deep Security Smart Check can have only one active collection at a time, so you can either add new rulesets to the default Deep Security Smart Check Collection, or create a new collection to use instead. Within a collection, you can enable or disable individual rulesets.
You can use the UI or the API to manage collections and rulesets. The UI method is described below. For information on using the API, read the API reference documentation.
Use the UI to manage ruleset collections
Create a new ruleset collection
If you don't want to use the built-in Deep Security Smart Check Collection, you can make your own collection.
- On the left side of the Smart Check administrator console, click Content Rules.
- On the Content Rules page, click + CREATE.
- In the pop-up that appears, enter a name for the new collection and click ADD. A new, empty ruleset collection appears on the Content Rules page.
- Add some rulesets to the collection, and enable those rulesets.
- When you're ready to begin using the new collection, click the icon to activate the collection. This also deactivates any other collections.
Change the name of a ruleset collection
- On the Content Rules page, click the icon for the ruleset collection that you want to rename.
- In the pop-up that appears, edit the name and click UPDATE.
Add rulesets to a collection
- On the Content Rules page, click the icon in the ruleset collection where you want to add the ruleset.
- In the pop-up that appears:
  - Enter a name for the ruleset.
  - The ruleset is enabled by default; slide the toggle if you want to disable it.
  - Add the rule files by dragging and dropping them, or by clicking in the area provided. Each file can be a maximum of 8 KB.
  - Click ADD.
Rule examples
Check file permissions
You can create custom rules that check file permissions by examining the value of the filemode external variable.

    rule suid
    {
        meta:
            severity = "medium"
            description = "Found a file with the setuid bit set. If your environment drops the CAP_SETUID capability then this is not an issue."
        condition:
            (filemode & 2048) > 0 // 04000 = suid
    }

    rule sgid
    {
        meta:
            severity = "medium"
            description = "Found a file with the setgid bit set. If your environment drops the CAP_SETGID capability then this is not an issue."
        condition:
            (filemode & 1024) > 0 // 02000 = sgid
    }
Set rule severity and description
When Deep Security Smart Check finds content that matches your rule, it reports a finding. You can control the severity and description of the finding using the rule metadata.
For example, this rule searches for a specific file based on its SHA-256 hash. If Deep Security Smart Check finds the file, it reports a critical finding with the description Found nyan cat.

    import "hash"

    rule NyanCat
    {
        meta:
            severity = "critical"
            description = "Found nyan cat"
        condition:
            hash.sha256(0, filesize) == "7a05d5984a34ac3372959ef1c4f465681a6dd4f80f4d4a8fbd2be56b81e2f2e0"
    }
Deep Security Smart Check supports the following severity values:
- defcon1
- critical
- high
- medium
- low
- negligible
- unknown

If you do not provide a severity value, or if the value you provide is not recognized, Deep Security Smart Check will use unknown.
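The following ruleset, added here as an example and not taken from the Smart Check documentation, combines the filemode checks from the previous section with the severity values listed above: it factors the mode-bit tests into private rules (which YARA does not report on their own) and raises the severity when a world-writable file also carries a setuid or setgid bit. It assumes filemode holds the standard POSIX permission bits as a decimal integer, as the page's suid and sgid rules do, and that Smart Check accepts private rules.

```yara
// Added example; not part of the Smart Check documentation.
// Assumes filemode is the POSIX mode as an integer (e.g. 04755 == 2541).

private rule setuid_bit
{
    condition:
        (filemode & 2048) > 0   // 04000 = setuid
}

private rule setgid_bit
{
    condition:
        (filemode & 1024) > 0   // 02000 = setgid
}

private rule world_writable
{
    condition:
        (filemode & 2) > 0      // 00002 = write permission for "other"
}

rule world_writable_file
{
    meta:
        severity = "low"
        description = "Found a world-writable file. Any process in the container can modify it."
    condition:
        world_writable and not setuid_bit and not setgid_bit
}

rule world_writable_privileged_binary
{
    meta:
        severity = "critical"
        description = "Found a world-writable file with the setuid or setgid bit set. Any process can replace a file that runs with elevated privileges."
    condition:
        world_writable and (setuid_bit or setgid_bit)
}
```

Only the two public rules produce findings; a file matching world_writable_privileged_binary is not also reported by world_writable_file, so each file yields a single finding at the appropriate severity.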
Reference
See the YARA documentation for more details on writing rules.
Limitations
Deep Security Smart Check does not currently include support for the cuckoo and magic modules.