Malware Detection

Castellan's YARA integration provides production-ready signature-based malware detection capabilities with enterprise-grade rule management, powered by native dnYara integration and a complete Tailwind Dashboard interface.

Features

Complete Rule Management

  • Full CRUD Operations - Create, read, update, delete malware detection rules via REST API and React UI
  • Advanced Rule Configuration - Editable rule source URLs with dynamic add/remove functionality
  • Auto-Update Management - Configurable frequency and automatic rule import scheduling
  • Real Import Processing - Actual rule import execution with accurate result reporting
  • Tailwind Dashboard Interface - Complete web UI for rule management with advanced filtering
  • Real-time Validation - Native dnYara compilation and syntax validation
  • Categorization - Organize rules by type (Malware, Ransomware, Trojan, Backdoor, etc.)
  • MITRE ATT&CK Mapping - Associate rules with MITRE techniques for threat intelligence
  • Performance Metrics - Track rule execution time, hit count, and false positives
  • Match History - Complete audit trail of all detections with detailed analysis

Native dnYara Integration

  • Real Malware Scanning - Native YARA library integration with dnYara 2.1.0
  • Thread-Safe Operations - Concurrent rule compilation and scanning
  • Performance Optimized - Persistent YaraContext with efficient rule compilation
  • Memory Management - Proper resource disposal and cleanup
  • Error Handling - Comprehensive exception handling and logging

Enterprise Security & Storage

  • Thread-Safe Storage - Concurrent access with file-based JSON persistence
  • JWT Authentication - Secure API access with token-based authentication
  • Real-time Validation - Native malware detection rule compilation and syntax checking
  • False Positive Tracking - Record and manage false positive incidents
  • Audit Trail - Complete logging of all rule operations and detections

API Endpoints

Rule Management

GET    /api/malware-rules                    # List all rules (with pagination)
POST   /api/malware-rules                    # Create new rule
GET    /api/malware-rules/{id}               # Get specific rule
PUT    /api/malware-rules/{id}               # Update rule
DELETE /api/malware-rules/{id}               # Delete rule

Query & Filter

GET    /api/malware-rules?category=Malware           # Filter by category
GET    /api/malware-rules?tag=ransomware             # Filter by tag
GET    /api/malware-rules?mitreTechnique=T1059.001   # Filter by MITRE technique
GET    /api/malware-rules?enabled=true               # Filter enabled rules only
GET    /api/malware-rules?page=2&limit=20            # Pagination support

Utility Endpoints

GET    /api/malware-rules/categories         # List available categories
POST   /api/malware-rules/test               # Test rule against content
POST   /api/malware-rules/{id}/false-positive # Report false positive
GET    /api/malware-rules/{id}/matches       # Get rule match history

Configuration

Malware detection rules and their match history are stored in JSON format at:

<worker-directory>/data/yara/rules.json
<worker-directory>/data/yara/matches.json

Rule Categories

  • Malware - General malware detection
  • Ransomware - Ransomware-specific rules
  • Trojan - Trojan horse malware
  • Backdoor - Backdoor and remote access tools
  • Webshell - Web shell detection
  • Cryptominer - Cryptocurrency mining malware
  • Exploit - Exploit detection rules
  • Suspicious - Suspicious behavior patterns
  • PUA - Potentially Unwanted Applications
  • Custom - User-defined categories

Usage Examples

Create a Malware Detection Rule

POST /api/malware-rules
{
  "name": "Suspicious_PowerShell_Commands",
  "description": "Detects suspicious PowerShell command patterns",
  "ruleContent": "rule Suspicious_PowerShell {\n  strings:\n    $a = \"Invoke-Expression\" nocase\n    $b = \"DownloadString\" nocase\n  condition:\n    any of them\n}",
  "category": "Malware",
  "author": "Security Team",
  "isEnabled": true,
  "priority": 75,
  "threatLevel": "High",
  "mitreTechniques": ["T1059.001"],
  "tags": ["powershell", "suspicious", "command-execution"]
}

Filter Rules by Category

GET /api/malware-rules?category=Ransomware&enabled=true

Test Rule Against Content

POST /api/malware-rules/test
{
  "ruleContent": "rule Test { strings: $a = \"malware\" condition: $a }",
  "testContent": "This content contains malware signatures"
}
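The three usage examples above can be driven from a small client. The following is an added example, not part of Castellan or its documentation: it performs the same field checks a caller would want before hitting POST /api/malware-rules (category and threat level from the lists in this README, MITRE technique ID format, a shallow YARA rule-header check; the real compilation happens server-side in dnYara), attaches the required Bearer token, and builds the exact payload shown above. The base URL, the token and the treatment of user-defined categories as the literal name "Custom" are assumptions.

```python
import json
import re
import urllib.request

# Categories and threat levels as listed in this README
CATEGORIES = {"Malware", "Ransomware", "Trojan", "Backdoor", "Webshell",
              "Cryptominer", "Exploit", "Suspicious", "PUA", "Custom"}
THREAT_LEVELS = {"Critical", "High", "Medium", "Low"}
MITRE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")            # T1059 or T1059.001
RULE_HEADER = re.compile(r"\s*(?:private\s+|global\s+)*rule\s+\w+")

def build_rule_payload(name, description, rule_source, category, threat_level,
                       mitre_techniques=(), tags=(), author="Security Team", priority=50):
    """Client-side checks, then the JSON body for POST /api/malware-rules.
    Only a shallow header check is done here; the server compiles the rule with dnYara."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown category {category!r}")
    if threat_level not in THREAT_LEVELS:
        raise ValueError(f"unknown threat level {threat_level!r}")
    bad = [t for t in mitre_techniques if not MITRE_ID.match(t)]
    if bad:
        raise ValueError(f"malformed MITRE technique ids: {bad}")
    if not RULE_HEADER.match(rule_source):
        raise ValueError("ruleContent must begin with a YARA rule declaration")
    # The multi-line source is kept verbatim; json.dumps escapes newlines and quotes
    return {"name": name, "description": description, "ruleContent": rule_source,
            "category": category, "author": author, "isEnabled": True,
            "priority": priority, "threatLevel": threat_level,
            "mitreTechniques": list(mitre_techniques), "tags": list(tags)}

def post_json(base_url, path, body, jwt_token):
    """POST a JSON body with the Bearer token every endpoint requires; returns parsed JSON."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 data=json.dumps(body).encode("utf-8"),
                                 headers={"Content-Type": "application/json",
                                          "Authorization": f"Bearer {jwt_token}"},
                                 method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))

# Constructed sample: the rule from the usage example above, as a multi-line string
POWERSHELL_RULE = ("rule Suspicious_PowerShell {\n  strings:\n"
                   '    $a = "Invoke-Expression" nocase\n    $b = "DownloadString" nocase\n'
                   "  condition:\n    any of them\n}")

if __name__ == "__main__":
    payload = build_rule_payload("Suspicious_PowerShell_Commands", "Detects suspicious PowerShell command patterns",
                                 POWERSHELL_RULE, "Malware", "High", ["T1059.001"],
                                 ["powershell", "suspicious", "command-execution"], priority=75)
    print(json.dumps(payload, indent=2))
    # Live calls (placeholder base URL and token): post_json("http://localhost:5000", "/api/malware-rules", payload, "<jwt-token>")
    # then post_json(base, "/api/malware-rules/test", {"ruleContent": POWERSHELL_RULE, "testContent": "..."}, token)
```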

Tailwind Dashboard Interface

Malware Detection Rules Management (/malware-rules)

  • List View - Paginated rule listing with advanced filtering by category, threat level, validation status
  • Show View - Detailed rule information with syntax highlighting and performance metrics
  • Create View - New rule creation with validation and MITRE technique mapping
  • Edit View - Rule modification with real-time validation feedback
  • Visual Indicators - Color-coded threat levels and validation status chips

YARA Matches History (/yara-matches)

  • Detection Timeline - Chronological view of all YARA detections
  • Match Analysis - Detailed forensic information for each detection
  • String Matching - Hex/text analysis of matched patterns
  • Rule Correlation - Link detections back to specific malware detection rules
  • Performance Tracking - Scan duration and execution metrics

Key UI Features

  • Color-coded threat levels (Critical=Red, High=Orange, Medium=Blue, Low=Green)
  • Validation status indicators with success/error chips
  • MITRE ATT&CK technique integration with chip display
  • Performance metrics display (match count, execution time)
  • Monospace syntax highlighting for malware detection rule content
  • Advanced filtering by category, threat level, validation status

Rule Metrics

Each rule tracks comprehensive metrics:

  • Hit Count - Number of successful matches
  • False Positive Count - Reported false positives
  • Average Execution Time - Performance metrics from native scanning
  • Last Match - Timestamp of most recent match
  • Validation Status - Real-time dnYara compilation results
  • Version History - Rule modification tracking

Security Features

Authentication

All YARA API endpoints require JWT authentication:

Authorization: Bearer <jwt-token>

Validation

  • Syntax Validation - Basic malware detection rule syntax checking
  • Content Validation - Rule content and metadata validation
  • Permission Checks - Role-based access control

Audit Trail

  • Rule creation, modification, and deletion logging
  • Match result tracking with timestamps
  • False positive incident recording
  • Performance metric collection

Integration

Dependencies

<PackageReference Include="dnYara" Version="2.1.0" />
<PackageReference Include="dnYara.NativePack" Version="2.1.0.3" />

Service Registration

// Program.cs
builder.Services.AddSingleton<IYaraRuleStore, FileBasedYaraRuleStore>();

Production Status

  • Backend Integration: Native dnYara 2.1.0 with real malware scanning
  • Frontend Interface: Complete Tailwind Dashboard UI with advanced features
  • API Coverage: Full REST API for all YARA operations
  • Performance: Thread-safe, optimized scanning with metrics
  • Security: JWT authentication, audit trails, validation
  • Documentation: Comprehensive API and user documentation

Future Enhancements

  • Real-time Scanning - Integration with file system monitoring
  • Memory Scanning - Process memory analysis with malware detection rules
  • Pipeline Integration - Automatic rule execution on security events
  • Community Rules - Import/export capabilities for rule sharing
  • Bulk Operations - Import/export multiple rules

Resources