Skip to content

Latest commit

 

History

History
102 lines (63 loc) · 4.58 KB

README_en_us.md

File metadata and controls

102 lines (63 loc) · 4.58 KB

简体中文 | 繁體中文 | English

Huorong Advanced Threat Protection Rules

Status GitHub Issues GitHub Pull Requests License

Huorong Advanced Threat Protection Rules are written based on MITRE ATT&CK™ and malware behavioral characteristics. It can detect, block and intercept all kinds of malware, Advanced Persistent Threat (APT) attack vectors and attack paths, such as fileless attacks, exploit attacks, crypto-ransomware, etc. It is also highly scalable, maintainable and community developer friendly.

Install/Import Rules

Download the latest rule version, unzip the file to get Rule.json, Auto.json. Open the main interface of Huorong -> Protection Center -> Advanced Protection -> Custom Rules, click the switch to enable, click the item -> Enter the advanced protection settings, in the custom rule settings interface -> Import -> Select Rule.json and in the Automatic processing settings interface -> Import -> Select Auto.json.

Please manually delete the old rules and re-import them when you update to a new version.

Getting Started

Import the rules as shown in this figure.

To prevent false positives, some rules are not enabled by default, please read the rule document and then choose to enable them.

Rules Content

Rules Directory

All rules are located in the rules/ directory, with subfolders representing different rule groups, named after the threat category. Behavior descriptions/virus families are named, e.g. Exploit.MSOffice.

Each subdirectory contains the rule files rule.json, auto.json, which are the rule file for the current rule group and the corresponding auto processing file. Each rule is named after the current rule group group name + letter, e.g. Exploit.MSOffice.

The specific purpose of each rule can be found in README_en_us.md under each rule group folder, or in the root directory of Rules.

The directory structure is as follows

.
├── Classification.Description1
├── Classification.Description2
│   ├── rule.json
│   ├── auto.json
│   └── README.md
└── README.md

Build Scripts

Located in the scripts/ directory, it is used to automatically check the rule file format, export/merge all rule groups, generate rule description documents, etc. and is limited to this rule directory structure.

  • validate_rules.py - Validation rules file, based on this schema
usage: validate_rules.py [-h] --path PATH

optional arguments:
  -h, --help   show this help message and exit
  --path PATH  folder path to check
  • merge_rules.py - Combine rules into one file for easy import.
usage: merge_rules.py [-h] --path PATH --output OUTPUT

optional arguments:
  -h, --help       show this help message and exit
  --path PATH      rule folder path to merge
  --output OUTPUT  output folder path
  • md_parser. py - Generate rule files.
usage: md_parser.py [-h] --path PATH

optional arguments:
  -h, --help   show this help message and exit
  --path PATH  rule folder path to generate markdown

Changelog

See the release log for details

TO-DO: Add changelog.md

Feedback/Contribution

Make sure you read the contributing guidelines before opening Issues or PR.