
Huorong Advanced Threat Protection Rules

Introduction

Huorong Advanced Threat Protection Rules are written based on MITRE ATT&CK™ and on the behavioral characteristics of malware. They can detect, block and intercept many kinds of malware as well as Advanced Persistent Threat (APT) attack vectors and attack paths, such as fileless attacks, exploit attacks and crypto-ransomware. The rule set is also designed to be scalable, maintainable and friendly to community developers.

Install/Import rules

Download the latest rule release and unzip it to obtain Rule.json and Auto.json. Then, in Huorong:

  • Open the main interface -> Protection Center -> Advanced Protection -> Custom Rules, and click the switch to enable custom rules.
  • Click the item to enter the advanced protection settings.
  • In the custom rule settings interface, choose Import and select Rule.json.
  • In the automatic processing settings interface, choose Import and select Auto.json.

When updating to a new version, manually delete the old rules first and then re-import the new ones; importing on top of an existing set leaves stale rules in place.

Beginner’s Guide

Import the rules as shown in this figure.

To limit false positives, some rules are not enabled by default. Read the description of each rule before deciding whether to enable it.

Rules Content

Rules Directory

All rules are located in the rules/ directory. Each subfolder is a rule group, named after the threat category followed by a behavior description or virus family, e.g. Exploit.MSOffice.

Each subdirectory contains two files, rule.json and auto.json: the rule file for that rule group and its corresponding automatic processing file. Individual rules are named with the rule group name plus a letter suffix, so rules in the group Exploit.MSOffice carry the Exploit.MSOffice prefix.

The specific purpose of each rule is documented in README_en_us.md inside each rule group folder, and summarized in the README in the root of the rules directory.

The directory structure is as follows:

.
├── Classification.Description1
├── Classification.Description2
│   ├── rule.json
│   ├── auto.json
│   └── README.md
└── README.md

Automation Scripts

The scripts in the scripts/ directory automatically check the rule file format, export and merge all rule groups, generate rule description documents, and so on. They assume the rule directory structure described above and will not work on other layouts.

  • validate_rules.py - Validate rule files against the project's schema.

usage: validate_rules.py [-h] --path PATH

optional arguments:
  -h, --help   show this help message and exit
  --path PATH  folder path to check

  • merge_rules.py - Combine all rule groups into one file for easy import.

usage: merge_rules.py [-h] --path PATH --output OUTPUT

optional arguments:
  -h, --help       show this help message and exit
  --path PATH      rule folder path to merge
  --output OUTPUT  output folder path

  • md_parser.py - Generate the Markdown rule description documents from the rule files.

usage: md_parser.py [-h] --path PATH

optional arguments:
  -h, --help   show this help message and exit
  --path PATH  rule folder path to generate markdown
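As an added example (not one of the project's own scripts), the following Python code shows the validate-then-merge workflow the two scripts above perform over the directory layout described in this README: walk rules/<Group>/, check that each group has a parseable rule.json and auto.json, check that rule names follow the group-name-plus-letter convention, and concatenate the clean groups into Rule.json and Auto.json ready for import. The JSON layout it assumes (each rule.json is an array of objects with a "name" field, each auto.json an array of entries) is a placeholder assumption for illustration, not the real Huorong rule format, and the sample tree it builds is constructed in a temporary directory.

```python
"""Validate and merge a rules/ tree laid out as <Group>/rule.json + auto.json.

Added example, not the project's validate_rules.py / merge_rules.py. The JSON
shape assumed here (rule.json = array of objects with "name"; auto.json = array)
is a placeholder assumption about the real Huorong format.
"""
import json
import re
import tempfile
from pathlib import Path

# Rule group folders are <Category>.<Description>, e.g. Exploit.MSOffice.
GROUP_NAME = re.compile(r"^[A-Za-z0-9]+\.[A-Za-z0-9]+$")


def rule_name_pattern(group: str) -> "re.Pattern[str]":
    """Rules inside a group are named <group>.<single letter>, per the README."""
    return re.compile(rf"^{re.escape(group)}\.[A-Z]$")


def validate_group(group_dir: Path) -> list:
    """Return a list of problems found in one rule group (empty when clean)."""
    problems = []
    group = group_dir.name
    if not GROUP_NAME.match(group):
        problems.append(f"{group}: folder name is not Category.Description")
    for fname in ("rule.json", "auto.json"):
        path = group_dir / fname
        if not path.is_file():
            problems.append(f"{group}: missing {fname}")
            continue
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except json.JSONDecodeError as exc:
            problems.append(f"{group}/{fname}: invalid JSON ({exc.msg})")
            continue
        if not isinstance(data, list):
            problems.append(f"{group}/{fname}: top level must be a JSON array")
            continue
        if fname == "rule.json":
            pat = rule_name_pattern(group)
            for i, rule in enumerate(data):
                name = rule.get("name") if isinstance(rule, dict) else None
                if not name or not pat.match(name):
                    problems.append(f"{group}/rule.json[{i}]: name {name!r} is not {group}.<letter>")
    return problems


def validate_tree(root: Path) -> dict:
    """Map each rule group folder under root to its list of problems."""
    return {d.name: validate_group(d) for d in sorted(root.iterdir()) if d.is_dir()}


def merge_tree(root: Path, output: Path) -> dict:
    """Concatenate clean groups into output/Rule.json and output/Auto.json; return entry counts."""
    merged = {"Rule.json": [], "Auto.json": []}
    for group_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        if validate_group(group_dir):
            continue  # never ship a group that fails validation
        merged["Rule.json"].extend(json.loads((group_dir / "rule.json").read_text(encoding="utf-8")))
        merged["Auto.json"].extend(json.loads((group_dir / "auto.json").read_text(encoding="utf-8")))
    output.mkdir(parents=True, exist_ok=True)
    for fname, entries in merged.items():
        (output / fname).write_text(json.dumps(entries, ensure_ascii=False, indent=2), encoding="utf-8")
    return {fname: len(entries) for fname, entries in merged.items()}


def build_sample_tree(root: Path) -> None:
    """Constructed sample tree (not real rules): one clean group, one broken group."""
    good = root / "Exploit.MSOffice"
    good.mkdir(parents=True)
    (good / "rule.json").write_text(json.dumps([
        {"name": "Exploit.MSOffice.A", "enabled": True},
        {"name": "Exploit.MSOffice.B", "enabled": False},
    ]), encoding="utf-8")
    (good / "auto.json").write_text(json.dumps([{"rule": "Exploit.MSOffice.A", "action": "block"}]), encoding="utf-8")
    (good / "README.md").write_text("# Exploit.MSOffice\n", encoding="utf-8")
    bad = root / "Ransom.Generic"
    bad.mkdir()
    # Wrong prefix in the rule name, and auto.json deliberately missing.
    (bad / "rule.json").write_text(json.dumps([{"name": "Ransom.Wrong.A"}]), encoding="utf-8")


def demo() -> tuple:
    """Build the sample tree, validate it, merge it, and return (report, counts)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "rules"
        build_sample_tree(root)
        report = validate_tree(root)
        counts = merge_tree(root, Path(tmp) / "out")
    return report, counts


if __name__ == "__main__":
    report, counts = demo()
    for group, problems in report.items():
        print(group, "OK" if not problems else problems)
    print(counts)
```

Running it reports Exploit.MSOffice as clean and lists two problems for Ransom.Generic (the mis-prefixed rule name and the missing auto.json), and the merged output contains only the clean group's two rules and one auto entry. Skipping a group that fails validation, rather than merging whatever parses, is the property worth keeping in any merge script: one malformed group should not silently change what gets imported into the engine.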

Changelog

See the release log for details

TO-DO: Add changelog.md

Feedback/Contribution

Make sure you read the contributing guidelines before opening Issues or PR.


This post is licensed under CC BY 4.0 by the author.