Certified Ethical Hacker (CEH v12) — Question 177

An organization has been experiencing intrusion attempts despite deploying an Intrusion Detection System (IDS) and Firewalls. As a Certified Ethical Hacker, you are asked to reinforce the intrusion detection process and recommend a better rule-based approach. The IDS uses Snort rules and the new recommended tool should be able to complement it. You suggest using YARA rules with an additional tool for rule generation. Which of the following tools would be the best choice for this purpose and why?

Answer options

• A. yarGen - Because it generates YARA rules from strings identified in malware files while removing strings that also appear in goodware files
• B. Koodous - Because it combines social networking with antivirus signatures and YARA rules to detect malware
• C. YaraRET - Because it helps in reverse engineering Trojans to generate YARA rules
• D. AutoYara - Because it automates the generation of YARA rules from a set of malicious and benign files

Correct answer: A

Explanation

The correct answer is A, yarGen, as it specifically generates YARA rules by focusing on strings found in malware while excluding those found in benign files, making it highly effective for targeted detection. Options B, C, and D, while useful in their own right, do not provide the same level of specificity and effectiveness in generating rules tailored for intrusions as yarGen does.