Certified Ethical Hacker (CEH v13) — Question 153

An organization has been experiencing intrusion attempts despite deploying an Intrusion Detection System (IDS) and Firewalls. As a Certified Ethical Hacker, you are asked to reinforce the intrusion detection process and recommend a better rule-based approach. The IDS uses Snort rules and the new recommended tool should be able to complement it. You suggest using YARA rules with an additional tool for rule generation. Which of the following tools would be the best choice for this purpose and why?

Answer options

• A. yarGen - Because it generates YARA rules from strings identified in malware files while removing strings that also appear in goodware files
• B. Koodous - Because it combines social networking with antivirus signatures and YARA rules to detect malware
• C. YaraRET - Because it helps in reverse engineering Trojans to generate YARA rules
• D. AutoYara - Because it automates the generation of YARA rules from a set of malicious and benign files

Correct answer: A

Explanation

The correct answer is A because yarGen specifically focuses on creating YARA rules by analyzing strings in malware while excluding those found in legitimate software, enhancing detection accuracy. Options B, C, and D, while useful, do not provide the same targeted rule generation capability that directly complements Snort rules as effectively as yarGen does.