
Hunting

On the Hunt page in the PolySwarm UI, we support Live and Historical Hunting using YARA Rulesets. A YARA Ruleset is a text file, traditionally with the .yar extension, that contains one or more YARA rules. Some people refer to this file as a YARA Rules file.

YARA Rules

When performing a Live or Historical Hunt, artifacts are scanned by the YARA engine using the rules contained in the Ruleset attached to that Hunt. Writing YARA rules is explained in depth in the YARA documentation, and there are example rules in the Yara-Rules GitHub repository.

YARA Rulesets are managed on the Hunt page’s Rulesets tab.
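As an added example (this is not a ruleset from PolySwarm or the Yara-Rules repository), here is a small Ruleset in the form the Rules text box expects. Rule names, strings and metadata are constructed for illustration; only the YARA syntax, the pe and math modules, and the PE header checks are real. It shows the parts a hunting ruleset usually needs: a private helper rule that is not reported on its own, a string-based rule with a filesize guard, and a rule that walks PE sections through the pe module.

```yara
/*
  Constructed example ruleset, as you would paste it into the Rules text
  box or upload as a .yar file. Names and strings are illustrative only.
*/

import "pe"
import "math"

// Private rules never appear as hits themselves; they only feed the
// conditions of other rules, so the hunt reports only the rules below.
private rule is_pe
{
    condition:
        uint16(0) == 0x5A4D and            // "MZ" DOS header
        uint32(uint32(0x3C)) == 0x00004550 // "PE\0\0" at e_lfanew
}

rule example_ps_download_cradle
{
    meta:
        author      = "hunting team"   // constructed metadata
        description = "PE that embeds a PowerShell download cradle"
        severity    = "medium"

    strings:
        $ps  = "powershell" ascii wide nocase
        $dl1 = "DownloadString(" ascii wide
        $dl2 = "Invoke-WebRequest" ascii wide nocase
        // "-EncodedCommand" written as a hex string, to show the form
        $enc = { 2D 45 6E 63 6F 64 65 64 43 6F 6D 6D 61 6E 64 }

    condition:
        is_pe and filesize < 5MB and
        $ps and (1 of ($dl*) or $enc)
}

rule example_packed_pe
{
    meta:
        description = "PE with a UPX section or a high-entropy .text section"

    condition:
        is_pe and
        for any i in (0 .. pe.number_of_sections - 1) : (
            pe.sections[i].name == "UPX0" or
            (pe.sections[i].name == ".text" and
             math.entropy(pe.sections[i].raw_data_offset,
                          pe.sections[i].raw_data_size) > 7.0)
        )
}
```

The filesize guard and the private header check matter more in a hunt than on a single file: Live Hunting runs every rule against every artifact submitted while the Hunt is active, so a loose rule such as a bare "powershell" string match will produce far more results than you can review.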

Adding Rulesets

If you have not yet added a Ruleset, there is a large “Add Rulesets” button on the Rulesets tab to add your first Ruleset. If you have already added one or more Rulesets, there is a “+” button to add additional Rulesets.

Every Ruleset needs a Name. The Description field is optional, but it is a good place to record what the rules are for and where they came from. Finally, there is the large text box for the YARA Rules themselves.

You have two options for entering the Rules:

  1. You can paste your Rules into the large text box.
  2. You can click the small “+” button in the lower right corner of the text box to select a YARA Ruleset file from your computer and upload it as your Ruleset.

Click the Save button to save the Ruleset.

Validating Rulesets

Once one or more Rules have been entered into the Rules text box, the button in its bottom right corner changes from a “+” button to a “Validate” button. Click the Validate button to validate the syntax of your Ruleset. If you click outside of the Rules area after entering rules, validation runs automatically. Validation only confirms that the Ruleset compiles; it does not tell you whether a rule matches what you intend or how many results it will produce, so test new rules against known samples before running a Hunt with them. Once you have a valid Ruleset, click the Save button to save it.

Viewing / Editing Rulesets

You can view and edit an existing Ruleset by clicking on the pencil button in the Actions column and selecting View/Edit.

Copying Rulesets

You can copy an existing Ruleset by clicking on the pencil button in the Actions column and selecting Duplicate.

Deleting Rulesets

You can delete an existing Ruleset by clicking on the trash can button in the Actions column.

Running a Ruleset

You can start a Live Hunt or Historical Hunt by clicking on the run button in the Actions column and selecting “Run Live Hunt” or “Run Historical Hunt”. When a Live Hunt is started on the Rulesets tab, you will be brought to the Live Hunting tab.

It is important to note that when a Hunt is run, the Ruleset is copied into that Hunt. Later changes to the Ruleset do not affect a Hunt that is already running; to use the modified Ruleset, you need to run a new Hunt.

Live Hunting

Live Hunting uses YARA Rules to examine new artifacts as they are submitted to PolySwarm.

The Live Hunting tab lists each Live Hunt that has been run, including any that is currently running; the currently running Live Hunt has an “Active” status. Each row shows the Name of the Ruleset used for that Hunt, the date the Hunt was started, the number of results for that Hunt, the status of the Hunt, and some action buttons. The “eye” action button lets you view the Ruleset for that Hunt, and the trash can button deletes the Hunt and its results.

Viewing Live Hunting Results

Clicking on the row for a Hunt expands it to show the list of results. Each result row contains the artifact’s SHA-256 hash, the date the artifact was first seen, its MIME type, and a button to download that artifact.

Deleting a Live Hunt

To delete a Live Hunt, click on the “trash can” button in the Action column at the right side of the row. This will delete the Hunt and all of the results in that hunt.

Historical Hunting

Historical Hunting uses YARA Rules to examine all artifacts that were submitted to PolySwarm over the past 6 months.

The Historical Hunting tab lists each Historical Hunt that has been run, including any that is currently running. Each row shows the Name of the Ruleset used for that Hunt, the date the Hunt was started, the number of results from that Hunt, the status of the Hunt, and some action buttons. The “eye” action button lets you view the Ruleset for that Hunt, and the trash can button deletes the Hunt and its results.

Viewing Historical Hunting Results

Clicking on the row for a Hunt expands it to show the list of results. Each result row contains the artifact’s SHA-256 hash, the date the artifact was first seen, its MIME type, and a button to download that artifact.

Deleting a Historical Hunt

To delete a Historical Hunt, click on the “trash can” button in the Action column at the right side of the row. This will delete the Hunt and all of the results in that hunt.