Know the meaning of rule IDs 707, 708 and 709 in Deep Discovery Inspector (DDI), and how these three rules are composed.
Meaning of DDI rules:
- 707 MALWARE: High Callback to IP address in Virtual Analyzer C&C List.
When this rule is triggered, DDI has detected a connection to an IP address (and port) that Virtual Analyzer identified as a C&C server.
- 708 MALWARE: High Malware file hash from Virtual Analyzer feedback.
When this rule is triggered, DDI has detected a file whose hash matches a file that Virtual Analyzer previously analyzed and rated as high-risk malware.
- 709 MALWARE: High Callback to URL in Virtual Analyzer C&C List.
When this rule is triggered, DDI has detected a request to a URL that Virtual Analyzer identified as a C&C server.
Process of how the rules are composed:
- DDI submits files to Virtual Analyzer (either the internal one or an external one).
- Virtual Analyzer analyzes the received files and returns a feedback list to DDI. Only files detected as high-risk malware are recorded in the feedback list, so a sample rated below high risk never produces a 707/708/709 detection; the full reports for all files are sent separately.
- DDI receives the feedback list and adds its entries to the local database.
- The CAV module in DDI matches observed traffic and files against these database entries; each of the three rules is keyed on a different entry type:
- 707 - IP address and port
- 708 - SHA-1 file hash
- 709 - Uniform Resource Locator (URL)
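The following is an added, self-contained model of the matching step described above; it is not Trend Micro code and does not reflect DDI's actual database or feedback format. It assumes a simple tab-separated feedback list (`kind<TAB>value` records for `ip`, `sha1` and `url` entries), an ingest step that stores them, and a matcher that turns observed connections, files and HTTP requests into rule 707, 708 or 709 hits. The feedback entries, event layout and all sample addresses and hashes are constructed for illustration; the URL normalization and "IP entry without a port matches any port" behaviour are also assumptions, not documented DDI behaviour.

```python
# Added example: toy model of how Virtual Analyzer feedback entries are stored
# and then matched against traffic as rules 707 (IP/port), 708 (SHA-1) and
# 709 (URL). NOT Trend Micro code; the feedback-list format, the event
# layout and all sample data are constructed for illustration.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

RULE_CALLBACK_IP = 707   # Callback to IP address in Virtual Analyzer C&C List
RULE_MALWARE_HASH = 708  # Malware file hash from Virtual Analyzer feedback
RULE_CALLBACK_URL = 709  # Callback to URL in Virtual Analyzer C&C List


@dataclass
class FeedbackDB:
    """What DDI keeps after ingesting a feedback list (assumed layout)."""
    ips: set = field(default_factory=set)    # (ip, port); port None = any port
    sha1s: set = field(default_factory=set)  # lowercase 40-char hex digests
    urls: set = field(default_factory=set)   # normalized URLs


def normalize_url(raw: str) -> str:
    """Canonicalize a URL so trivially different spellings still match:
    lowercase scheme/host, drop the default port, supply a root path."""
    raw = raw.strip()
    if "://" not in raw:            # assumption: scheme-less entries are HTTP
        raw = "http://" + raw
    parts = urlsplit(raw)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""     # urlsplit already lowercases the host
    default_port = {"http": 80, "https": 443}.get(scheme)
    port = parts.port
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    path = parts.path or "/"
    query = f"?{parts.query}" if parts.query else ""
    return f"{scheme}://{netloc}{path}{query}"


def load_feedback(lines) -> FeedbackDB:
    """Ingest a feedback list given as 'kind<TAB>value' records (constructed format)."""
    db = FeedbackDB()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition("\t")
        if kind == "ip":
            ip, _, port = value.partition(":")
            db.ips.add((ip, int(port) if port else None))
        elif kind == "sha1":
            digest = value.lower()
            if len(digest) != 40 or not all(c in "0123456789abcdef" for c in digest):
                raise ValueError(f"malformed SHA-1 in feedback: {value!r}")
            db.sha1s.add(digest)
        elif kind == "url":
            db.urls.add(normalize_url(value))
        else:
            raise ValueError(f"unknown feedback entry type: {kind!r}")
    return db


def match_event(db: FeedbackDB, event: dict) -> list:
    """Return the rule IDs one observed event triggers against the database."""
    hits = []
    kind = event["type"]
    if kind == "connection":
        key = (event["dst_ip"], event["dst_port"])
        if key in db.ips or (event["dst_ip"], None) in db.ips:
            hits.append(RULE_CALLBACK_IP)
    elif kind == "file":
        if event["sha1"].lower() in db.sha1s:
            hits.append(RULE_MALWARE_HASH)
    elif kind == "http":
        if normalize_url(event["url"]) in db.urls:
            hits.append(RULE_CALLBACK_URL)
    return hits


# Constructed sample feedback list and traffic: addresses come from the
# RFC 5737 documentation ranges, the hash is SHA-1 of the empty string.
SAMPLE_FEEDBACK = """\
# kind\tvalue
ip\t198.51.100.23:443
ip\t203.0.113.9
sha1\tDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
url\thttp://malware.example/gate.php?id=1
url\thttps://c2.example:8443/beacon
"""

SAMPLE_EVENTS = [
    {"type": "connection", "dst_ip": "198.51.100.23", "dst_port": 443},  # 707
    {"type": "connection", "dst_ip": "198.51.100.23", "dst_port": 80},   # wrong port
    {"type": "connection", "dst_ip": "203.0.113.9", "dst_port": 8080},   # 707, any port
    {"type": "file", "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},  # 708
    {"type": "http", "url": "HTTP://Malware.Example:80/gate.php?id=1"},  # 709 after normalizing
    {"type": "http", "url": "https://c2.example/beacon"},               # port differs, no hit
]


def scan(feedback_text: str, events: list) -> list:
    """Ingest the feedback list, then return [(event_index, [rule IDs])] per event."""
    db = load_feedback(feedback_text.splitlines())
    return [(i, match_event(db, e)) for i, e in enumerate(events)]


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_FEEDBACK, SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["type"], rules or "no rule")
```

The point of the URL normalization is the practical caveat behind rule 709: a byte-exact comparison would miss a callback that differs from the feedback entry only in host case or an explicit default port, while the port-specific IP entry shows why a 707 hit on one port says nothing about other ports on the same host.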