How Can I Use FireEye’s Countermeasures effectively?

On the 8th of December (yesterday at the time of writing) FireEye, a well-known cybersecurity company, announced on its blog that a state-sponsored actor had stolen FireEye’s Red Team tools. In the cybersecurity world, simulations and war-game exercises are used to test and improve an organisation’s security posture and defence capabilities. The offensive team is referred to as the Red Team, while the Blue Team defends against Red Team attacks.

Introduction to the FireEye Red Team Tool Countermeasures

As described in FireEye’s ‘red_team_tool_countermeasures’ GitHub repository, the rules are disseminated in four different languages – Snort, YARA, ClamAV and HXIOC. Which of them you (or your organisation) need depends on your current production environment and on which tool you wish to install or use: your organisation may be using only one of these tools, or all of them. I will give a brief overview of each language so that those not familiar with it have a basic understanding of its syntax and requirements.

General information

If you are tasked with managing an organisation’s firewall and IDS/IPS rules, you will need to curate FireEye’s Tool Countermeasures. The countermeasure tools have been organised by FireEye into the following status categories:

  • Production
  • Supplemental
  • New

Regardless of which ruleset is best suited to your environment (Snort, YARA, ClamAV or HXIOC), it is still necessary to pick the subset of rules that matches both your operating environment and the threat level / risk. In most cases the ‘production’ rules will be sufficient, but if you are a Cybersecurity Analyst or similar you will need to match the rules to your organisation’s needs. The ‘supplemental’ rules are likely to require further testing and fine-tuning to minimise their impact on normal business operations – let’s remember we need to keep CIA (Confidentiality, Integrity, Availability) in check! The ‘new’ rules are not specifically described by FireEye, but we can assume they will also require testing and fine-tuning similar to ‘supplemental’.

FireEye have published a list of CVEs (Common Vulnerabilities and Exposures) ranked by their NVD (National Vulnerability Database) Base Score – 10 being most critical, 0 being completely benign. FireEye’s curated CVE list can be found here. I recommend working your way down that list and collecting the corresponding rules as you go.

Snort

Snort is a great and (relatively) easy-to-use Intrusion Prevention System (IPS) provided by Cisco. Snort is open source and has free as well as paid subscription options for accessing its rulesets. Registration is required even for the free tier rules (not to be confused with the ‘Community’ tier rules), as Snort provides an API key, called an ‘Oinkcode’, for downloading the rulesets. If you are thinking about using Snort you can register here. The main benefits of the registered and paid subscription options are:

  • Receive updated rules 30 days before the free tier
  • Rule categories
  • Shared object rules (rules written in C), providing:
    • More advanced detection that isn’t possible using ‘regular’ Snort rules
    • Detection obfuscation for use in ‘classified’ environments where methods of detection need to be concealed


Snort is very easy to install on Arch, Red Hat or Debian-based Linux distributions such as Ubuntu. Using the package manager is the easiest and recommended method of installing Snort. Snort can also be compiled from source, but unless you require extra debugging features there is really no benefit. To install Snort use the following:

For Ubuntu:

apt install snort

Which will install the following dependencies:

libdaq2 libdumbnet1 oinkmaster snort-common snort-common-libraries snort-rules-default

For Red Hat and Arch based distributions, substitute ‘yum’ and ‘pacman’ respectively for ‘apt’. I will not run through initial configuration in detail as this guide is specifically about using the FireEye rules. Once you have a curated list of Snort rules, you can copy them from here and paste them into your Snort rules directory (/etc/snort/rules).
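The ‘General information’ section above describes the selection step (pick a status tier, then work down the CVE list by NVD Base Score) and this section describes where the chosen Snort rules end up. The following Python script is an added example, not code from FireEye or the countermeasures repository, of how that curation can be done mechanically: it parses single-line Snort rules, pulls out each rule’s msg, sid and reference:cve options, keeps only the enabled tiers, drops rules whose best CVE score is below a threshold, orders the rest by score, and refuses duplicate sids (which Snort will not load). It assumes the rule text has already been grouped by tier and that you have built a CVE-to-score dict from FireEye’s CVE list; every rule, CVE id and score in the sample is a constructed placeholder.

```python
"""Curate Snort rules by status tier and CVE base score.

Added example, not code from FireEye or the countermeasures repository.
Assumptions: rule text is grouped by the repository's status tiers
(production / supplemental / new) and CVE base scores are supplied as a
dict built from FireEye's CVE list. All rules, CVE ids and scores used
below are constructed placeholders.
"""
import re
from dataclasses import dataclass, field

# Rule header: action proto src sport direction dst dport, then "(options)".
_RULE_RE = re.compile(
    r"^(?P<header>\w+\s+\S+\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+)\s*\((?P<options>.*)\)\s*$"
)
# Split the option list on ';' only when the ';' is outside double quotes,
# so content:"a;b" survives intact.
_OPT_SPLIT_RE = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')


@dataclass
class SnortRule:
    header: str
    msg: str
    sid: int
    cves: list = field(default_factory=list)  # normalised as "CVE-YYYY-NNNN"
    raw: str = ""


def parse_rule(line: str) -> SnortRule:
    """Parse one single-line Snort rule, keeping msg, sid and CVE references."""
    m = _RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort rule: {line!r}")
    msg, sid, cves = "", None, []
    for opt in _OPT_SPLIT_RE.split(m.group("options")):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "msg":
            msg = value.strip('"')
        elif key == "sid":
            sid = int(value)
        elif key == "reference" and value.lower().startswith("cve,"):
            ident = value.split(",", 1)[1].strip().upper()
            cves.append("CVE-" + ident.removeprefix("CVE-"))
    if sid is None:
        raise ValueError(f"rule without sid: {line!r}")
    return SnortRule(m.group("header"), msg, sid, cves, line.strip())


def rule_score(rule: SnortRule, cve_scores: dict):
    """Highest NVD base score among the rule's referenced CVEs; None if unknown."""
    known = [cve_scores[c] for c in rule.cves if c in cve_scores]
    return max(known) if known else None


def curate(rule_files: dict, enabled_tiers: set, cve_scores: dict, min_score: float = 0.0) -> list:
    """Pick rules from the enabled tiers, drop scored rules below min_score,
    order by score (highest first, unscored rules last, then by sid) and
    reject duplicate sids, which Snort refuses to load."""
    seen, chosen = {}, []
    for tier, text in rule_files.items():
        if tier not in enabled_tiers:
            continue
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            rule = parse_rule(line)
            if rule.sid in seen:
                raise ValueError(f"duplicate sid {rule.sid} in tiers {seen[rule.sid]} and {tier}")
            seen[rule.sid] = tier
            score = rule_score(rule, cve_scores)
            if score is not None and score < min_score:
                continue
            chosen.append((score, rule))
    chosen.sort(key=lambda p: (p[0] is None, -(p[0] or 0.0), p[1].sid))
    return [r for _, r in chosen]


def render(rules: list) -> str:
    """Text ready to drop into a .rules file under /etc/snort/rules."""
    return "\n".join(f"# {r.msg} [{', '.join(r.cves) or 'no CVE'}]\n{r.raw}" for r in rules) + "\n"


# --- constructed sample input (not FireEye rules; CVE ids and scores are placeholders) ---
SAMPLE_RULES = {
    "production": (
        '# constructed sample rules\n'
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE prod rule A"; '
        'flow:to_server,established; content:"GET /example"; sid:9000001; rev:1; reference:cve,0000-0001;)\n'
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE prod rule B (no CVE)"; '
        'flow:to_server; content:"example;beacon"; sid:9000002; rev:1;)\n'
    ),
    "supplemental": (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE supplemental rule C"; '
        'content:"POST /example"; sid:9000003; rev:1; reference:cve,0000-0002;)\n'
    ),
}
CVE_SCORES = {"CVE-0000-0001": 9.8, "CVE-0000-0002": 5.3}  # placeholder NVD base scores

if __name__ == "__main__":
    print(render(curate(SAMPLE_RULES, {"production", "supplemental"}, CVE_SCORES)))
```

Rules with no CVE reference are kept regardless of the threshold and sorted last, because many countermeasure rules detect tooling rather than a specific vulnerability; if you would rather exclude them, drop the `score is not None` guard.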

Note: If you are using Suricata it is possible to use the Snort rules by changing the syntax, see here.

YARA

YARA is a tool used primarily by malware researchers and can be extended through modules such as Cuckoo and Magic (among others). Cuckoo Sandbox analyses malware and then outputs a lot of detail about its execution in the form of JSON. Magic, on the other hand, identifies files by their content rather than their name (via its type() and mime_type() functions). This can be very useful, for example, if a malicious actor changes the extension of a file or otherwise attempts to obfuscate the type of file through other means. This section will be intentionally brief because if you are using YARA you will no doubt already know how to import and tailor rules to your particular environment. The basic syntax of a YARA rule is as follows:

rule dummy {
    condition: false   // every rule needs a condition; 'false' never matches
}

Very reminiscent of C syntax.


ClamAV

ClamAV is antivirus software that has the ability to detect a large variety of malicious threats. It is open source and has decent community support. ClamAV can be installed on Linux, OSX as well as Windows. For Linux (Debian-based / Ubuntu):

apt-get update
apt-get install clamav

The commands will change depending on your distribution; see here for your distribution or operating system, as some require slightly different commands or packages.

Note: YARA rules can also be used with ClamAV, though with some caveats. Be aware that YARA modules are not officially supported by ClamAV, so you may run into issues with imports and YARA-specific keywords. For a list of all the caveats, see here.

There are a few options for importing signature databases into ClamAV, depending on the operating system and on how you want to import the signatures. ClamAV databases are located in:




"C:\Program Files\ClamAV\database"

ClamAV database files can simply be copied into these folders to have them included. Alternatively, the DatabaseDirectory option in clamd.conf can be used to point ClamAV at a directory of your choosing:

DatabaseDirectory /path/to/your/database

OR the database file can be called during the execution of a scan using:

clamscan -d <database file or directory> <file or directory to scan>


If you choose the last option mentioned above you have to be aware of a few things:

  • It will only use the database file signatures called with the '-d' option
  • Some ClamAV functionality will be limited or disabled for that scan, i.e. ClamAV ‘unpacking’ support could be disabled
  • Whitelist options based upon ‘Authenticode’ signatures will also not work.

For more details, see here.

HXIOC

If you are a person viewing IoCs (Indicator of Compromise) then chances are you won’t need much information! For everyone else...


IoCs are generated post-incident and can be used in forensics as well as in incident response procedures. A file with the .ioc extension is an XML document and can be viewed using any XML-capable editor, or using specialised IoC editor software. The main difference between a traditional editor and an IoC editor is that the latter splits the document into different windows for easier viewing. If you want to try it yourself, download any .ioc file from FireEye’s ‘red_team_tool_countermeasures’ GitHub repository and open it in any text editor: you will see it is encoded in XML!
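To make the ‘it is just XML’ point concrete, the following Python script is an added example (not code from FireEye or the countermeasures repository) that reads an OpenIOC document with the standard library, lists every indicator item, and renders the nested AND/OR logic as one readable expression, which is roughly what an IoC editor shows in its separate panes. The sample document is constructed here and modelled on the OpenIOC 1.1 layout (the namespace, element names and attribute names are my assumption about that layout); the id, hash and process values in it are placeholders, not real indicators.

```python
"""List the indicator items in an OpenIOC (.ioc) document and render its logic.

Added example, not code from FireEye or the countermeasures repository.
Assumption: the document follows the OpenIOC 1.1 layout (<metadata>,
<criteria>, nested <Indicator operator=...> and <IndicatorItem>); a 1.0
style <definition> root for the criteria is also accepted. All ids,
hashes and names in the sample are constructed placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample .ioc content (placeholder values throughout).
SAMPLE_IOC = """\
<OpenIOC xmlns="http://openioc.org/schemas/OpenIOC_1.1"
         id="00000000-0000-0000-0000-000000000001" last-modified="2020-12-08T00:00:00">
  <metadata>
    <short_description>EXAMPLE TOOL (placeholder)</short_description>
    <authored_by>constructed sample</authored_by>
  </metadata>
  <criteria>
    <Indicator operator="OR" id="00000000-0000-0000-0000-000000000002">
      <IndicatorItem id="00000000-0000-0000-0000-000000000003" condition="is"
                     preserve-case="false" negate="false">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000000</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="00000000-0000-0000-0000-000000000004">
        <IndicatorItem id="00000000-0000-0000-0000-000000000005" condition="contains"
                       preserve-case="false" negate="false">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">example.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="00000000-0000-0000-0000-000000000006" condition="contains"
                       preserve-case="false" negate="false">
          <Context document="ProcessItem" search="ProcessItem/arguments" type="mir"/>
          <Content type="string">--placeholder-flag</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </criteria>
</OpenIOC>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so lookups work whatever namespace the file declares."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _find(elem, name):
    """First descendant with the given local name, or None."""
    for c in elem.iter():
        if c is not elem and _local(c.tag) == name:
            return c
    return None


def item_to_str(item) -> str:
    """One IndicatorItem as 'search condition value', honouring negate."""
    ctx = _children(item, "Context")[0]
    content = _children(item, "Content")[0]
    text = f'{ctx.get("search")} {item.get("condition")} {(content.text or "").strip()}'
    return f"NOT {text}" if item.get("negate") == "true" else text


def indicator_to_str(ind) -> str:
    """Render a (possibly nested) Indicator as a parenthesised AND/OR expression."""
    parts = []
    for child in ind:
        name = _local(child.tag)
        if name == "IndicatorItem":
            parts.append(item_to_str(child))
        elif name == "Indicator":
            parts.append(indicator_to_str(child))
    return "(" + f" {ind.get('operator', 'OR')} ".join(parts) + ")"


def list_items(root) -> list:
    """Flat list of (search, condition, content type, value) for every IndicatorItem."""
    out = []
    for item in root.iter():
        if _local(item.tag) == "IndicatorItem":
            ctx = _children(item, "Context")[0]
            content = _children(item, "Content")[0]
            out.append((ctx.get("search"), item.get("condition"), content.get("type"),
                        (content.text or "").strip()))
    return out


def parse_ioc(xml_text) -> dict:
    """Return the document id, description, flat item list and rendered logic."""
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    desc = _find(root, "short_description")
    criteria = _find(root, "criteria")
    if criteria is None:  # OpenIOC 1.0 used <definition> instead of <criteria>
        criteria = _find(root, "definition")
    top = _children(criteria, "Indicator") if criteria is not None else []
    return {
        "id": root.get("id"),
        "description": (desc.text or "").strip() if desc is not None else "",
        "items": list_items(root),
        "logic": " OR ".join(indicator_to_str(i) for i in top),
    }


if __name__ == "__main__":
    doc = parse_ioc(SAMPLE_IOC)
    print(doc["id"], "-", doc["description"])
    for search, cond, ctype, value in doc["items"]:
        print(f"  {search} {cond} {value} ({ctype})")
    print("logic:", doc["logic"])
```

Because the namespace is stripped before matching, the same functions work on a real .ioc file read from disk (`parse_ioc(open(path, "rb").read())`); the flat item list is what you would feed into a search, while the rendered logic tells you how the items combine.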

Featured image by Michael Geiger on Unsplash
