- What: PacketSmith integrates Yara-X, a state-of-the-art scanning engine and pattern-matching library, for network traffic analysis.
- Impact: Enables network detection engineers, SoC analysts, and malware/vulnerability researchers to analyze network traffic with YARA rules targeting specific network metadata.
Yara-X + PacketSmith Detection Module: A Sneak Peek

Introduction

Version 5 of PacketSmith, codenamed Pinus strobus, is the result of extensive R&D to add unique, unparalleled features that matter to network detection engineers, SoC analysts, and malware and vulnerability researchers. In this release, we're showcasing a very powerful new feature in PacketSmith: the integration of Yara-X, a state-of-the-art scanning engine and pattern-matching library.

PacketSmith brings the full power of YARA to network traffic analysis. Beyond scanning raw payloads, it exposes deep protocol attributes as nested identifiers within the YARA compiler, enabling rules that target specific network metadata. With versatile filtering, you can tailor your analysis to various data categories, including raw frames, individual TCP/UDP packets, reassembled TCP/UDP streams, and ICMP (v4/v6) payloads. Results are delivered in high detail via the console, JSON, or XML Workbook format, with the option of logging the actual content matches. Netomize is not aware of any other tool on the market that possesses such capabilities.

The engine supports cross-layer correlation, allowing you to reference any dissected protocol layer simultaneously within a single YARA condition, integrating data from both packet and frame levels into one logic block. For example, you can check the link layer, the network layer and the transport layer, all in the same rule condition.

The official documentation offers in-depth technical specifications alongside advanced, real-world use cases. These examples demonstrate how to leverage PacketSmith's custom pattern identifiers within YARA-X rules to identify malware C&C traffic and network-based exploitation attempts. Yara-X with PacketSmith is to a pcap what an IDS/IPS is to a pcap or live traffic.
Protocols Exposed

An extensive list of protocols at various network layers has been exposed to provide fine-grained detection capabilities using custom Pattern Identifiers (PaIDs), including:

| Object | Description |
|---|---|
| pcap | The pcap object exposes various pcap header metadata as well-defined attributes. |
| stream | The stream object provides access to different types of streams, including TCP, UDP and ICMP, at various network layers (IPv4 or IPv6) while supporting traffic directionality. |
| pkt | The pkt (packet) object provides well-defined attributes that represent specific metadata from the packet header. |
| ip | The ip object is a unified PaID object that exposes the src and dst addresses for both IPv4 and IPv6. Moreover, it provides the capability to check the type of the IP address (private, loopback, cgnat, link_local, relay, multicast, ...). |
| ip4 | The ip4 object exposes most of the IPv4 header attributes, including flags, and checks whether the IPv4 layer is an IPv4-in-IPv6 encapsulation layer. |
| ip6 | The ip6 object exposes most of the IPv6 header attributes, including flags, and checks whether the IPv6 layer is an IPv6-in-IPv4 encapsulation layer. Moreover, all the extension headers are exposed via designated pattern identifiers for easier introspection. |
| ll2 | The link layer object. |
| port | The port object is a unified PaID that works with both the TCP and UDP layers' PaIDs, depending on which layer exists in the packet. |
| flow | The flow object is a unified PaID that works with both the TCP and UDP layers' PaIDs, depending on which layer exists in the packet. |
| tcp | The tcp object exposes most of the TCP header attributes, including all the TCP flags, the data payload, and an array of options. |
| udp | The udp object exposes all the UDP header attributes, including the data payload. |
| icmp4 | The icmp4 object exposes most of the ICMPv4 header attributes, including the data payload. |
| icmp6 | The icmp6 object exposes most of the ICMPv6 header attributes, including the data payload. |
| dns | The dns object exposes all of the DNS header attributes, including all the queries and responses, using dedicated structure types. It supports both DNS over UDP and DNS over TCP. |

Case Study

In this section, we demonstrate how to leverage the power of the dns object to detect DNS C&C tunnelling traffic in the request and response packets. We'll take the Denis backdoor, documented publicly by Kaspersky, as an example.

| Property | Value |
|---|---|
| MD5 | 1a4d58e281103fea2a4ccbfab93f74d2 |
| SHA-1 | 1a2cd9b94a70440a962d9ad78e5e46d7d22070d0 |
| SHA-256 | f5872f49943c39b73026fc3982b85330953a138cc27c23487a28103337bfdbb5 |
| File Type | Win32 EXE |
| Compiler | Microsoft Visual C++ |
| Size | 179202 bytes |

Rather than analyzing the malware's internal mechanics, this guide focuses on the specific telemetry needed to engineer detection logic. We provide the essential data required to identify DNS-based C&C traffic using PacketSmith's YARA-X custom PaIDs. The malware's pcap denis_bkdr_dns (size: 2,292 bytes) is provided herein for reference.

Denis's DNS Query Packet

The malware sends a check-in DNS request packet to the server, similar to the following:

[Figure 1 - Denis Backdoor DNS Query - Check-in Request]

The exfiltrated data in the query name is base64 encoded using the c...
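The two ideas above, cross-layer correlation (one condition referencing link, network, transport and application attributes of the same frame) and detection of data-carrying DNS query names in check-in requests, are shown below in plain Python as an added example. It is not PacketSmith or Yara-X code and does not use PacketSmith's PaID syntax; the layer names (`ll2`, `ip`, `udp`, `dns`), the frames, addresses, the `example.net` domain and the thresholds are all constructed for this illustration. The dissector builds a per-layer attribute map from a raw Ethernet frame, and `suspicious_query` evaluates a condition across those layers: UDP to port 53, a query (not a response), and a subdomain label that is long, drawn from the base64 alphabet and high-entropy, which is the shape of encoded exfiltration in a query name.

```python
import base64
import math
import socket
import struct
from collections import Counter

# --- constructed sample frames (not captures from the pcap described above) ---

def ipv4_udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Build an Ethernet II / IPv4 / UDP frame. MACs are made up and checksums are
    left at zero because the dissector below does not verify them."""
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", 0x0800)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + udp

def dns_query(qname, qtype=16, txid=0x1234):
    """Build a standard DNS query (flags 0x0100 = recursion desired). qtype 16 = TXT."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)

# Hypothetical check-in payload, base64-encoded as a subdomain label
# (21 bytes -> 28 chars, no padding): "aG9zdD1XUzAxO3VzZXI9YWxpY2U7"
ENCODED_LABEL = base64.b64encode(b"host=WS01;user=alice;").decode("ascii")
TUNNEL_FRAME = ipv4_udp_frame("10.0.0.5", "192.0.2.53", 40123, 53,
                              dns_query(ENCODED_LABEL + ".example.net"))
BENIGN_FRAME = ipv4_udp_frame("10.0.0.5", "192.0.2.53", 40124, 53,
                              dns_query("www.example.net", qtype=1))

# --- dissection: one attribute map per layer, keyed like the layers in the text ---

def parse_dns(data):
    """Parse the DNS header and question section (no name compression expected there)."""
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off, queries = 12, []
    for _ in range(qd):
        labels = []
        while True:
            ln = data[off]
            off += 1
            if ln == 0:
                break
            if ln & 0xC0:
                raise ValueError("compression pointer in question section")
            labels.append(data[off:off + ln].decode("ascii"))
            off += ln
        qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        queries.append({"name": ".".join(labels), "labels": labels, "type": qtype})
    return {"id": txid, "is_response": bool(flags & 0x8000), "queries": queries}

def dissect(frame):
    layers = {"ll2": {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
                      "type": struct.unpack("!H", frame[12:14])[0]}}
    if layers["ll2"]["type"] != 0x0800:          # IPv4 only in this example
        return layers
    ihl = (frame[14] & 0x0F) * 4
    layers["ip"] = {"src": socket.inet_ntoa(frame[26:30]),
                    "dst": socket.inet_ntoa(frame[30:34]), "proto": frame[23]}
    if layers["ip"]["proto"] != 17:               # UDP only in this example
        return layers
    off = 14 + ihl
    sport, dport, ulen, _ = struct.unpack("!HHHH", frame[off:off + 8])
    layers["udp"] = {"sport": sport, "dport": dport, "payload": frame[off + 8:off + ulen]}
    if 53 in (sport, dport):
        layers["dns"] = parse_dns(layers["udp"]["payload"])
    return layers

# --- detection condition spanning udp + dns attributes ---

BASE64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/-_")

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def suspicious_query(layers, min_label_len=20, min_entropy=3.5):
    """True when a DNS query to udp/53 carries a long, base64-alphabet, high-entropy
    label below the registered domain. Thresholds are illustrative, not tuned."""
    udp, dns = layers.get("udp"), layers.get("dns")
    if not udp or not dns or udp["dport"] != 53 or dns["is_response"]:
        return False
    for q in dns["queries"]:
        for label in q["labels"][:-2]:            # skip registered domain and TLD
            if (len(label) >= min_label_len and set(label) <= BASE64_CHARS
                    and shannon_entropy(label) >= min_entropy):
                return True
    return False

if __name__ == "__main__":
    for name, frame in (("tunnel", TUNNEL_FRAME), ("benign", BENIGN_FRAME)):
        l = dissect(frame)
        print(name, l["ip"]["src"], "->", l["ip"]["dst"], l["dns"]["queries"][0]["name"],
              "suspicious" if suspicious_query(l) else "clean")
```

The positive case flags the frame on the combined udp/dns condition while the benign `www.example.net` lookup to the same resolver passes; in a real deployment the label-length and entropy thresholds would be tuned against the organisation's own DNS baseline, and the same layer map lets the condition also constrain `ip.src` (for example, queries not sourced from the internal resolvers).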