
# Yara

Yara is a tool used for identifying and classifying files based on patterns or rules defined by the user. It is often used in malware analysis and detection, but can be used to identify any kind of file based on a set of defined criteria.

Pre-made Yara rules can be found [here](https://github.com/InQuest/awesome-yara).

## Basics

Every `yara` command requires two arguments to be valid:

1. The rule file we create
2. The file, directory, or process ID to scan with the rule

Say we want to analyse some file *somefile* with the Yara rule *myYaraRule.yar*.

We can create a simple rule that is always true and execute it on *somefile* like this.

```bash
$ cat myYaraRule.yar
rule someRule{
    condition: true
}
$ yara myYaraRule.yar somefile
someRule somefile
```

## Anatomy of Yara rules

[Documentation](https://yara.readthedocs.io/en/stable/writingrules.html)

![Anatomy of a Yara rule (credits: fr0gger_)](/files/bAn4XIN91em0cV0kCmo5)

### Meta

Descriptive information added by the author of the rule, similar to code comments. We can, for example, use a `desc` field to hold a description of the rule.

### Strings

Used to define strings that can be referenced in the condition. For example, the rule below matches every file containing the string "Hello World!".

```
rule helloworld_checker{
	strings:
		$hello_world = "Hello World!"

	condition:
		$hello_world
}
```

### Conditions

We can use `any of them` to match when any of the defined strings is present, which is handy when a rule defines multiple strings.

Conditions also support the boolean operators `and`, `or` and `not`, and the comparison operators `<=`, `>=` and `!=`.

The example below checks for the string "Hello World!" and only matches if the file size is less than 10KB.

```
rule helloworld_checker{
	strings:
		$hello_world = "Hello World!"

	condition:
		$hello_world and filesize < 10KB
}
```
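The rule below is an added example, not part of the original page, that combines the three sections described above (meta, strings and conditions) in one rule. The string values and the `$benign_marker` exclusion are constructed for the example; in a real rule they would be replaced by strings specific to the files you want to classify.

```yara
rule helloworld_checker_full
{
    meta:
        desc   = "Small files containing a Hello World greeting, excluding a known benign marker"
        author = "added example, not part of the original page"

    strings:
        // constructed sample strings for the example
        $greeting_ascii = "Hello World!"
        $greeting_wide  = "Hello World!" wide                        // UTF-16LE encoded variant
        $greeting_hex   = { 48 65 6C 6C 6F 20 57 6F 72 6C 64 21 }   // same bytes written as a hex string
        $benign_marker  = "EXAMPLE_BENIGN_FILE" nocase              // placeholder string for files we want to skip

    condition:
        // any of the $greeting_* strings, a size cap, and an exclusion
        any of ($greeting_*) and filesize < 10KB and not $benign_marker
}
```

`any of ($greeting_*)` restricts the "any of" test to the strings whose identifier starts with `$greeting_`, so the exclusion string does not count towards the match.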

## yarGen

While it is nice to know how to generate Yara rules, it is way easier to just use [yarGen](https://github.com/Neo23x0/yarGen).

Always update before use with `python3 yarGen.py --update`

To use `yarGen` to create a rule for a file *file1*:

{% code overflow="wrap" lineNumbers="true" %}

```bash
python3 yarGen.py -m ./file1 --excludegood -o ./ 
```

{% endcode %}

* `-m` is the path to the files you want to generate rules for
* `--excludegood` forces exclusion of all goodware strings (*these are strings found in legitimate software and can increase false positives*)
* `-o` location and name of the output Yara rule

It might be a good idea to read through the generated rule and remove strings that will generate too many false positives.
