Yara

https://github.com/virustotal/yara

Yara is a tool used for identifying and classifying files based on patterns or rules defined by the user. It is often used in malware analysis and detection, but can be used to identify any kind of file based on a set of defined criteria.

Pre-made Yara rules can be found here

Basics

Every yara command requires two arguments to be valid:

  1. The rule file we create

  2. The file, directory, or process ID to apply the rule to.

Say we want to analyse the file somefile with the Yara rule myYaraRule.yar.

We can create a simple rule that always matches and run it on somefile like this:

$ cat myYaraRule.yar
rule someRule{
    condition: true
}
$ yara myYaraRule.yar somefile
someRule somefile

Anatomy of Yara rules

Documentation

Credits: fr0gger_

Meta

Descriptive information written by the author of the rule, similar to code comments; it has no effect on matching. Meta fields are free-form key = value pairs, so we can e.g. use desc for a description of the rule.

Strings

Used to define strings that can be referenced in the condition. For example, the rule below matches every file containing the string "Hello World!":

rule helloworld_checker{
	strings:
		$hello_world = "Hello World!"

	condition:
		$hello_world
}

Conditions

The condition decides whether the rule matches. It can reference any of the strings defined in the strings section, e.g. to require that multiple strings are present.

Conditions also support the boolean operators and, or and not, and the comparison operators <=, >= and !=.

The example below checks for the string "Hello World!" and only matches if the file size is less than 10KB:

rule helloworld_checker{
	strings:
		$hello_world = "Hello World!"

	condition:
		$hello_world and filesize < 10KB
}
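Putting the three sections together, here is an added example rule (not from the original page) that uses meta, several string types and a combined condition. The rule name, the strings and the hex pattern are made up for illustration; the 10KB size limit mirrors the example above.

```yara
rule helloworld_pe_example
{
    meta:
        desc   = "Added example: meta, strings and a multi-part condition"
        author = "illustration only, not a production rule"
        // any key = value pair is allowed here; none of them affect matching

    strings:
        // plain ASCII text string
        $s1 = "Hello World!"
        // case-insensitive, matched both as ASCII and as UTF-16LE (wide)
        $s2 = "hello" nocase ascii wide
        // hex byte pattern; ?? is a wildcard for one unknown byte
        $h1 = { 4D 5A 90 00 03 00 ?? 00 }

    condition:
        // file must start with the "MZ" header (bytes 4D 5A read little-endian)
        uint16(0) == 0x5A4D
        // keep the match to small files, as in the filesize example above
        and filesize < 10KB
        // at least two of the three defined strings must be present
        and 2 of them
}
```

Run it with yara -s myRule.yar somefile to also print which strings matched and at which offsets.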

yarGen

While it is good to know how to write Yara rules by hand, it is much easier to generate them with yarGen.

Always update yarGen's databases before use with python3 yarGen.py --update

To use yarGen to create a rule for a file file1:

python3 yarGen.py -m ./file1 --excludegood -o ./

  • -m is the path to the files you want to generate rules for

  • --excludegood forces exclusion of all goodware strings (strings that are also found in legitimate software and would increase false positives)

  • -o is the location and name of the generated Yara rule

It is a good idea to read through the generated rule and remove strings that would generate too many false positives.
