Writing YARA Rules
PhishER uses rules with Yet Another Recursive/Ridiculous Acronym (YARA) logic to disposition and tag the messages that are forwarded to your PhishER Inbox. YARA is a tool used to identify and classify malware samples. You can write custom rules using YARA logic. For general information about creating rules in PhishER, see our How to Create and Manage PhishER Rules article. To help you get started with YARA rules, see our list of common use cases and rules in our Use Cases for YARA Rules article.
To learn how to write custom rules using YARA logic, see the subsections below.
Using YARA Logic
A YARA rule pairs a set of textual or binary patterns with a logical expression that says how those patterns must combine for the rule to match. A rule begins with a rule identifier, and its body can contain three sections: meta, strings, and condition. Only the condition section is required; meta and strings are optional. Together these sections determine how a rule works.
Start every YARA rule using the keyword rule followed by an identifier. An identifier is a unique name for your rule. Rule identifiers are case sensitive, cannot include spaces or start with a numerical value, and cannot include any of the keywords listed in YARA's Writing YARA Rules documentation.
Next, you can include a meta section to add comments or details about your rule. Meta entries are key/value pairs (for example, author, description, or version) and have no effect on what the rule matches. If you have multiple admins writing or editing YARA rules in PhishER, it can be helpful to use the meta section as an internal change log.
In the strings section, declare each pattern you want to search for as a variable and set its value. Each variable is indicated by the $ sign followed by the variable name. Variable names are case sensitive and cannot include spaces or start with a numerical value. A value can be a text string in double quotes, a hexadecimal byte sequence in braces, or a regular expression between forward slashes. Text strings match case sensitively by default; add the nocase modifier to make a match case insensitive.
In the condition section, write an expression using logical operators (such as and, or, not, and quantifiers like any of them or all of them) to indicate what you would like your rule to detect. Every rule must have a condition section, and every string declared in the strings section must be referenced in the condition. A declared string that the condition never uses is a compile error, so the rule will not load.
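The following rule puts the three sections together. It is an added example written for this article, not a rule shipped with PhishER, and the rule name, meta values, and the phrases and URL pattern in the strings section are all made up for illustration; substitute the indicators that matter for your own inbox.

```yara
// Example rule: flags a message that uses an urgency phrase together with a
// credential-harvest style link. Every identifier and phrase here is a placeholder.
rule Example_Credential_Lure
{
    meta:
        // meta is optional and does not affect matching; it is a convenient change log
        author      = "PhishER admin (example placeholder)"
        description = "Urgency phrase combined with a login/verify URL"
        version     = 1
        changelog   = "v1: initial version (example)"

    strings:
        // Plain text strings. ascii and wide cover both single-byte and UTF-16 text;
        // nocase removes the default case-sensitive matching.
        $urgent1 = "your account will be suspended" ascii wide nocase
        $urgent2 = "verify your account within 24 hours" ascii wide nocase
        $urgent3 = "unusual sign-in activity" ascii wide nocase

        // A regular expression between forward slashes. Literal slashes inside
        // the pattern must be escaped as \/ (placeholder URL shape).
        $lure_url = /https?:\/\/[a-z0-9.-]+\/(login|signin|verify)[^\s"'<>]*/ nocase

        // A plain-text fallback for lures that spell the action out instead of linking it.
        $lure_text = "log in to confirm your details" ascii wide nocase

    condition:
        // At least one urgency phrase AND one of the two lure indicators.
        // Every string declared above is referenced here; leaving one out
        // (for example, never mentioning $lure_text) makes the rule fail to compile.
        1 of ($urgent*) and ($lure_url or $lure_text)
}
```

The `$urgent*` wildcard lets the condition refer to every string whose name starts with `$urgent`, so adding a fourth urgency phrase later only requires a new line in the strings section. Rename `Example_Credential_Lure` to match your own naming scheme before saving it in PhishER.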