What is YARA?
Yet Another Recursive/Ridiculous Acronym (YARA) is a tool used to identify and classify malware samples. YARA identifies and classifies malware based on custom rules created in your PhishER platform. A rule is a description based on textual or binary patterns. A rule’s description can be broken down into three sections:
- Meta
- Strings
- Condition
Together, these sections determine a rule’s logic. At a minimum, every rule must have a condition section. You may omit the meta or strings section if not needed.
You can create a YARA rule using either the Basic Editor or the Advanced Editor. The Basic Editor guides you through creating a rule. The Advanced Editor allows you to write the logic of your YARA Rule without guidance. For more information about using the Basic Editor and Advanced Editor, see our Creating Rules and Actions in PhishER article.
Note: You can write custom rules using YARA logic to disposition emails in your PhishER inbox. However, it's important to note that YARA rules do not work retroactively. This means that all messages forwarded to PhishER prior to the rule being enabled will not be affected.
Writing YARA Rules
Below is a brief overview of YARA rules to help get you started with PhishER. For full YARA documentation, please visit YARA's documentation.
PhishER currently supports version 4.1.2 of YARA.
- Add your rule identifier.
- Every YARA rule has to be declared using the keyword rule followed by an identifier, the unique name you would like to give your rule. Rule identifiers are case-sensitive, cannot include spaces, and cannot start with a number. Some keywords are reserved and cannot be used as an identifier.
Note: YARA only supports ASCII characters. The use of non-ASCII characters in your rule will prevent your rule from saving.
- Add your meta: section.
- The meta section can be used to provide comments or details about your rule. If you have multiple admins writing or editing YARA rules in PhishER, it may be helpful to use the meta section as an internal changelog. Information provided under meta will not be used for any variation of malware detection.
- Add your strings: section.
- The strings section is where you declare variables and set their values. Each variable is indicated by the $ sign followed by the variable name. Like the rule identifier, a variable name is case-sensitive, cannot include spaces, and cannot start with a number.
Note: If you’re using a global variable in your rule, enter the value of the global variable as it is displayed in the rules list under Rules > Global Variables. Make sure to enter the value within double brackets. For example, [[Variable]]. For more information about global variables, see the Global Variables section of our PhishER Product Manual.
- Add your condition: section.
- The condition section expresses what you want your rule to detect. This is done by writing an expression that combines your strings with logical operators. Keep in mind that the condition must reference every string you declared.
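The following complete rule, with all three sections, is an added illustration of the steps above and is not taken from the article or from the PhishER product. The lure phrases are constructed, and the global variable name CompanyName is assumed to have been defined under Rules > Global Variables.

```yara
rule PhishER_Example_CredentialLure
{
    meta:
        // Free-form details; nothing here is used for matching
        author      = "Security team"
        description = "Flags messages pairing an urgency lure with a login link"
        version     = "1"
        changelog   = "Initial draft"

    strings:
        // Plain-text strings; 'nocase' makes the match case-insensitive
        $lure1 = "account will be suspended" nocase
        $lure2 = "verify your identity" nocase
        $lure3 = "unusual sign-in activity" nocase

        // Regular expression: any http(s) link whose path contains login, signin or verify
        $link  = /https?:\/\/[^\s"'<>]+\/(login|signin|verify)[^\s"'<>]*/ nocase

        // PhishER global variable (assumed name), entered in double brackets;
        // 'ascii wide' also matches the UTF-16 form of the value
        $brand = "[[CompanyName]]" ascii wide nocase

    condition:
        // Every declared string is referenced: $brand and $link directly,
        // and the three $lure strings through the wildcard set ($lure*)
        $brand and $link and 2 of ($lure*)
}
```

The rule fires only when the brand name, a login-style link, and at least two of the three lure phrases all appear in the same message, which keeps a single marketing phrase or a lone link from triggering it.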