What is YARA?
Yet Another Recursive/Ridiculous Acronym (YARA) is a tool used to identify and classify malware samples. YARA identifies and classifies malware based on custom rules created in your PhishER platform. A rule is a description based on textual or binary patterns. A rule’s description can be broken down into three sections:
- Meta
- Strings
- Condition
Together, these sections determine a rule’s logic. At a minimum, every rule must have a condition section. You may omit the meta or strings section if not needed.
Writing YARA Rules
- Add your rule identifier.
- Every YARA rule has to be declared by using the keyword rule followed by an identifier, or unique name you would like to give your rule. Rule identifiers are case sensitive and cannot include spaces or start with a numerical value. Some keywords are reserved and cannot be used as an identifier.
- Every YARA rule has to be declared by using the keyword rule followed by an identifier, or unique name you would like to give your rule. Rule identifiers are case sensitive and cannot include spaces or start with a numerical value. Some keywords are reserved and cannot be used as an identifier.
- Add your meta: section.
- The meta section can be used to provide comments or details about your rule. If you have multiple admins writing or editing YARA rules in PhishER, it may be helpful to use the meta section as an internal changelog. Note: Information provided under meta will not be used for any variation of malware detection.
- The meta section can be used to provide comments or details about your rule. If you have multiple admins writing or editing YARA rules in PhishER, it may be helpful to use the meta section as an internal changelog. Note: Information provided under meta will not be used for any variation of malware detection.
- Add your strings: section.
- The strings section is where you can declare a variable and set its value. Each variable is indicated using the $ sign followed by the variable name. Similar to the rule identifier, a variable is case sensitive and cannot include spaces or start with a numerical value.
- The strings section is where you can declare a variable and set its value. Each variable is indicated using the $ sign followed by the variable name. Similar to the rule identifier, a variable is case sensitive and cannot include spaces or start with a numerical value.
- Add your condition: section.
- The condition section is used to express what you want your rule to detect. This is done by writing an expression using logical operators. Keep in mind, the condition must include all of your strings.
Note:
This is a brief overview of YARA rules to get you started with PhishER. Visit here for full YARA documentation.
- The condition section is used to express what you want your rule to detect. This is done by writing an expression using logical operators. Keep in mind, the condition must include all of your strings.
Comments
0 comments
Article is closed for comments.