Understanding YARA Rules

YARA Rules Overview

PhishER uses rules with Yet Another Recursive/Ridiculous Acronym (YARA) logic to disposition and tag the messages that are forwarded to your PhishER Inbox. YARA is a tool used to identify and classify malware samples. You can write custom rules using YARA logic. For general information about creating rules in PhishER, see our How to Create and Manage PhishER Rules article. To help you get started with YARA rules, see our list of common use cases and rules in our Use Cases for YARA Rules article.

Note: PhishER currently supports version 4.1.2 of YARA. For more information, see YARA's Writing YARA rules documentation.

Using YARA Logic

A YARA rule describes a set of textual or binary patterns together with a logical expression over those patterns. A rule begins with a rule identifier, and the body of the rule contains three sections: the meta, the strings, and the condition. These sections determine how a rule works.

Note: Use ASCII characters to write custom rules in PhishER. You cannot create a PhishER rule that contains non-ASCII characters. To learn more about ASCII characters, visit this ASCII web page.

Rule Identifier

Start every YARA rule with the keyword rule followed by an identifier. An identifier is a unique name for your rule. Rule identifiers are case sensitive, cannot include spaces, cannot start with a digit, and cannot be any of the reserved keywords listed in YARA's Writing YARA Rules documentation.

Meta

Next, you can include a meta section to add comments or details about your rule. If you have multiple admins writing or editing YARA rules in PhishER, it can be helpful to use the meta section as an internal change log.

Note: The information in the meta section is not evaluated when a message is scanned; it has no effect on what the rule detects.

Strings

In the strings section, declare each string variable and set its value. A variable is indicated by the $ sign followed by the variable name. Variable names are case sensitive and cannot include spaces or start with a digit.

Note: If you're using a global variable in your rule, enter the value of the global variable in double brackets. You should enter the value as it is displayed in the rules list under Rules > Global Variables in your PhishER platform. For more information about global variables, see the Using Global Variables section of our How to Create and Manage PhishER Rules article.

Condition

In the condition section, write an expression using logical operators to indicate what you would like your rule to detect. Every rule must have a condition section, and the condition must reference every string declared in the strings section; a rule with an unreferenced string will not compile.
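The following rule is an added example that is not part of this article or of PhishER's built-in rules; it ties the three sections together for a reported phishing message. The rule name, meta values, dates and the phrases in the strings section are constructed for illustration, and every character is ASCII so the rule can be entered in PhishER.

```yara
// Constructed example: tag messages that pair a credential lure with an
// urgency phrase and a link to a bare IP address instead of a hostname.
rule Credential_Lure_With_IP_Link
{
    meta:
        author      = "SOC team"                         // constructed value
        description = "Credential-reset lure with urgency wording and a raw IP link"
        // The meta section is ignored at scan time, so it doubles as a change log
        // for the admins who maintain the rule (dates are constructed).
        change_log  = "2024-01-15 v1 initial; 2024-02-02 v2 added urgency phrases"
        severity    = "medium"

    strings:
        // nocase: match regardless of letter case
        // ascii wide: match both plain ASCII text and UTF-16 (common in HTML mail)
        $lure1   = "reset your password"      nocase ascii wide
        $lure2   = "verify your account"      nocase ascii wide
        $urgent1 = "within 24 hours"          nocase ascii wide
        $urgent2 = "account will be suspended" nocase ascii wide

        // Regular expression: an http(s) URL whose host is a dotted-quad IP.
        $ip_link = /https?:\/\/[0-9]{1,3}(\.[0-9]{1,3}){3}(\/|[^0-9.])/ nocase

    condition:
        // Every declared string is referenced: the $lure* and $urgent*
        // wildcards cover their groups, and $ip_link is named directly.
        1 of ($lure*) and 1 of ($urgent*) and $ip_link
}
```

Because the condition requires one lure phrase, one urgency phrase and an IP-based link together, a routine message that happens to contain only one of these patterns is not tagged.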
