Understanding YARA Rules

Create Strings and Conditions in the YARA Rule Basic Editor

All PhishER rules must follow Yet Another Recursive/Ridiculous Acronym (YARA) rule logic to disposition messages. In your PhishER platform, you can use the Basic Editor to create strings and conditions for your YARA rules instead of writing all of the YARA rule logic manually.

For more information about writing YARA rules, visit our How to Write YARA Rules article.

You can create a string by declaring a variable and then setting a value for that variable. In the Basic Editor, each new string contains a preset variable, and you must enter a value for that variable.

To create strings in the Basic Editor, follow the steps below:

  1. Log in to your PhishER platform.
  2. From the sidebar on the left side of the page, select the Rules tab to open the Rules List page.
  3. Click the New Rule button at the top-right corner of the page to open the Rule Details page.
  4. Complete the top section of the Rule Details page. For more information about the fields on this page, visit our How to Create and Manage PhishER Rules article.
  5. In the Create Strings section, enter a value for the string.
    Note: Values must include ASCII characters only. For more information about ASCII characters, visit this ASCII web page.

  6. (Optional) If you would like to use a global variable, click the globe drop-down icon. From the drop-down menu that opens, select the name of the global variable you want to use. For more information about global variables, see the Using Global Variables section of our How to Create and Manage PhishER Rules article.

  7. (Optional) If you would like to create additional strings, click the New String button. Then, enter values for the new strings.
    Note: You can create up to five strings for each rule.

Once you've created at least one string, you'll need to create conditions for your rule. For more information, visit the section of this article below.

After you create at least one string, you can create conditions for your rule. Conditions allow you to specify what messages you want your rule to affect. When you create conditions for your rule, you can choose from three options. For more information about these options, see the screenshot and list below:

  1. Match any of the defined strings: Select this option to detect messages that match any of your defined strings.
  2. Match all of the defined strings: Select this option to detect messages that match all of your defined strings.
  3. Custom conditions: Select this option to detect messages that match your custom conditions. For more information about custom conditions, visit the subsection of this article below.

Creating Custom Conditions in the Basic Editor

You can create up to five custom conditions for each rule. To create custom conditions, write expressions using your strings and logical operators. When you create custom conditions, you must use all of the strings you created for the rule.

To create a custom condition, follow the steps below:

  1. On the Rule Details page, create the strings that you need for your custom condition.
  2. In the Create Conditions section of the page, select Custom conditions.

  3. From the Choose string drop-down menu, select one of the strings you created.

  4. To add another string to the condition, click the Add drop-down menu.

  5. From the Add drop-down menu, select one of the options listed below:
    • and: Select this option if the rule should detect messages that match both strings.
    • or: Select this option if the rule should detect messages that match either string or both strings.
    • and not: Select this option if the rule should detect messages that match the existing string but do not match the string being added.
  6. After you select an option from the Add drop-down menu, the Choose string drop-down menu will display. From this drop-down menu, select a string.

  7. Repeat steps 4-6 until you have added all the strings that you need for the condition.

After you have created your first condition, you can create up to four additional conditions for your rule. To create a new condition, follow the steps below:

  1. To add another condition, click the New Condition Group drop-down menu.

  2. From the drop-down menu, select one of the options listed below:
    • and: Select this option if the rule should detect messages that match both conditions.
    • or: Select this option if the rule should detect messages that match either or both conditions.
    • and not: Select this option if the rule should detect messages that match the existing condition but do not match the condition you are adding.
  3. In the new condition section, select the strings needed for your condition and select how they should relate to each other.
  4. Repeat steps 1-3 until you have added all the conditions that you need for the rule.
  5. Click Save Rule to save your rule.

To view an example of custom conditions, see the screenshot and details below:

In this screenshot, the following three strings were created: “.pdf”, “.htm”, and “.exe”. The three strings were used to create two custom conditions, at least one of which must be met for the rule to detect a message. To be detected by this rule, a message must either include both “.pdf” and “.htm”, or include “.exe” only.
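As an added example (not PhishER's or KnowBe4's own code), the Python below renders the YARA rule that the three strings and two condition groups above correspond to, and evaluates the editor's three condition options (match any, match all, custom) against a few constructed sample messages. The variable names $pdf, $htm and $exe are an assumption (the Basic Editor assigns its own preset names), the second condition group is read as “.exe” on its own, i.e. ($pdf and $htm) or $exe, and each string is treated as a plain case-sensitive substring match, which is YARA's default for text strings. It also carries the two checks the article's notes imply: that string values are ASCII only, and that a custom condition references every defined string.

```python
# Added example, not PhishER code. Renders the YARA rule behind the Basic
# Editor's choices and evaluates its condition against sample messages.
import re
from typing import Dict, List

# Strings from the article's screenshot example. The $-variable names are an
# assumption; the Basic Editor assigns its own preset variable names.
STRINGS: Dict[str, str] = {"pdf": ".pdf", "htm": ".htm", "exe": ".exe"}

# The editor's three condition options, written as YARA conditions.
MATCH_ANY = "any of them"
MATCH_ALL = "all of them"
CUSTOM = "($pdf and $htm) or $exe"   # the two condition groups in the screenshot


def check_ascii(strings: Dict[str, str]) -> List[str]:
    """Names of string values that are not pure ASCII (the editor rejects them)."""
    return [name for name, value in strings.items() if not value.isascii()]


def unused_strings(condition: str, strings: Dict[str, str]) -> List[str]:
    """A custom condition must use every defined string; list the ones it omits."""
    referenced = set(re.findall(r"\$(\w+)", condition))
    return [name for name in strings if name not in referenced]


def build_rule(name: str, strings: Dict[str, str], condition: str) -> str:
    """Render the YARA rule text equivalent to the editor's strings and condition."""
    body = "\n".join(f'        ${k} = "{v}"' for k, v in strings.items())
    return (f"rule {name}\n{{\n    strings:\n{body}\n"
            f"    condition:\n        {condition}\n}}\n")


# Tokens accepted in a condition: parentheses, the three operators, the two
# shortcut forms and $name references. Anything else is rejected.
TOKEN = re.compile(r"\s*(\(|\)|and|or|not|any of them|all of them|\$\w+)")


def tokenize(condition: str) -> List[str]:
    tokens, pos, condition = [], 0, condition.strip()
    while pos < len(condition):
        m = TOKEN.match(condition, pos)
        if not m:
            raise ValueError(f"bad token at {condition[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive-descent evaluator: expr := term ('or' term)*,
    term := factor ('and' factor)*, factor := 'not' factor | '(' expr ')' | $name."""

    def __init__(self, tokens: List[str], hits: Dict[str, bool]):
        self.toks, self.i, self.hits = tokens, 0, hits

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self) -> str:
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of condition")
        tok = self.toks[self.i]
        self.i += 1
        return tok

    def expr(self) -> bool:
        v = self.term()
        while self.peek() == "or":
            self.take()
            rhs = self.term()       # always evaluate so the tokens are consumed
            v = v or rhs
        return v

    def term(self) -> bool:
        v = self.factor()
        while self.peek() == "and":
            self.take()
            rhs = self.factor()
            v = v and rhs
        return v

    def factor(self) -> bool:
        tok = self.take()
        if tok == "not":
            return not self.factor()
        if tok == "(":
            v = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return v
        if tok == "any of them":
            return any(self.hits.values())
        if tok == "all of them":
            return all(self.hits.values())
        if tok.startswith("$"):
            return self.hits[tok[1:]]   # KeyError if the string is undefined
        raise ValueError(f"unexpected token {tok!r}")


def evaluate(condition: str, strings: Dict[str, str], message: str) -> bool:
    """True when the message satisfies the condition (case-sensitive substrings)."""
    hits = {name: value in message for name, value in strings.items()}
    parser = Parser(tokenize(condition), hits)
    result = parser.expr()
    if parser.peek() is not None:
        raise ValueError("trailing tokens in condition")
    return result


if __name__ == "__main__":
    print(build_rule("Suspicious_Attachment_Names", STRINGS, CUSTOM))
    samples = [  # constructed message bodies, not real mail
        "Please review invoice.pdf and the form.htm attached",
        "Run setup.exe to install the update",
        "See the attached report.pdf",
        "Meeting moved to noon",
    ]
    for text in samples:
        print(f"{evaluate(CUSTOM, STRINGS, text)!s:5} {text}")
```

The evaluator deliberately avoids `eval`: a condition is parsed into the four YARA constructs the editor can emit, so a malformed expression is rejected rather than executed. Note the case-sensitivity caveat when reasoning about the example: a message that mentions “REPORT.PDF” does not satisfy the “.pdf” string, because YARA text strings match case-sensitively unless the `nocase` modifier is applied; whether the Basic Editor exposes that modifier is not stated in this article.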
