YARA Rules 101: Quickly craft YARA rules


YARA is like a Swiss Army knife for cybersecurity. It’s a powerful tool used for malware detection and classification. This allows cyber defenders to identify, tag and, ultimately, protect against a variety of cyber threats.

Creating YARA Signatures

Creating a YARA signature isn’t hard. You just need a bit of patience, focus, and our simple guide. Let’s dive right in!

Step 1: Understand Your Threat

Before we start, remember: you need to know what you’re up against. Have the malware sample at hand and understand its behaviors, indicators and patterns: which strings, byte sequences or file properties are specific to it rather than shared with benign software. You can’t create a signature for something you don’t know!

Step 2: Install YARA

First things first, you need YARA on your computer. If it’s not installed, download it from the official YARA project page (most Linux distributions also package it, e.g. apt install yara). Follow the instructions given, and you’ll be ready to go.

Step 3: Start Writing Your Rule

Now it’s time to create your signature. Start a new text file – this will be your YARA rule. Every YARA rule has two parts: the rule declaration and the rule body.

The rule declaration is the rule keyword followed by a name. Keep it short and descriptive, like “Tricky_Trojan“. Names may contain letters, digits and underscores, cannot start with a digit, are case-sensitive and must be unique within the rule set.

The rule body, enclosed in braces, is where the magic happens. It has up to three sections: meta (optional key/value pairs such as author, description or reference), strings (the patterns to look for, each named with a $ identifier; a pattern can be a text string, a sequence of bytes written in hex, or a regular expression) and condition, the only mandatory section, a boolean expression over those strings and other file properties that decides whether the rule matches.

A simple rule looks like this:

rule Tricky_Trojan
{
    strings:
        $my_text_string = "Bad Trojan"
        $my_hex_string = { E2 34 F1 12 }

    condition:
        $my_text_string or $my_hex_string
}

In this example, the rule fires on any file that contains either the text “Bad Trojan” (matched as ASCII and case-sensitively, because no modifiers are given) or the four bytes E2 34 F1 12, at any offset.

Step 4: Test Your Rule

Now that you have your rule, it’s time to test it. Run the ‘yara’ command with the rule file first and the target second, for example yara my_rule.yar suspicious.bin (add -r to scan a directory recursively and -s to print the matching strings with their offsets).

If the rule matches, yara prints one line per hit: the rule name followed by the path of the file. No output means no match; a syntax error in the rule is reported on stderr instead. If you expected a hit, go back and check your rule: the sample may use different casing than your string, or store the text as UTF-16 while you only wrote an ASCII pattern. Test against clean files as well, because a rule that only fires on the one sample you started from tells you nothing about false positives.

Step 5: Keep Learning

Creating YARA rules isn’t a one-and-done deal. Threats evolve, so your rules should, too. Stay informed about new threats, tweak your rules as needed, and keep your YARA skills sharp.

In no time, you’ll be a pro at creating effective YARA signatures. Remember, with YARA, you’re not just reacting to threats. You’re actively hunting them down. Happy cyber hunting!
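As an added example (not code from the original page), here is a rule that follows steps 3 and 4 with the sections a production rule normally carries: a meta block for context, string modifiers so that both ASCII and UTF-16 copies of the text are caught, a hex pattern with a wildcard byte, and a condition that gates on the file type and size before it counts indicators. The mutex name, hostname and byte sequence are made up for illustration.

```yara
rule Tricky_Trojan_Dropper
{
    meta:
        author      = "added example, not from the original page"
        description = "Hypothetical PE dropper carrying a mutex name, a C2 hostname and a shell launcher string"
        date        = "2024-01-01"

    strings:
        // hypothetical mutex name; a backslash is written as \\ in a YARA text string
        $mutex = "Global\\tricky_trojan_mtx" ascii wide
        // hypothetical C2 host (.invalid is a reserved TLD, so this never resolves)
        $c2    = "c2.example.invalid" ascii wide nocase
        $cmd   = "cmd.exe /c " ascii wide nocase
        // hypothetical x86 function prologue; ?? is a wildcard that matches any byte
        $stub  = { 55 8B EC 83 EC ?? 53 56 57 }

    condition:
        uint16(0) == 0x5A4D                          // "MZ": only evaluate PE files
        and filesize < 2MB                           // cheaper scans and fewer false positives
        and (2 of ($mutex, $c2, $cmd) or $stub)      // two text indicators, or the code stub
}
```

Save it as tricky_trojan.yar and run yara -s tricky_trojan.yar sample.exe; -s prints each matched string with its offset, which is the quickest way to see why a rule fired. Run the same command against a directory of known-clean binaries with -r before you deploy it.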

YARA Templates

Here are some code templates for different scenarios:

Hexadecimal Match

Detect files that contain a specific hexadecimal sequence.

rule Hex_Match
{
    strings:
        $hex_string = { E2 34 F1 12 }

    condition:
        $hex_string
}

URL Match

Detect files that contain a specific URL.

rule URL_Match
{
    strings:
        $url_string = "www.malicious-url.com"

    condition:
        $url_string
}

Domain Match

Detect files that contain a specific domain.

rule Domain_Match
{
    strings:
        $domain_string = "malicious-domain.com"

    condition:
        $domain_string
}

Hash Match

Detect files whose hash equals a known value. A hash is a property of the whole file, not text inside it, so it cannot be matched from the strings section (a rule that searches for the hex digits would only find files that happen to contain that text). Use the hash module instead; its functions return lowercase hex, so the comparison value must be lowercase too.

import "hash"

rule Hash_Match
{
    condition:
        hash.md5(0, filesize) == "5d41402abc4b2a76b9719d911017c592" // example MD5 hash of "hello"
}

Specific Strings Match

Detect files that contain specific strings.

rule Strings_Match
{
    strings:
        $string1 = "bad string 1"
        $string2 = "malicious string 2"
        $string3 = "trojan string 3"

    condition:
        $string1 or $string2 or $string3
}

Remember, these are basic templates. Modify them as per your needs: add more strings, combine conditions, and use string modifiers where the sample calls for them, such as nocase for case-insensitive matching, wide for UTF-16 encoded text (common in Windows binaries) and fullword so that “malicious-domain.com” does not also match inside “notmalicious-domain.com”. Tailor them to suit the threats you’re facing!

YARA conditions

YARA provides a broad range of operators and keywords that you can use to precisely define your rule conditions. Here are the most commonly used condition items:

Logical Operators:

  • and: both conditions must be true
  • or: at least one condition must be true
  • not: negates the condition that follows it

Comparison Operators:

  • ==: equal to
  • !=: not equal to
  • <: less than
  • <=: less than or equal to
  • >: greater than
  • >=: greater than or equal to

Count Operators:

  • YARA allows you to check the number of times a specific string is matched.
rule Example
{
    strings:
        $a = "bad string"

    condition:
        #a > 5  // The string 'a' is matched more than 5 times
}

Position Operators:

  • You can check where a match occurs with ‘at’ (an exact offset) and ‘in’ (a range of offsets). @a gives the offset of the first match of $a and @a[i] the offset of the i-th match.
rule Example
{
    strings:
        $a = "bad string"

    condition:
        $a at 100 // The string 'a' is found at position 100
}
rule Example
{
    strings:
        $a = "bad string"

    condition:
        $a in (100..200) // The string 'a' is found between positions 100 and 200
}

Filesize:

  • YARA can check the size of the file.
rule Example
{
    condition:
        filesize < 5MB
}

For-loop:

  • YARA supports for-loops over the occurrences of a string (and over sets of strings), with any, all or a number as the quantifier. Inside the loop, @a[i] is the offset of the i-th match of $a and !a[i] its length; #a is the total number of matches.
rule Example
{
    strings:
        $a = {01 23 45 67 89} // example byte sequence

    condition:
        #a > 0 and for all i in (1..#a) : ( @a[i] < 100 )
        // the byte sequence occurs, and every occurrence lies within the first 100 bytes of the file
}

Of:

  • You can use ‘of’ to specify how many strings from a set must be found. The set can be listed explicitly, selected with a wildcard such as ($s*), or be all strings in the rule via ‘them’ (any of them, all of them).
rule Example
{
    strings:
        $a = "string 1"
        $b = "string 2"
        $c = "string 3"

    condition:
        2 of ($a,$b,$c) // At least 2 of the 3 strings must be found
}

These condition items, when used wisely, can help create powerful and precise YARA rules. Keep in mind that this list is not exhaustive; the official YARA documentation covers the remaining operators and the modules (such as pe, hash and math) that expose further file properties to conditions.
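As an added example (not code from the original page), the rule below puts the count, offset, position, for-loop and ‘of’ operators from this section to work together on a hypothetical configuration blob: a fixed header at offset 0, at least three key= entries, each followed by a val= marker within 64 bytes, and at least two known field names. The header, key format and field names are made up for illustration.

```yara
rule Config_Blob_Conditions
{
    meta:
        description = "Added example: combines at, #, @, in, for and of on a hypothetical config blob"

    strings:
        $hdr = "CFG1"                    // hypothetical blob header
        $key = /key=[a-z0-9_]{4,32}/     // regex: one match per config entry
        $val = "val="
        $s1  = "beacon_interval"         // hypothetical field names
        $s2  = "c2_host"
        $s3  = "exfil_path"
        $s4  = "kill_date"

    condition:
        $hdr at 0                        // the header must be the first four bytes
        and #key >= 3                    // at least three key= entries
        and for all i in (1..#key) : (   // every key= is followed by a val= within 64 bytes
            $val in (@key[i]..@key[i] + 64)
        )
        and 2 of ($s*)                   // at least two of the known field names
}
```

Ordering the condition this way matters: the cheap checks ($hdr at 0, #key >= 3) come first, so yara short-circuits before the per-occurrence loop on files that cannot match, and the count check also guarantees the loop never runs over an empty range.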

YARA Rule Creator

The YARA Rule Creator on Cyberwarzone is an intuitive online tool that lets you swiftly generate simple YARA rules using an easy-to-use form.


Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
