YARA is a tool designed to help malware researchers identify and classify malware samples.
It is described as the pattern-matching Swiss army knife for malware researchers (and everyone else).
YARA provides an easy and effective way to write custom rules based on text strings or byte sequences, so you can build your own detection tools.
You can create descriptions of malware families based on textual or binary patterns, or whatever else you want to describe.
These descriptions, called rules, consist of a set of strings and a boolean expression (the condition) that determines the rule's logic.
The official website can be found here.
First, you need to install the yara tool on your Linux distribution.
I used Fedora 25.
[root@localhost mythcat]# dnf install yara
Last metadata expiration check: 0:49:37 ago on Sun Apr 16 22:23:14 2017.
Dependencies resolved.
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
yara x86_64 3.5.0-7.fc25 updates-testing 191 k
Transaction Summary
================================================================================
Install 1 Package
Total download size: 191 k
Installed size: 861 k
Is this ok [y/N]: y
Downloading Packages:
yara-3.5.0-7.fc25.x86_64.rpm 171 kB/s | 191 kB 00:01
--------------------------------------------------------------------------------
Total 92 kB/s | 191 kB 00:02
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Installing : yara-3.5.0-7.fc25.x86_64 1/1
Verifying : yara-3.5.0-7.fc25.x86_64 1/1
Installed:
yara.x86_64 3.5.0-7.fc25
Complete!
Let's test it with the basic command, first with no arguments and then with --help:
[mythcat@localhost ~]$ yara
yara: wrong number of arguments
Usage: yara [OPTION]... RULES_FILE FILE | DIR | PID
Try `--help` for more options
[mythcat@localhost ~]$ yara --help
YARA 3.5.0, the pattern matching swiss army knife.
Usage: yara [OPTION]... RULES_FILE FILE | DIR | PID
Mandatory arguments to long options are mandatory for short options too.
-t, --tag=TAG print only rules tagged as TAG
-i, --identifier=IDENTIFIER print only rules named IDENTIFIER
-n, --negate print only not satisfied rules (negate)
-D, --print-module-data print module data
-g, --print-tags print tags
-m, --print-meta print metadata
-s, --print-strings print matching strings
-e, --print-namespace print rules' namespace
-p, --threads=NUMBER use the specified NUMBER of threads to scan a directory
-l, --max-rules=NUMBER abort scanning after matching a NUMBER of rules
-d VAR=VALUE define external variable
-x MODULE=FILE pass FILE's content as extra data to MODULE
-a, --timeout=SECONDS abort scanning after the given number of SECONDS
-k, --stack-size=SLOTS set maximum stack size (default=16384)
-r, --recursive recursively search directories
-f, --fast-scan fast matching mode
-w, --no-warnings disable warnings
-v, --version show version information
-h, --help show this help and exit
Send bug reports and suggestions to: vmalvarez@virustotal.com .
When you write YARA rules you can also use:
- modules, which are like extensions to YARA's core functionality;
- external variables, defined at the command line with -d VAR=VALUE;
- include directives, which pull other rule files into your rule set.
The basic syntax of a YARA rule is this:
rule RuleName
{
strings:
$test_string1= "Testing"
$test_string2= {C6 45 ?? ??}
condition:
$test_string1 or $test_string2
}
Two important keywords here are strings and condition.
The strings section lists the values to search for (text strings in quotes, or hex byte sequences in braces, where ?? stands for any single byte), while condition specifies your detection criteria as a boolean expression over those strings.
Some examples of conditions:
all of them /* all strings in the rule */
any of them /* any string in the rule */
all of ($a*) /* all strings whose identifier starts by $a */
any of ($a,$b,$c) /* any of $a, $b or $c */
1 of ($*) /* same that "any of them" */
You can also include the meta keyword, see:
rule RuleName
{
meta:
author = "Catalin George Festila - rule 001 "
description = "tell something to the computer"
strings:
$test_string1= "first step "
...
The metadata can be printed at the command line with the -m (--print-meta) option.
You can add comments to your YARA rules just as if they were C source files, because rules have a syntax that resembles the C language: both /* ... */ block comments and // line comments work.
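To tie together the strings and condition keywords, the "N of" conditions, the meta section and C-style comments described above, here is an added example (not code from the original post). It writes a small rule set to a file, creates a few constructed sample files, and scans them with the yara CLI using the -g, -m and -s options shown in the help output. The rule names, file names, sample contents and the C6 45 ?? ?? byte pattern are made up for illustration; the scan step assumes yara is installed and is skipped otherwise.

```shell
#!/bin/sh
# Added example, not from the original post. Rule names, file names and
# sample contents are constructed for illustration only.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Write the rule set; yara compiles this file before scanning.
write_rules() {
    cat > "$WORK/demo.yar" <<'EOF'
/* Constructed rules for the walkthrough, not real malware signatures. */
rule Demo_Dropper : demo test
{
    meta:
        author      = "added example"
        description = "text strings plus a wildcarded byte pattern"
    strings:
        $a1 = "Testing"            // plain ASCII, case-sensitive
        $a2 = "cmd.exe" nocase     // also matches CMD.EXE, Cmd.Exe, ...
        $h1 = { C6 45 ?? ?? }      // any two bytes may follow C6 45
    condition:
        filesize < 1MB and (all of ($a*) or $h1)
}

rule Demo_TextOnly : demo
{
    strings:
        $s1 = "Testing"
    condition:
        $s1 and not Demo_Dropper   // a rule may reference an earlier rule
}
EOF
    printf '%s\n' "$WORK/demo.yar"
}

# Constructed samples: every string, only the hex pattern, only "Testing", nothing.
# Octal escapes are used because \x escapes are not portable in sh printf.
write_samples() {
    printf 'Testing build; run CMD.EXE later' > "$WORK/sample_text.bin"
    printf '\220\306\105\374\001\220'         > "$WORK/sample_hex.bin"
    printf 'Testing only'                     > "$WORK/sample_partial.bin"
    printf 'nothing to see here'              > "$WORK/sample_clean.bin"
    printf '%s\n' "$WORK"
}

# Check by hand what { C6 45 ?? ?? } means: byte C6, byte 45, then any two bytes.
# od prints one two-digit token per byte, so the match is always byte-aligned.
has_pattern_c645() {
    od -An -v -tx1 "$1" | tr -s ' \n' ' ' \
        | grep -q 'c6 45 [0-9a-f][0-9a-f] [0-9a-f][0-9a-f]'
}

# Run the scanner printing tags (-g), metadata (-m) and matched strings (-s).
scan() {
    if ! command -v yara >/dev/null 2>&1; then
        echo "yara is not installed; skipping the scan (dnf install yara)" >&2
        return 0
    fi
    yara -g -m -s "$WORK/demo.yar" "$WORK"
}

write_rules >/dev/null
write_samples >/dev/null
scan
```

With yara installed, sample_text.bin and sample_hex.bin report Demo_Dropper (the first via all of ($a*), the second via $h1), sample_partial.bin reports only Demo_TextOnly, and sample_clean.bin reports nothing; -s shows the offset and bytes of each matched string, which is the quickest way to check that a wildcarded pattern matched where you expected.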