{"id":9308,"date":"2017-09-15T08:57:17","date_gmt":"2017-09-15T16:57:17","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/09\/15\/news-3081\/"},"modified":"2017-09-15T08:57:17","modified_gmt":"2017-09-15T16:57:17","slug":"news-3081","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/09\/15\/news-3081\/","title":{"rendered":"Explained: YARA rules"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Fri, 15 Sep 2017 15:00:08 +0000<\/strong><\/p>\n

YARA rules are a way of identifying malware (or other files) by creating rules that look for certain characteristics. YARA was originally developed by Victor Alvarez of Virustotal and is mainly used in malware research and detection. It was developed with the idea to describe patterns that identify particular strains or entire families of malware.<\/p>\n

Syntax<\/h3>\n

Each rule has to start with the word rule<\/em>, followed by the name or identifier. The identifier can contain any alphanumeric character and the underscore character, but the first character is not allowed to be a digit. There is a list of YARA keywords<\/a> that are not allowed to be used as an identifier because they have a predefined meaning.\"\"<\/p>\n

Condition<\/h3>\n

Rules are composed of several sections. The condition<\/em> section is the only one that is required. This section specifies when the rule result is true<\/em> for the object (file) that is under investigation. It contains a Boolean expression that determines the result. Conditions are by design Boolean expressions and can contain all the usual logical and relational operators. You can also include another rule as part of your conditions.<\/p>\n

Strings<\/h3>\n

To give the condition<\/em> section a meaning you will also need a strings<\/em> section. The strings sections is where you can define the strings that will be looked for in the file. Let\u2019s look at an easy example.<\/p>\n

rule vendor
{
strings:
$text_string1 = \u201cVendor name\u201d wide
$text_string2 = \u201cAlias name\u201d wide
condition:
$text_string1 or $wide_string2
}
<\/code><\/p>\n

The rule shown above is named vendor and looks for the strings \u201cVendor name\u201d and \u201cAlias name\u201d. If either of those strings is found, then the result of the rule is true<\/em>.<\/p>\n

There are several types of strings you can look for:<\/p>\n