Write Your First YARA Rule

Orhan Öztaş
2 min read · Jun 10, 2022

If you want your company or yourself to take action against APT groups, I have an idea for you. You can avoid being the focus of these attacks by writing YARA rules.

YARA is a free and open-source tool aimed at helping security staff detect and classify malware. It can also provide customization for your security ecosystem.

YARA rules always contain three parts:

rule: Rule name

The meta part: This part includes general information about the YARA rule.
The strings part: This part contains all the strings that need to be searched for in files.
The condition part: This part defines the condition for matching. It can be just matching one or several strings, but it can also be more complex.

Thanks to Thomas Roccia

You can use binary sequences, hashes, commands and so on in the strings part. Do not forget that YARA basically works like antivirus programs, but it cannot take their place. It is mostly used for customization and quick response. Let’s write our first YARA rule.

(1) Rule name

(2) Metadata describing the rule. Other fields can be added, such as reference, date, hash, score, etc.

(3) This strings part means: match any file containing the byte sequence 01 23 45 67 89 AB CD EF.

(4) Match any file containing

The above rule is telling YARA that any file containing one of the three strings must be reported as HexEx.

This is just a simple example; more complex and powerful rules can be created by using wildcards, case-insensitive strings, regular expressions, special operators and many other features that you’ll find explained in YARA’s documentation.
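A rule with the meta, strings and condition parts described above, extended with the wildcard, case-insensitive and regular-expression features just mentioned. This is an added example, not the rule from the original article: only the byte sequence 01 23 45 67 89 AB CD EF comes from the text, while the rule name, meta values, text string and regular expression are constructed for illustration.

```yara
rule HexEx_Extended_Example
{
    meta:
        // All meta values below are constructed placeholders.
        description = "Added illustration of the meta, strings and condition parts"
        author      = "example"
        reference   = "placeholder"
        score       = 50

    strings:
        // Exact byte sequence quoted in the article.
        $hex_exact = { 01 23 45 67 89 AB CD EF }

        // Same sequence loosened with wildcards: ?? matches any single byte,
        // [2-4] skips between 2 and 4 arbitrary bytes.
        $hex_wild = { 01 23 ?? 67 [2-4] CD EF }

        // Constructed text string, matched case-insensitively in both
        // ASCII and UTF-16 (wide) encodings.
        $text = "example-marker-string" ascii wide nocase

        // Constructed regular expression, also case-insensitive.
        $re = /user-agent: example-[a-z0-9]{4,16}/ nocase

    condition:
        // Skip very large files to keep scans fast, then report the file if
        // the exact bytes are present or at least two of the looser
        // indicators match together (reduces false positives).
        filesize < 5MB and
        ($hex_exact or 2 of ($hex_wild, $text, $re))
}
```

Saved as a `.yar` file, the rule can be run with `yara -s <rules file> <target>`; the `-s` option prints the matching strings next to the rule name, which helps when tuning the condition.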

Thank you for reading. We will see more YARA rule examples in my other articles.

Orhan Öztaş

Blue Team Member. I write articles to help you with cyber security.