{"id":2766,"date":"2021-02-15T18:30:27","date_gmt":"2021-02-15T17:30:27","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=2766"},"modified":"2023-12-24T12:34:05","modified_gmt":"2023-12-24T11:34:05","slug":"yara","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=2766","title":{"rendered":"<span class=\"caps\">YARA<\/span>"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><em>Yet anoth\u00ader ridi\u00adcolous acrynom<\/em> is a tool for detect infor\u00adma\u00adtion in bina\u00adry and text files. <span class=\"caps\">YARA<\/span> rules are writen in text&nbsp;files.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">By call\u00ading yara with a rule file and a file to test, it either returns noth\u00ading if no rule was detect\u00aded or one or mul\u00adti\u00adple rules which match\u00ades the pro\u00advid\u00aded&nbsp;file.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Exam\u00adple: The foll\u00adwing rule (file\u00adname <em>detect_virus.yara<\/em>) checks for the string <em>virus<\/em>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">rule detect_virus {<br>   strings:<br>      $detection_string = \"virus\"<br>   condition:<br>      $detection_string<br>}<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This file can be used as fol\u00adlows to check the file <em>testfile.elf<\/em>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">yara detect_virus.yara testfile.elf<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The fol\u00adlow\u00ading rule checks for the occur\u00adrence the strings <em>virus<\/em> and <em>mal\u00adware<\/em>:<\/p>\n\n\n\n<pre id=\"block-94dbbcb8-55f9-4058-aff9-8ff6788645aa\" class=\"wp-block-preformatted\">rule detect_virus {\n   strings:\n      $detection_string1 = \"virus\"\n      $detection_string2 = \"malware\"\n   condition:\n      any of them\n}<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">To trig\u00adger detec\u00adtion only if a string occurs mul\u00adti\u00adple times, the con\u00addi\u00adtion can not only be boolean but also com\u00adpare with <em>&lt;=<\/em>, <em>&gt;=<\/em> and <em>!=<\/em>. Fur\u00adther\u00admore, con\u00addi\u00adtions can be com\u00adbined with the key\u00adwords <em>and<\/em>, <em>or<\/em> and <em>not<\/em>. The fol\u00adlow\u00ading rule trig\u00adgers only if the file con\u00adtains the string <em>sig\u00adcode<\/em> at least 5&nbsp;times.<\/p>\n\n\n\n<pre id=\"block-2c92d563-a766-4685-b50a-6648cdc29649\" class=\"wp-block-preformatted\">rule detect_virus {\n   strings:\n      $detection_string1 = \"sigcode\"\n      $detection_string2 = \"templ\"\n   condition:\n      $detection_string1 &gt;= 5 and $detection_string2\n}<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Create rules with yarGen<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">After a mali\u00adcious file was detect\u00aded, a new <span class=\"caps\">YARA<\/span> rule should be writ\u00adten to detect the file on oth\u00ader sys\u00adtems as well. The tool <a href=\"https:\/\/github.com\/Neo23x0\/yarGen\">yarGen<\/a> can help with that by ana\u00adlyz\u00ading the file and pro\u00adpose unique strings which prob\u00ada\u00adbly not appear in goodware.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Update the yarGen data\u00adbase of good strings with <code>python3 yarGen.py --update<\/code><\/li><li>Analyse the file with <code>python3 yarGen.py -m malware_file --excludegood -o new_rule.yar<\/code><\/li><\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Additional ressources<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/yara.readthedocs.io\/en\/stable\/writingrules.html\">Doc\u00adu\u00admen\u00adta\u00adtion about&nbsp;rules<\/a><\/li><li><a href=\"https:\/\/medium.com\/malware-buddy\/security-infographics-9c4d3bd891ef#18dd\">Cheat\u00adsheet<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Yet anoth\u00ader ridi\u00adcolous acrynom is a tool for detect infor\u00adma\u00adtion in bina\u00adry and text files. <span class=\"caps\">YARA<\/span> rules are writen in text&nbsp;files.&nbsp; By call\u00ading yara with a rule file and a file to test, it either returns noth\u00ading if no rule was detect\u00aded or one or mul\u00adti\u00adple rules which match\u00ades the pro\u00advid\u00aded&nbsp;file. Exam\u00adple: The foll\u00adwing&nbsp;rule&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[476,477],"tags":[353],"class_list":["post-2766","post","type-post","status-publish","format-standard","hentry","category-defence-tool","category-software","tag-yara"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2766","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2766"}],"version-history":[{"count":4,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2766\/revisions"}],"predecessor-version":[{"id":2773,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2766\/revisions\/2773"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2766"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2766"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2766"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}