Practical examples: https://github.com/InQuest/awesome-yara contains a list of .yara files used by large organisations.
YARA (Yet Another Recursive/Ridiculous Acronym) is a tool that can be used to identify files that meet certain conditions. It is mainly used by security researchers to classify malware. YARA rules are a way of identifying malware (or other files) by creating rules/conditions that look for certain characteristics.
The basic syntax of a Yara rule is as follows:
```yara
rule rulename
{
    meta:
        author = "tryhackme"
        description = "test rule"
        created = "11/12/2021 00:00"

    strings:
        $textstring = "text"        // text string, written in double quotes
        $hexstring = { 4D 5A }      // hex string, written in curly brackets

    condition:
        $textstring and $hexstring
}
```
Yara rules have three sections -
Strings: This section is all about the strings you want to match in a Yara rule. Here we define strings as if we were defining variables. A string declaration starts with a $ sign, followed by the name we want to assign to that string.
As the names of the strings signify, strings can be text strings or hex strings. Text strings are strings found in the legible text portion of a file, whereas hex strings are raw sequences of bytes in a file. To define text strings, we use double quotes, and to define hex strings, we use curly brackets. An implementation of this can be seen in the example rule above. Text strings can also use regular expressions (regex) for more complex pattern matching.
Condition: This section defines the conditions that the rule writer wants to be met in order for the rule to hit on a file. Conditions are boolean expressions, and they use the strings defined in the strings section as variables. For complex conditions, look at some practical examples.
Metadata: Metadata is an optional but important section in the rules. It starts with the keyword meta. It can be used to add additional information about the rule to help the analyst in their analysis. Generally, it contains arbitrarily defined identifiers and their values that are universally understood. Adding metadata to rules is especially important when contributing to the community, as it provides important contextual information and attribution for the rule.
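As an added example (not from the original write-up or the TryHackMe task), here is a rule that exercises all three sections and a few condition operators the short rule above does not show: string modifiers, hex wildcards and jumps, a regex string, reading bytes at an offset, file size and string counts. The author, description, marker text and thresholds are constructed for illustration; the rule does not describe any real malware family.

```yara
// Added example rule; every value below is constructed for illustration.
rule example_pe_with_marker
{
    meta:
        author      = "example author"               // constructed value
        description = "PE file that carries a marker string or an IPv4 literal"
        created     = "01/01/2022 00:00"
        reference   = "https://example.invalid/rule"  // placeholder URL

    strings:
        // Text string. 'nocase' ignores case; 'ascii wide' matches both the
        // 8-bit and the UTF-16LE encoding of the text.
        $marker = "SuspiciousMarker" nocase ascii wide

        // Hex string with '??' wildcards: the MZ signature, two skipped
        // fields, then the e_crlc field, which is usually zero.
        $mz_header = { 4D 5A ?? ?? ?? ?? 00 00 }

        // Hex string with a jump: "This program" [1-4 bytes] "cannot",
        // taken from the usual DOS stub message.
        $dos_stub = { 54 68 69 73 20 70 72 6F 67 72 61 6D [1-4] 63 61 6E 6E 6F 74 }

        // Regular expression: a dotted-quad IPv4 literal.
        $ipv4 = /\b(\d{1,3}\.){3}\d{1,3}\b/

    condition:
        // uint16(0) reads the first two bytes little-endian: "MZ" == 0x5A4D
        uint16(0) == 0x5A4D and
        $mz_header at 0 and          // the hex string must sit at offset 0
        filesize < 2MB and           // ignore large files
        $dos_stub and
        ( #marker >= 2 or $ipv4 )    // '#marker' is the number of occurrences
}
```

Save the rule as a .yar file and run it with yara -s -m example.yar target_file: -s prints the matched strings and their offsets, -m prints the meta section, and -r makes yara walk a directory recursively instead of scanning one file.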
The syntax to run a Yara rule can be simply stated as follows:
yara [options] rule_file [target]
In AoC3 Task 26 Day 21, our rule_file will be the file we saved as eicaryara, and the target will be our testfile. Therefore, our command for running the rule will look like this: yara [options] eicaryara testfile. Giving the options here is optional. If we run this command as it is, it will return the rule name and the file name if the rule is hit. If the rule is not hit, it will not return anything.
The first output is when the rule file is hit (in the red box) and the second output is when the rule file doesn't hit.