
YARA - Snort For Files


YARA is a useful tool, and not only for security researchers. It identifies and classifies files (PE files, text files, Office documents, etc.) by matching patterns against their contents.
The tool is easy to use. Rules live in plain-text files (for example name.yar), and one file can hold several rules. Each rule declares its patterns in a strings section and, in a condition section, states how those patterns must combine for the rule to match.

rule first_or_second
{
        strings:
               $a = "first_string"  // comment
               $b = "second_string" nocase // Yara is case-sensitive by default
        condition:
               $a or $b
}

Execute:

yara xxx.yar xxx.file

Everything in this example is intuitive: the rule matches when the file contains $a, or $b in any letter case. Add -s to the command line to print the matching strings and their offsets, which is the quickest way to see why a rule fired (or did not).

We can also use hexadecimal strings (with ?? as a one-byte wildcard) and regular expressions, and combine them with built-in values such as the file size:

rule reg_hex
{
            strings:
                 $rg = /state: (on|off)/   // regular expressions are case-sensitive unless marked nocase
                 $hx = { E8 00 ?? A1 }      // ?? matches any single byte
            condition:
                 $rg and $hx and filesize > 500KB   // every clause must be joined with and/or
}

filesize is one of several helpful built-in keywords; others let you count a string's occurrences (#a), read the offset of a match (@a), or require that a string sit at a specific position (at), as the next rule shows.

We can write more interesting rules. For example, the following rule from the community Yara-Rules repository flags Office documents that carry VBA macro code, covering both the legacy OLE2 format (.doc, .xls) and the ZIP-based OOXML format (.docm, .xlsm).
Source: https://github.com/Yara-Rules/rules/

rule Contains_VBA_macro_code
{
    meta:
        author = "evild3ad"
        description = "Detect a MS Office document with embedded VBA macro code"
        date = "2016-01-09"
        filetype = "Office documents"

    strings:
        $officemagic = { D0 CF 11 E0 A1 B1 1A E1 }
        $zipmagic = "PK"

        $97str1 = "_VBA_PROJECT_CUR" wide
        $97str2 = "VBAProject"
        $97str3 = { 41 74 74 72 69 62 75 74 00 65 20 56 42 5F } // Attribute VB_

        $xmlstr1 = "vbaProject.bin"
        $xmlstr2 = "vbaData.xml"

    condition:
        ($officemagic at 0 and any of ($97str*)) or ($zipmagic at 0 and any of ($xmlstr*))
}
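To make the conditions above concrete, here is an added example (not from the original post and not from the YARA project) that re-implements in plain Python the matching primitives the two rules use, then evaluates reg_hex and Contains_VBA_macro_code against constructed sample bytes. It is a teaching toy rather than yara-python, and it supports only what these rules need: the ?? byte wildcard, nocase, wide, at 0 anchoring and filesize.

```python
import re

# Added illustration: a tiny evaluator for the matching primitives used by the
# rules above. It is NOT yara-python and it is NOT YARA's matching engine; it
# exists to show what the rule conditions actually test. All sample "files"
# below are constructed byte strings, not real documents.


def hex_pattern(pattern: str) -> re.Pattern:
    """Compile a YARA-style hex string such as '{ E8 00 ?? A1 }' to a bytes regex.
    '??' stands for exactly one arbitrary byte. Nibble wildcards ('4?') and
    jumps ('[2-4]') exist in YARA but are not supported by this toy."""
    parts = []
    for tok in pattern.strip().strip("{}").split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def text_pattern(s: str, nocase: bool = False, wide: bool = False) -> re.Pattern:
    """Compile a text string. 'wide' encodes it as UTF-16LE (one zero byte after
    every ASCII character), as YARA does; 'nocase' ignores ASCII letter case."""
    data = s.encode("utf-16-le" if wide else "ascii")
    flags = re.DOTALL | (re.IGNORECASE if nocase else 0)
    return re.compile(re.escape(data), flags)


def matches_at(pat: re.Pattern, data: bytes, offset: int) -> bool:
    """YARA's '$x at offset': the string must start exactly at that offset."""
    return pat.match(data, offset) is not None


def offsets(pat: re.Pattern, data: bytes) -> list:
    """Offsets of non-overlapping occurrences (YARA also reports overlapping ones)."""
    return [m.start() for m in pat.finditer(data)]


# --- rule reg_hex -----------------------------------------------------------
RG = re.compile(rb"state: (on|off)")           # YARA regexes are case-sensitive by default
HX = hex_pattern("{ E8 00 ?? A1 }")


def reg_hex(data: bytes) -> bool:
    # filesize > 500KB; in YARA the KB suffix means 1024 bytes
    return (RG.search(data) is not None
            and HX.search(data) is not None
            and len(data) > 500 * 1024)


# --- rule Contains_VBA_macro_code -------------------------------------------
OFFICEMAGIC = hex_pattern("{ D0 CF 11 E0 A1 B1 1A E1 }")   # OLE2 compound file header
ZIPMAGIC = text_pattern("PK")                               # ZIP local file header
STR97 = [text_pattern("_VBA_PROJECT_CUR", wide=True),
         text_pattern("VBAProject"),
         hex_pattern("{ 41 74 74 72 69 62 75 74 00 65 20 56 42 5F }")]
XMLSTR = [text_pattern("vbaProject.bin"), text_pattern("vbaData.xml")]


def contains_vba_macro(data: bytes) -> bool:
    legacy = matches_at(OFFICEMAGIC, data, 0) and any(p.search(data) for p in STR97)
    ooxml = matches_at(ZIPMAGIC, data, 0) and any(p.search(data) for p in XMLSTR)
    return legacy or ooxml


# --- constructed samples (not real files) -----------------------------------
OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504   # stand-in for a 512-byte OLE header
SAMPLE_OLE_MACRO = OLE + b"\x00" * 64 + "_VBA_PROJECT_CUR".encode("utf-16-le")
SAMPLE_OLE_PLAIN = OLE + b"plain document text, no VBA storage"
# ZIP entry names are stored uncompressed in the local header and the central
# directory, so "word/vbaProject.bin" is visible without unzipping the .docm.
SAMPLE_DOCX_MACRO = b"PK\x03\x04" + b"\x00" * 26 + b"word/vbaProject.bin"
SAMPLE_DOCX_PLAIN = b"PK\x03\x04" + b"\x00" * 26 + b"word/document.xml"
# Macro strings present, but the OLE magic is not at offset 0: the rule must not fire.
SAMPLE_DECOY = b"junk" + SAMPLE_OLE_MACRO
SAMPLE_REGHEX = b"\x00" * (600 * 1024) + b"state: off\xe8\x00\x7f\xa1"

if __name__ == "__main__":
    for name, blob in [("OLE with macro", SAMPLE_OLE_MACRO),
                       ("OLE without macro", SAMPLE_OLE_PLAIN),
                       ("OOXML with macro", SAMPLE_DOCX_MACRO),
                       ("OOXML without macro", SAMPLE_DOCX_PLAIN),
                       ("decoy, magic shifted", SAMPLE_DECOY)]:
        print(f"{name:22} -> {contains_vba_macro(blob)}")
    print(f"reg_hex on 600KB sample -> {reg_hex(SAMPLE_REGHEX)}")
```

The decoy sample is the point of the at 0 anchoring: a file that merely contains the OLE header and the macro strings somewhere inside (an e-mail with an attachment, a polyglot) does not match, because the condition anchors the magic to the start of the file. When you run the real rule with yara -s against a sample, compare the printed offsets with what this toy reports to confirm you understand which clause triggered.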

You can also convert ClamAV signatures into YARA rules. For more detailed and up-to-date information on the rule syntax, modules and command-line options, see the official documentation: https://yara.readthedocs.io