Convert Figma logo to code with AI

VirusTotal logoyara

The pattern matching swiss knife

8,110
1,424
8,110
174
View on GitHub

Top Related Projects

Yara-Rules's avatar

rules

4,114

Repository of yara rules

Neo23x0's avatar

signature-base

2,433

YARA signature and IOC database for my scanners and tools

OISF's avatar

suricata

4,438

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community.

mandiant's avatar

red_team_tool_countermeasures

2,642

Quick Overview

YARA is a tool aimed at helping malware researchers identify and classify malware samples. It allows users to create descriptions of malware families based on textual or binary patterns. These descriptions, called YARA rules, can be used to scan files, processes, or memory dumps to find matching patterns.

Pros

  • Highly flexible and powerful pattern matching capabilities
  • Supports a wide range of data types and operators
  • Integrates well with other security tools and platforms
  • Active community and regular updates

Cons

  • Steep learning curve for creating complex rules
  • Performance can be impacted when using many complex rules
  • Limited built-in support for analyzing encrypted or packed malware
  • Requires manual creation and maintenance of rules

Code Examples

  1. Basic YARA rule structure:
rule ExampleRule
{
    meta:
        description = "This is a basic YARA rule"
        author = "Your Name"
        date = "2023-04-20"
    
    strings:
        $string1 = "suspicious_string"
        $hex_string = { 4D 5A 90 00 03 00 00 00 }
    
    condition:
        $string1 or $hex_string
}
  1. Using logical operators in conditions:
rule LogicalOperators
{
    strings:
        $a = "function_name1"
        $b = "function_name2"
        $c = "function_name3"
    
    condition:
        2 of ($a, $b, $c) and filesize < 1MB
}
  1. Using regular expressions:
rule RegexExample
{
    strings:
        $email = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}/
    
    condition:
        $email
}

Getting Started

  1. Install YARA:

    git clone https://github.com/VirusTotal/yara.git
cd yara
./bootstrap.sh
./configure
make
sudo make install

  2. Create a YARA rule file (e.g., myrule.yar) with your rules.

  3. Run YARA on a file or directory:

    yara myrule.yar /path/to/file_or_directory

  4. For more advanced usage, refer to the official documentation.

Competitor Comparisons

Yara-Rules logo

rules

4,114

Repository of yara rules

Pros of rules

  • Extensive collection of pre-written YARA rules for various malware families and threats
  • Community-driven project with frequent updates and contributions
  • Ready-to-use rules for immediate implementation in security systems

Cons of rules

  • May include outdated or less accurate rules if not regularly maintained
  • Potential for false positives due to the broad nature of some rules
  • Requires careful review and testing before deployment in production environments

Code comparison

rules:

rule Cryptolocker {
    meta:
        description = "Detect Cryptolocker ransomware"
    strings:
        $a = "CryptoLocker"
    condition:
        $a
}

yara:

int yr_compiler_add_string(
    YR_COMPILER* compiler,
    const char* identifier,
    const char* string,
    int flags)
{
    // Implementation details
}

The rules repository focuses on providing YARA rule definitions, while the yara repository contains the core YARA engine implementation. The code snippets illustrate this difference, with rules showing a sample YARA rule and yara displaying a C function from the compiler.

Neo23x0 logo

signature-base

2,433

YARA signature and IOC database for my scanners and tools

Pros of signature-base

  • Extensive collection of pre-made YARA rules for various threats
  • Regularly updated with new signatures for emerging malware
  • Includes additional tools and scripts for threat detection

Cons of signature-base

  • Focused on signatures rather than the YARA engine itself
  • May require more frequent updates to stay current with threats
  • Potentially higher false positive rate due to broader rule coverage

Code Comparison

YARA (rule definition):

rule ExampleRule {
    strings:
        $a = "suspicious_string"
    condition:
        $a
}

signature-base (rule example):

rule APT_MAL_GENERIC {
    meta:
        description = "Detects generic APT malware"
    strings:
        $s1 = "cmd.exe /c " nocase
        $s2 = "powershell.exe -nop -w hidden -c " nocase
    condition:
        any of them
}

YARA is a tool for creating and using rules to identify and classify malware samples, while signature-base is a collection of pre-made YARA rules and other detection mechanisms. YARA provides the foundation for creating custom rules, whereas signature-base offers a ready-to-use set of rules for various threats. Users looking to develop their own rules may prefer YARA, while those seeking immediate threat detection capabilities might find signature-base more suitable.

OISF logo

suricata

4,438

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community.

Pros of Suricata

  • Real-time network traffic analysis and intrusion detection
  • Supports multi-threading for high-performance processing
  • Extensive protocol support and application layer inspection

Cons of Suricata

  • Higher resource consumption due to complex analysis
  • Steeper learning curve for rule writing and configuration
  • Limited to network-based detection, unlike YARA's file-based approach

Code Comparison

Suricata rule example:

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Suspicious HTTP Request"; 
content:"GET"; http_method; content:"/malicious.php"; http_uri; 
sid:1000001; rev:1;)

YARA rule example:

rule SuspiciousFile {
    strings:
        $suspicious = "malicious_function"
    condition:
        $suspicious
}

Both tools use rule-based detection, but Suricata focuses on network traffic while YARA targets file content. Suricata rules are more network-oriented, specifying protocols and IP ranges. YARA rules are simpler and concentrate on file characteristics and content matching.

mandiant logo

red_team_tool_countermeasures

2,642

Pros of red_team_tool_countermeasures

  • Focuses specifically on countermeasures against known red team tools
  • Provides detailed detection rules and mitigation strategies
  • Regularly updated with new threat intelligence

Cons of red_team_tool_countermeasures

  • Limited scope compared to YARA's versatility
  • Requires more manual implementation and customization
  • May not be as effective against novel or custom malware

Code Comparison

YARA rule example:

rule suspicious_behavior {
    strings:
        $a = "CreateRemoteThread"
        $b = "VirtualAllocEx"
    condition:
        $a and $b
}

red_team_tool_countermeasures detection rule example:

<Sysmon schemaversion="4.30">
  <EventFiltering>
    <RuleGroup name="Suspicious Process Creation">
      <ProcessCreate onmatch="include">
        <CommandLine condition="contains">powershell.exe -nop -w hidden</CommandLine>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

Both repositories offer valuable tools for threat detection and analysis. YARA provides a flexible pattern matching language for malware identification, while red_team_tool_countermeasures focuses on specific countermeasures against known red team tools. YARA is more versatile and can be applied to various file types, while red_team_tool_countermeasures offers more targeted detection rules for specific attack techniques.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Join the chat at https://gitter.im/VirusTotal/yara AppVeyor build status Coverity status

YARA in a nutshell

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determine its logic. Let's see an example:

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}

The above rule is telling YARA that any file containing one of the three strings must be reported as silent_banker. This is just a simple example, more complex and powerful rules can be created by using wild-cards, case-insensitive strings, regular expressions, special operators and many other features that you'll find explained in YARA's documentation.

YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.

Additional resources

Do you use GitHub for storing your YARA rules? YARA-CI may be a useful addition to your toolbelt. This is GitHub application that provides continuous testing for your rules, helping you to identify common mistakes and false positives.

If you plan to use YARA to scan compressed files (.zip, .tar, etc) you should take a look at yextend, a very helpful extension to YARA developed and open-sourced by Bayshore Networks.

Additionally, the guys from InQuest have curated an awesome list of YARA-related stuff.

Who's using YARA

Are you using it? Want to see your site listed here?