Yara-Rules/rules

Repository of yara rules


Quick Overview

Yara-Rules/rules is a GitHub repository containing a collection of YARA rules for malware detection and analysis. YARA is a tool used to identify and classify malware samples based on textual or binary patterns. This repository serves as a community-driven resource for security professionals and researchers to share and collaborate on YARA rules.

Pros

  • Extensive collection of YARA rules covering various malware families and threats
  • Regularly updated with contributions from the cybersecurity community
  • Well-organized structure with rules categorized by malware type or purpose
  • Includes both specific and generic rules for diverse detection capabilities

Cons

  • Some rules may be outdated or less effective against evolving malware variants
  • Quality and effectiveness of rules can vary due to community contributions
  • Potential for false positives if rules are not properly tested or fine-tuned
  • Requires knowledge of YARA syntax and malware analysis for effective use

Getting Started

To use the YARA rules from this repository:

  1. Clone the repository:

    git clone https://github.com/Yara-Rules/rules.git
    
  2. Install YARA on your system (if not already installed):

    • For Ubuntu/Debian: sudo apt-get install yara
    • For macOS with Homebrew: brew install yara
    • For Windows, download from the official YARA releases page
  3. Run YARA with a specific rule or ruleset:

    yara /path/to/rule.yar /path/to/file/or/directory
    
  4. To use multiple rules, create a .yar file that includes other rules:

    include "/path/to/rules/malware/MALW_AZORULT.yar"
    include "/path/to/rules/malware/MALW_Emotet.yar"
    

    Then run YARA with this file:

    yara combined_rules.yar /path/to/file/or/directory
    

Remember to regularly update the repository to get the latest rules:

cd /path/to/rules
git pull

Competitor Comparisons

signature-base: YARA signature and IOC database for my scanners and tools

Pros of signature-base

  • More comprehensive collection of signatures, including YARA rules, Sigma rules, and other detection methods
  • Actively maintained with frequent updates and contributions from the community
  • Includes additional tools and scripts for rule management and testing

Cons of signature-base

  • Larger repository size, which may require more storage and longer download times
  • More complex structure, potentially making it harder for beginners to navigate
  • Some rules may be more specific or tailored to certain use cases

Code Comparison

signature-base YARA rule example:

rule SUSP_LNK_SmallImageSize_June23 {
   meta:
      description = "Detects LNK files with suspicious small icon image sizes"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2023-06-13"
   strings:
      $s1 = { 4C 00 00 00 ( 01 00 00 00 | 02 00 00 00 ) 00 00 00 00 }
   condition:
      uint32(0) == 0x0000004c and $s1
}

Yara-Rules/rules YARA rule example:

rule MALWARE_Win_Havoc {
    meta:
        author = "ditekSHen"
        description = "Detects Havoc C2"
    strings:
        $s1 = "havocflag{" ascii wide
        $s2 = "\\havoc.exe" ascii wide
    condition:
        uint16(0) == 0x5a4d and all of them
}

Pros of red_team_tool_countermeasures

  • Focuses specifically on countermeasures against red team tools
  • Provides detailed detection rules for various attack techniques
  • Includes YARA rules, Snort rules, and other detection methods

Cons of red_team_tool_countermeasures

  • Less frequently updated compared to rules
  • Narrower scope, primarily focused on specific red team tools
  • Smaller community and fewer contributors

Code Comparison

rules:

rule SUSP_LNK_SmallImageSize_May23 {
    meta:
        description = "Detects LNK files with suspicious small icon/image sizes"
        author = "Florian Roth"
        date = "2023-05-15"
    strings:
        $h1 = { 4C 00 00 00 01 14 02 00 }
    condition:
        // $h1 must be referenced here, otherwise YARA refuses to compile the rule
        uint32be(0) == 0x4C000000 and $h1 at 0 and uint32(0x24) < 0x1000 and filesize < 4KB
}

red_team_tool_countermeasures:

rule CISA_10365227_01 : trojan LIGHTDRIFT {
    meta:
        author = "CISA Code & Media Analysis"
        date = "2021-04-15"
        description = "Detects LIGHTDRIFT backdoor"
    strings:
        $s1 = "GetCommandLineA"
        $s2 = "CreateProcessA"
    condition:
        uint16(0) == 0x5A4D and all of them
}

README

Project

This project grew out of the need of a group of IT security researchers for a single repository where Yara signatures from different sources are compiled, classified and kept as up to date as possible; it began as an open-source community for collecting Yara rules. Our Yara ruleset is released under the GNU GPLv2 license and is open to any user or organization, as long as it is used under that license.

Yara is increasingly widely used, but knowledge about the tool and its usage is scattered across many different places. The Yara Rules project aims to be the meeting point for Yara users by gathering a ruleset that is as complete as possible, giving users a quick way to get Yara ready for use.

We hope this project is useful for the Security Community and all Yara Users, and are looking forward to your feedback. Join this community by subscribing to our mailing list.

Contribute

If you’re interested in sharing your Yara rules with us and the Security Community, you can join our mailing list, send a message to our Twitter account or send a pull request here.

Twitter account: https://twitter.com/yararules

Requirements

Yara version 3.0 or higher is required for most of our rules to work. This is mainly due to the use of the "pe" module introduced in that version.

You can check your installed version with yara -v.

Packages available in Ubuntu 14.04 LTS default repositories are too old. You can alternatively install from source or use the packages available in the Remnux repository.

Also, you will need Androguard Module if you want to use the rules in the 'mobile_malware' category.

We have deprecated the mobile_malware rules that depend on the Androguard module because it appears to be an abandoned project.
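The Getting Started steps above (clone, check the install, build one .yar that includes the rules you want, scan with a single yara call) and the version requirement from this section, put together in an added helper script that is not part of the Yara-Rules/rules project. It assumes the repository's category directory layout (malware/, packers/, deprecated/ ...), that yara -v prints a bare version number, and an output file name of combined_rules.yar.

```shell
#!/bin/sh
# Added example, not part of Yara-Rules/rules: check the installed YARA version
# against the 3.0 minimum the README states, then write one combined .yar file
# that includes every rule of the chosen categories so a scan needs a single
# "yara" invocation. Category directories follow the repository layout.

MIN_MAJOR=3
MIN_MINOR=0

# Return 0 when "major.minor[.patch]" is at least MIN_MAJOR.MIN_MINOR.
yara_version_ok() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" = "$1" ] && minor=0            # bare "4" has no minor part
    case "$major$minor" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$major" -gt "$MIN_MAJOR" ] ||
       { [ "$major" -eq "$MIN_MAJOR" ] && [ "$minor" -ge "$MIN_MINOR" ]; }; then
        return 0
    fi
    return 1
}

# build_ruleset RULES_DIR OUT CATEGORY...: write an include line for every
# *.yar under each category. The deprecated tree is always skipped (its rules
# need the abandoned Androguard module); unknown categories or no rules fail.
build_ruleset() {
    rules_dir=$1; out=$2; shift 2
    : > "$out"
    for category in "$@"; do
        if [ "$category" = deprecated ]; then continue; fi
        if [ ! -d "$rules_dir/$category" ]; then
            echo "no such category: $category" >&2; return 1
        fi
        for f in "$rules_dir/$category"/*.yar; do
            [ -f "$f" ] && echo "include \"$f\"" >> "$out"
        done
    done
    [ -s "$out" ]
}

# Script usage (assumed): sh build_ruleset.sh /path/to/rules malware packers
if [ -n "${1:-}" ]; then
    rules_dir=$1; shift
    if command -v yara >/dev/null 2>&1 && ! yara_version_ok "$(yara -v)"; then
        echo "installed yara is older than $MIN_MAJOR.$MIN_MINOR" >&2; exit 1
    fi
    build_ruleset "$rules_dir" combined_rules.yar "$@" &&
        echo "scan with: yara combined_rules.yar /path/to/file/or/directory"
fi
```

Re-run the script after each git pull so newly added rule files are picked up by the include list.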

Categories

Anti-debug/Anti-VM

In this section you will find Yara Rules aimed toward the detection of anti-debug and anti-virtualization techniques used by malware to evade automated analysis.

Capabilities

In this section you will find Yara rules to detect capabilities that do not fit into any of the other categories. They are useful to know for analysis but may not be malicious indicators on their own.

CVE Rules

In this section you will find Yara rules specialised toward the identification of specific Common Vulnerabilities and Exposures (CVEs).

Crypto

In this section you will find Yara rules aimed at detecting the presence of cryptographic algorithms.

Exploit Kits

In this section you will find Yara rules aimed at detecting exploit kits.

Malicious Documents

In this section you will find Yara rules to be used on documents to determine whether they have been crafted to carry malicious code.

Malware

In this section you will find Yara rules specialised toward the identification of well-known malware.

Packers

In this section you will find Yara rules aimed at detecting well-known software packers, which malware can use to hide itself.

WebShells

In this section you will find Yara rules specialised toward the identification of well-known webshells.

Email

In this section you will find Yara rules specialised toward the identification of malicious e-mails.

Malware Mobile

In this section you will find Yara rules specialised toward the identification of well-known mobile malware.

Deprecated

In this section you will find deprecated Yara rules.

Contact

Webpage: https://yara-rules.github.io/blog/

Twitter account: https://twitter.com/yararules