Open in app

Sign in

Write

Sign in

YARA setup : installation and configuration of YARA in linux machine

Nikhil Chaudhari
7 min readNov 7, 2024

--

Welcome back Guys in the series of “Security analysis 101” where we discuss security stuff and find pattern to solve problems. Today we are going to cover YARA one of most useful rule book tool for EDR and other things to detect malwares and other threats. Lets start with introduction.

Introduction

Here i will cover installation and configuration of YARA in linux machine. also see how we can create rules for malware or threat detection with realworld examples.

YARA installation

  1. Clone the YARA repository from virustotal github page.
Git clone https://github.com/VirusTotal/yara.git

Latest releases of Yara can be found at : https://github.com/virustotal/yara/releases

2. Now Install the Dependencies using below command.

sudo apt-get install automake libtool make gcc pkg-config flex bison

3. Run below commands to setup Yara.

wget https://github.com/VirusTotal/yara/archive/refs/tags/v4.3.2.tar.gz
tar -zxf v4.3.2.tar.gz
cd yara-4.3.2
./bootstrap.sh
./configure --with-crypto --enable-profiling --enable-macho --enable-dex --enable-cuckoo --enable-magic --enable-dotnet
make
sudo make install
sudo apt-get remove -y libyara9 python3-yara #Removes any existing installation from distro repos

4. Verify YARA installation : After installation, you can verify that YARA is working correctly by running below command.

yara --version

Yara Syntax

YARA rules are written in files with the .yar extension. Each YARA rule is composed of several sections, enabling a structured and organized approach to defining detection patterns.

Import Module :

  • To enhance the functionality of YARA rules, you can import other external YARA modules. These modules provide additional features and capabilities for your rules. For example, importing the “pe” module allows you to analyze Windows PE files more effectively:
import pe

Rule name :

  • A YARA rule must have a user-defined name that helps organize the rules within a ruleset. Giving meaningful names to rules is essential for easy identification and management. For instance:
rule my_first_rule

Meta Data :

  • Adding meta data to your YARA rule can be incredibly valuable, especially when sharing your rules with the community or your colleagues. Meta data provides additional information about the rule’s purpose, author, and description. It aids in better understanding the rule’s intent and usage. Here’s how you can include meta data in your rule:
meta:
  author = "Nikhil"
  description = "My First yara rule"
  date = "2024-11-07"

Strings :

Strings are the heart of a YARA rule and define the patterns you want to search for in a file. YARA supports various types of strings, including plain text strings, hexadecimal strings, and regular expressions.

  • Plain Text Strings: These strings are enclosed in double quotes and can be used to search for specific text patterns in files:
  • Hexadecimal Strings: Hex strings allow you to search for binary patterns in files. You can use wildcards (represented by “?”) to match variable bytes.
  • Regaular expression: YARA supports regular expressions to create more flexible and complex pattern-matching rules. . For instance, you can use a regular expression to search for MD5 hashes.
strings:
  $text_string = "text here"
  $hex_string = { E2 34 ?? C8 A? FB }   
  $re1 = /md5: [0-9a-fA-F]{32}/

Condition :

The condition part of a YARA rule is crucial, as it determines when the rule will be triggered based on the presence or absence of specific strings or characteristics in the target file. Understanding various ways to craft conditions enhances your ability to create effective and precise YARA rules. Below are the some of the ways the conditions can be written.

  1. Boolean Logic: Boolean logic allows you to combine multiple conditions using operators like AND (and), OR (or), and NOT (not). For example:
condition: 
  $hex_string and $text_string

The rule will match if both the $hex_string and $text_string are found in the file.

2. Using Quantifiers : Quantifiers enable you to specify how many times a string or condition should be repeated in the file. YARA supports quantifiers like at least, at most, and any of them. For example:

condition: 
  $string1 at least 2 and $string2 at most 4

The rule will match if string1 is found at least twice and string2 is found at most four times in the file.

3. File size Condition : YARA allows you to incorporate file attributes into conditions. You can use the special attribute $filesize to create conditions based on the size of the file. For example:

condition: 
  $filesize < 5MB
  • Combining Multiple Conditions: Leveraging the power of boolean logic, quantifiers, and file attributes, you can create comprehensive conditions tailored to your specific use case. For example:
condition: 
    $filesize < 2MB and ($string1 or $string2) and not $string3

This rule will match if the file size is less than 2 MB , either string1 or string2 is found, but string3 is not found in the file.

YARA Scanning

To execute YARA rules and perform scanning, you can use the yara command-line tool. The basic command syntax is as follows:

yara [options] <rule_file> <target>

Example YARA rule

Rule to Detect Common Windows File Paths

// Rule to detect common Windows file paths
import "pe"

rule detect_common_windows_file_paths {
    meta:
        author = "Karan"
        last_updated = "2023-07-27"
        confidence = "medium"
        description = "Detects common Windows file paths in PE files"

    strings:
        $windows_paths = /C:\\(Windows|Program Files|System32|Users\\Public)\\/i

    condition:
        pe.number_of_sections >= 2 and any of them
}

In this YARA rule, we use the pe module to analyze Portable Executable (PE) files and detect common Windows file paths. The rule looks for strings that match typical Windows file paths, such as C:\Windows, C:\Program Files, C:\System32, and C:\Users\Public, regardless of the case. If any of these paths are found within the PE file, the rule will trigger. The condition also ensures that the PE file has at least two sections to increase the accuracy of the detection.

Expanding the Capabilities of YARA Rules

When crafting YARA rules, incorporating wildcards and jumps can significantly expand the rule’s detection capabilities, making it more flexible and versatile. These powerful features allow you to create rules that match a broader range of patterns, thus enhancing your threat hunting and malware detection capabilities.

WILD-CARDS :

In YARA, wild cards allow you to specify flexible matching patterns for bytes or nibbles in a hexadecimal string. We can use the question mark (?) as a wild card, and the tilde (~) as the not operator

Example 1:

$hex_string1 = { F4 23 ~00 62 B4 }
        $hex_string2 = { F4 23 ~?0 62 B4 }

In the example above, in $hex_string1 we have a byte prefixed with a tilde (~), which is the not operator. This defines that the byte in that location can take any value except the value specified. In this case the first string will only match if the byte is not 00. The not operator can also be used with nibble-wise wild-cards, so the second string $hex_string2 will only match if the second nibble is not zero.

Example 2:

$hex_string3 = { F4 23 ( 62 B4 | 56 | 45 ?? 67 ) 45 }

YARA rule employs wild cards for flexible matching. It matches files if the string contains the specified fixed bytes F4 23 at the beginning, followed by either 62 B4 or 56 or any two nibbles between 45 and 67, and finally, ends with 45. Any other combination of bytes at these positions will not result in a match.

JUMP :

Jumps, represented by [min-max], enable matching variable-length sequences between defined patterns. For example:

$hex_string = { F4 23 [4-6] 62 B4 }

This rule will match if any sequence of 4 to 6 bytes occurs between F423 and 62B4. Jumps offer flexibility, allowing different patterns within the specified range. Any of the following strings will match the pattern:

F4 23 01 02 03 04 62 B4
F4 23 00 00 00 00 00 62 B4
F4 23 15 82 A3 04 45 22 62 B4

YARA Rule Generators and Tools for Effective Threat Hunting

In addition to crafting YARA rules manually, there are several tools available that can streamline the process and enhance the efficiency of threat hunting and malware detection. Here are a few notable ones:

  1. YARGEN: A powerful YARA rule generator that automates rule creation by analyzing known malware patterns, enabling quick responses to emerging threats and saving time for security analysts.
  2. LOKI: An open-source scanner equipped with pre-built YARA rules, capable of detecting indicators of compromise (IOCs) on systems, helping security professionals swiftly identify potential threats and respond to security incidents.
  3. THOR: A comprehensive cybersecurity tool featuring YARA-based scanning that thoroughly checks files, memory, and network traffic, utilizing YARA’s pattern-matching capabilities to uncover hidden malware and enhance proactive threat hunting.
  4. Valhalla: An advanced YARA rule management platform that centralizes rule storage, versioning, and sharing, streamlining collaboration between security analysts and ensuring efficient rule deployment across an organization’s security infrastructure.

Conclusion

Today we have learnt , how to download install and configure the yara rule set. Also we have taken overview of yara structure and went into deep with examples in real-world-scenarios.

I hope you like the content i wrote. if you like give me clap and follow for such content.

Cybersecurity
Yara
Threat Detection
Malware Analysis

--

--

Nikhil Chaudhari
Nikhil Chaudhari

Written by Nikhil Chaudhari

1 Follower
6 Following

I am (🦊) Cloud Security Researcher | | SOC Analyst | Passionate about learning & writing new technologies, tools & automations.

No responses yet

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams