
Cybersecurity

project :
Yara

Presented by :
Zougah Maha
Ben Chaabene Feryel
Table of contents
1 What is yara?
2 Who's using yara?
3 How does yara function?
4 What is a rule?
5 Syntax of a rule
6 The demonstration of two examples


What is yara?

YARA is an open-source tool used for malware analysis and detection. It allows malware researchers to identify and classify patterns in their data, but it can also be used for other purposes, such as digital forensics.

YARA supports both Unix- and Windows-based systems, and it can be used from the command line or from Python scripts with the yara-python extension.

First released in 2007, it was developed by Victor Alvarez, a software engineer at VirusTotal.
WHO'S USING YARA?
HOW DOES YARA FUNCTION?

YARA accepts rules written in a custom language. These rules define the patterns that identify particular strains or entire families of malware, and the conditions that must be met for the rule to be triggered.

Patterns can be defined as plain text strings, binary strings, or regular expressions, and you can create quite complex conditions for your rules.
WHAT IS A RULE?
Rules are composed of a set of strings and a boolean expression that determines the rule's logic.

YARA rules are easy to write and understand, and they have a syntax that resembles the C language.
SYNTAX OF A RULE
Every YARA rule begins with the keyword rule, as seen in the first line of the example.

It is followed by the name of the rule (also known as the rule identifier).

Rule identifiers may contain alphanumeric characters and underscores but cannot start with a digit. They cannot exceed 128 characters and are case sensitive.
SYNTAX OF A RULE
Then comes the metadata of the YARA rule. Metadata provides useful information about the rule itself. In this section, you can include:
Author
Date
Version
Reference
Description
Hash
SYNTAX OF A RULE
The strings section is where you define the strings that will be looked for in the file.

There are several types of strings you can look for:
Hexadecimal strings, in combination with wild-cards, jumps, and alternatives.
Text strings, with modifiers: nocase, fullword, wide, and ascii.
Regular expressions, with the same modifiers as text strings.
SYNTAX OF A RULE
Finally, we finish with the condition section, which typically consists of boolean expressions and is where the logic of the rule lives.

The condition section is the only section that is required.

Conditions can also refer to the location of a string in the file. This helps especially in identifying the file type and hence reduces the chances of our rules producing false positives.
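A complete rule that exercises each section described above (the rule keyword and identifier, meta, all three string types with their modifiers, and a condition with a location check), added here as an illustration and not taken from the presentation; every string, hash and reference in it is a constructed placeholder, not a real indicator.

```yara
rule Demo_PE_Dropper_Example
{
    meta:
        author      = "added example, not from the presentation"
        date        = "2024-01-01"
        version     = "1"
        description = "Illustrates rule identifier, meta, strings and condition sections"
        reference   = "placeholder: <link to the analysis report>"
        hash        = "placeholder: <sha256 of the analysed sample>"

    strings:
        // Hexadecimal string with wild-cards (??) and a jump ([2-4]); constructed pattern
        $hex_pattern = { 6A 40 68 00 30 00 00 ?? [2-4] E8 }

        // Text strings: nocase ignores case, fullword needs word boundaries,
        // wide matches UTF-16LE, ascii matches the plain encoding (both when combined)
        $cmd = "cmd.exe /c" nocase
        $key = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" nocase wide ascii
        $dl  = "download" fullword nocase

        // Regular expression, with the same modifiers available as for text strings
        $url = /https?:\/\/[a-z0-9.-]+\.example\/[a-z0-9_\/]+\.exe/ nocase

        // The DOS header magic of a PE file
        $mz = "MZ"

    condition:
        // Location check: "MZ" at offset 0 restricts the rule to PE files,
        // which is what keeps the text strings from firing on arbitrary documents
        $mz at 0 and
        filesize < 2MB and
        $hex_pattern and
        2 of ($cmd, $key, $dl, $url)
}
```

Run it as `yara -s Demo_PE_Dropper_Example.yar <file-or-directory>` to see which strings matched and at which offsets.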
The demonstration of an example
An example of an adware identification
Do you have any questions?
We thank you for your attention.
