YARA

A rule must have a name and a condition. The language allows to inspect specific characteristics of the file that will be analyzed; for example the file size. Each rule consists of three structures: meta, strings and condition. The Meta section consists of a set of arbitrary key-value pairs; it can be used to describe a rule, and the type of content that it matches. Every time that a rule match a sample the ocntnet of the meta section is printend on the screen. All the useful information must be encoded inside the meta section.

The string section, it defines variables that can be later matched in the condition section, data ppatterns can be defined, regular expression can be used togheter with Hexadecimal byte patterns or regular strings.

In the condition section the matching conditions are defined, there is a particular sintax to use; for example:

More complex conditions can be created by mixing different conditions with logical operators and, or and not or wildcards. a More complex example could be:

When defining Yara Rules we can trigger false positives or false negative, so depending on the maturity of the rule itself we can assign a level of confidence to the rule itself.

Yara is particularly useful when used tocheter with other tools capable of interpreting its output like a SIEM, that also collects a database of logs and other useful informations.

A Yara rule can be extended by imporitng modules. For example a PE interpreter can be used to check if a PE file imports functions from specific DLLs. Also Yara enable a rule coder to reference other rules on a specific rule, enabling a creation of general rules that can be further reused in more targeted rules.