YARA

Table of Contents

1. Lecture 5

2. What is Yara

Yara is a sort of grep, with other features built on top. The main differences from grep are that Yara uses a richer matching language and can organize its rules in a database. Yara is neither an antivirus nor a HIDS; its strength is that it is easy to use while remaining flexible and extremely powerful.

Yara is an Open Source tool and is used from the command line:

[figure: yara-1.png]

2.1. Rules

A rule must have a name and a condition. The language allows inspecting specific characteristics of the file being analyzed, for example its size. A rule is organized into three sections: meta, strings and condition (only the condition is mandatory). The meta section consists of a set of arbitrary key-value pairs; it can be used to describe the rule and the type of content it matches. Every time a rule matches a sample, the content of the meta section is printed on screen, so all the useful information about the rule should be encoded there.

The strings section defines variables that can later be matched in the condition section. Data patterns can be defined as plain text strings, as hexadecimal byte patterns, or as regular expressions, and the three kinds can be mixed in the same rule.

The condition section defines the matching conditions, using its own particular syntax; for example:

[figure: yara-2.png]

More complex conditions can be created by combining conditions with the logical operators and, or and not, or with wildcards. A more complex example could be:

[figure: yara-3.png]
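The following complete rule is an added example and is not one of the rules shown in the lecture slides. It puts the three sections together: key-value metadata, the three kinds of string patterns (text, hex with wildcards and a jump, regular expression) and a condition that mixes a file size check, the and/or/not operators, an occurrence count and a wildcard over string variables. The rule name, the meta values and every pattern are constructed for illustration and do not describe any real sample.

```yara
/*
  Added example (not from the original notes).
  Rule name, meta values and all patterns are constructed placeholders.
*/
rule Example_Three_Sections
{
    meta:
        author      = "example author"          // arbitrary key-value pairs
        description = "Shows meta, strings and condition in one rule"
        confidence  = "low"                     // maturity of the rule, see false positives
        date        = "2022-12-12"

    strings:
        // plain text, matched both as ASCII and as UTF-16 (wide)
        $s1 = "UpdateCheck.exe" ascii wide
        // hex pattern: ?? is a one-byte wildcard, [4-6] is a jump of 4 to 6 bytes
        $s2 = { 68 ?? ?? 40 00 E8 [4-6] 83 C4 04 }
        // regular expression, case-insensitive
        $s3 = /https?:\/\/[a-z0-9.-]{5,40}\/update\.(bin|dat)/ nocase
        // string whose presence should exclude the match (used with "not")
        $benign = "Copyright (c) Example Corp" ascii

    condition:
        uint16(0) == 0x5A4D and        // file starts with the "MZ" header
        filesize < 2MB and             // size check, unit suffixes are allowed
        2 of ($s*) and                 // wildcard: at least two of $s1, $s2, $s3
        (#s2 > 3 or $s3) and           // #s2 counts the occurrences of $s2
        not $benign                    // logical negation
}
```

Saved as a .yar file, the rule is run from the CLI with `yara -r -m -s rules.yar /path/to/samples`, where -r scans directories recursively, -m prints the meta section of each matching rule and -s prints the matched strings with their offsets.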

When defining Yara rules we can trigger false positives or false negatives, so depending on the maturity of the rule we can assign it a level of confidence.

Yara is particularly useful when used together with other tools capable of interpreting its output, such as a SIEM, which also collects a database of logs and other useful information.

A Yara rule can be extended by importing modules. For example the PE module can be used to check whether a PE file imports functions from specific DLLs. Yara also lets a rule author reference other rules from within a rule, enabling the creation of general rules that can be reused in more targeted ones.
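An added example (not from the notes) of both mechanisms: the pe module is imported and queried for an imported function, and a private helper rule that recognizes a Windows PE file is referenced by name from a more targeted rule. The rule names, the chosen DLL/function pair and the thresholds are assumptions made for illustration; the header offsets (0x3C for e_lfanew, the "MZ" and "PE\0\0" signatures) are the standard PE layout.

```yara
// Added example (not from the original notes). Requires YARA built with the pe module.
import "pe"

// General, reusable rule. "private" rules can be referenced by other rules
// but are not reported as matches on their own.
private rule Is_Windows_PE
{
    condition:
        uint16(0) == 0x5A4D and                 // "MZ" DOS header
        uint32(uint32(0x3C)) == 0x00004550      // "PE\0\0" at the offset stored in e_lfanew
}

// Targeted rule built on top of the general one.
rule PE_Imports_Debugger_Check
{
    meta:
        description = "PE that imports IsDebuggerPresent from kernel32 (constructed example)"
        confidence  = "low"     // many legitimate programs import this too; triage, not verdict

    condition:
        Is_Windows_PE and                                   // reference to the rule above
        pe.imports("kernel32.dll", "IsDebuggerPresent") and // module function: DLL and symbol
        pe.number_of_sections > 2                           // module attribute from the PE header
}
```

When this file is scanned with `yara -m rules.yar sample.exe`, only PE_Imports_Debugger_Check is reported, because the helper rule is private; the "low" confidence in meta signals that the match should be correlated with other evidence (for instance in a SIEM) rather than treated as a verdict.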

Author: Andrea Ercolino

Created: 2022-12-12 lun 12:10