- Official website: https://code.google.com/p/yara-project/
- Download: https://code.google.com/p/yara-project/downloads/list
- Document: http://yara-project.googlecode.com/files/YARA User's Manual 1.6.pdf
- Reference: http://blog.zeltser.com/post/4339793582/custom-signatures-for-malware-scan
YARA is a tool aimed at helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families based on textual or binary patterns contained on samples of those families. Each description consists of a set of strings and a Boolean expression which determines its logic.
- Reference: http://ant4g0nist.blogspot.tw/2013/02/yara-on-backtrack-5-r3.html
- Reference: http://pinowudi.blogspot.tw/2010/09/installing-yara-on-ubuntu-1004.html
- [Comment] Install YARA on Backtrack 5 R3
- [Comment] Download the tarball and extract it first
- root@sp:~# cd /tmp
- root@sp:/tmp# wget https://yara-project.googlecode.com/files/yara-1.6.tar.gz
- root@sp:/tmp# tar -zxvf yara-1.6.tar.gz
- [Comment] Install PCRE
- root@sp:/tmp# apt-get install libpcre3 libpcre3-dev
- [Comment] Install YARA
- root@sp:/tmp# cd yara-1.6
- root@sp:/tmp/yara-1.6# ./configure
- root@sp:/tmp/yara-1.6# make
- root@sp:/tmp/yara-1.6# make install
- [Comment] Download yara-python for python support
- root@sp:/tmp/yara-1.6# cd ..
- root@sp:/tmp# wget https://yara-project.googlecode.com/files/yara-python-1.6.tar.gz
- [Comment] Extract the tarball
- root@sp:/tmp# tar -zxvf yara-python-1.6.tar.gz
- [Comment] Install python-dev to build the yara-python package
- [Comment] yara-python 1.6 had been ported to Python 3.x
- root@sp:/tmp# apt-get install python3-dev
- [Comment] Install YARA-Python
- root@sp:/tmp# cd yara-python-1.6
- root@sp:/tmp/yara-python-1.6# python3 setup.py install
- root@sp:/tmp/yara-python-1.6# cd ~
- root@sp:~# yara
- usage: yara [OPTION]... [RULEFILE]... FILE | PID
YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.
- Reference: http://blog.sei.cmu.edu/post.cfm/writing-effective-yara-signatures-to-identify-malware
- Reference: http://www.nsai.it/2012/11/13/yara-write-your-signatures-for-malware-detection/
- Reference: https://groups.google.com/d/forum/yaraexchange
- Reference: http://labs.alienvault.com/labs/index.php/tag/yara/
- Reference: http://resources.infosecinstitute.com/malware-analysis-clamav-yara/
- Reference: http://resources.infosecinstitute.com/yara/
- Reference: http://www.amazon.com/Malware-Analysts-Cookbook-DVD-Techniques/dp/0470613033
Resources collection (Original Link - DeepEnd Research):
- Notable Yara related publications by date:
YaraGenerator is an open-source toolset which allows for quick, effective, and automatic YARA signature creation from a number of malicious filetypesi (Executables, Office, PDF, Java, HTML, and more)
MASTIFF with Yara Plugin by Klayton Monroe and Tyler Hudak. MASTIFF is a static analysis framework that automates the process of extracting key characteristics from a number of different file formats.
Using Cuckoobox, Yara, Volatility and Hopper Disassembler to analyze APT1 malware by Chort Z. Row
Installing Latest Yara That Works With Automake-1.11 (Yara v1.7) by Chort
Yara – Rule-based malware detection and analysis by Dejan Lukan
Yaraprocessor by Stephen DiCato -MITRE Yaraprocessor allows you to scan data streams in few unique ways. It supports scanning data streams in discrete chunks, or buffers.
ChopShop ChopShop is a MITRE developed framework to aid analysts in the creation and execution of pynids based decoders and detectors of APT tradecraft.
Working with Yara. Security Flux
Yara Rules for APT1/Comment Crew malware arsenal
Yara-goodies by Hiddenillusion
Yara Editor by Ivan Fontarensky
Malware.lu Yara signatures for some malware samples
Moloch by AOL team Moloch is a IPv4 packet capturing (PCAP), indexing and database system. A simple web interface is provided for PCAP browsing, searching, and exporting. Moloch is not meant to replace IDS engines but instead work along side them to store and index all the network traffic in standard PCAP format, providing fast access. Moloch is built to be deployed across many systems and can scale to handle multiple gigabits/sec of traffic
Peid signatures converted to Yara signatures by AlienVault
Fighting Back Malware with IOC & Yara OSSIR Paris, 2012.12.11Saâd Kadhi
G-Yara - a Web based (PHP) yara rule editor. It's a handy way to test yara rules as you write them.
Writing Effective YARA Signatures to Identify Malware by David French
Yara-normalize by Chris Lee. Normalizes Yara Signatures into a repeatable hash even when non-transforming changes are made.
Peid4yara is the conversion of the PEiD signatures to work with the active Yara Malware Classifer
Yarad and Ppyarad - Yarad deploys a server that can be used to scan files and streams centrally with yara and your own ruleset. Pyarad allows you to interact with yarad server from your python scripts. AlienvaultLabs
MIDAS Metadata Inspection Database Alerting System (This is a project to create a system to automate the inspection and databasing of all Meta data information contained within all files destined for an organization (generally via dumping the files which are attached to emails through the use of YARA, but could also be automated via netwitness, other full pcap tool, or just to iterate through file servers looking for suspicious files). Alternatively, this can be used to look for heuristic anomalies in existing collections of files both malicious and benign.
Create YARA Signature Demonstration video of the CreateYaraSignature.py
Yara Signature Creation with IDA by Case Barnes from AccuvantLabs
Yarascan plugin for Volatility Framework
Extracting Binary patterns in malware sets (useful tool but has limitations on the number of files it will process and does not take into account the role of matching bytes that files share.
Creating a Yara Signature for Shellcode
Converting ClamAV signatures for Yara Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code Recipe 3-3
Ruby bindings for the yara malware analysis library by Eric Monti
Yara C-ICAP Server Module by Fyodor Grave
An Intro to Creating Anti-Virus Signatures by Alexander Hanel
Tools to scan the file system with custom malware signatures by Lenny Zeltser
UltraEdit and TextMate code highlighting bundles for Yara
Scout Sniper (scoutsniper) is a wrapper program for the Yara malware identification and classification tool and the Fuzzy Hashing program ssdeep. scoutsniper is designed to run all of the files in a designated directory against a designated Yara Rule file or ssdeep’s Fuzzy dynamic linked library (fuzzy.dll).
Got your YARA?? Windows Incident Response blog