YARA Rules in Cyber Threat Intelligence

YARA Syntax

  • Keyword rule followed by a rule identifier (required): name of the rule
  • String definition (optional): string(s) to look for (text, binary, or regular expression)
  • Condition (required): boolean expression to determine if file/process satisfies the rule
  • Rule tags (optional): added after rule identifier, used to filter YARA output
  • Metadata (optional): additional info about the rule

rule ExampleRule : tag1 tag2
{
    // YARA requires the sections in this order: meta, strings, condition.
    // The original listing placed meta after condition, which does not compile.
    meta:
        my_identifier_1 = "Some string data"
        my_identifier_2 = 24
        my_identifier_3 = true

    strings:
        $my_text_string = "text here"              // plain text string
        $my_hex_string = { E2 34 A1 C8 23 FB }     // raw byte sequence

    condition:
        $my_text_string or $my_hex_string          // match if either string is found
}
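A fuller rule, added here as an example that is not from the original article, exercising every element listed above (identifier with tags, meta, text, hex and regex strings, and a condition built from file properties and string counts); the rule name, URL, mutex, byte pattern and meta values are all constructed placeholders, not indicators from any real sample.

```yara
// Added example, not from the original article. Every value below is a
// constructed placeholder; it is not an indicator of any real campaign.
rule CTI_Example_Downloader : downloader windows
{
    meta:
        description = "Constructed example: PE embedding a hard-coded URL and mutex"
        author      = "placeholder"
        reference   = "https://example.invalid/report"   // placeholder URL
        date        = "2024-01-01"
        severity    = 70

    strings:
        // Text string; nocase ignores capitalisation, wide also matches UTF-16LE
        $url   = "http://example.invalid/gate.php" nocase ascii wide
        // Mutex name as a plain ASCII string (backslash must be escaped)
        $mutex = "Global\\ExampleMutex-1234"
        // Hex pattern with wildcard bytes (??) and a variable-length jump ([2-4])
        $code  = { 6A 00 68 ?? ?? ?? ?? E8 [2-4] 85 C0 }
        // Regular expression for a base64-looking configuration value
        $b64   = /cfg=[A-Za-z0-9+\/]{32,}={0,2}/

    condition:
        // MZ header at offset 0 restricts matches to PE files, the filesize
        // bound keeps scan cost predictable, and the code pattern must occur
        // together with at least one of the textual indicators
        uint16(0) == 0x5A4D and filesize < 2MB and
        $code and 1 of ($url, $mutex, $b64)
}
```

Tags such as `downloader` and `windows` let `yara -t downloader rules.yar target/` report only matches from rules carrying that tag, which is the filtering use the list above refers to.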

Using YARA Rules in CTI

Additional Resources

Chad Warner
