YARA Rules in Cyber Threat Intelligence

Chad Warner
3 min read · Feb 2, 2022

YARA rules are pattern-matching rules that describe textual or binary patterns found in malware and are used to identify it. Many tools can consume YARA rules to detect malware, and YARA itself runs on Windows, macOS, and Linux.

YARA was originally developed by Victor Alvarez of VirusTotal, who said that, “YARA is an acronym for: YARA: Another Recursive Acronym, or Yet Another Ridiculous Acronym. Pick your choice.”

YARA Syntax

YARA rules have these parts:

  • Keyword rule followed by a rule identifier (required): the name of the rule
  • String definitions (optional): the string(s) to look for (text, binary/hex, or regular expression)
  • Condition (required): a Boolean expression that determines whether a file or process matches the rule
  • Rule tags (optional): added after the rule identifier, used to filter YARA output
  • Metadata (optional): additional information about the rule, such as author or reference

Here’s a simple example based on the YARA documentation (the sections must appear in the fixed order meta, strings, condition):

rule ExampleRule : tag1 tag2
{
    meta:
        my_identifier_1 = "Some string data"
        my_identifier_2 = 24
        my_identifier_3 = true

    strings:
        $my_text_string = "text here"
        $my_hex_string = { E2 34 A1 C8 23 FB }

    condition:
        $my_text_string or $my_hex_string
}
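To make the matching behind those parts concrete, here is an added example (not from the original post or the YARA project): a toy matcher for just the subset of YARA syntax used above, with ASCII text strings, hex byte patterns, and a condition built from and/or/not, run over constructed sample buffers. It is not the real YARA engine, which also handles wildcards, jumps, regexes, string modifiers and counts.

```python
# Toy matcher for the YARA subset shown above (constructed example, not YARA).
# Text strings are matched case-sensitively as ASCII, hex strings as raw bytes.

RULE = '''
rule ExampleRule : tag1 tag2
{
    meta:
        my_identifier_1 = "Some string data"
    strings:
        $my_text_string = "text here"
        $my_hex_string = { E2 34 A1 C8 23 FB }
    condition:
        $my_text_string or $my_hex_string
}
'''

def parse_rule(rule_text):
    """Return (name, tags, {ident: bytes}, condition) from a minimal rule."""
    name, tags, strings, condition, section = None, [], {}, None, None
    for raw in rule_text.splitlines():
        line = raw.strip()
        if not line or line in ("{", "}"):
            continue
        if line.startswith("rule "):
            head = line[5:].rstrip("{").split(":", 1)   # "Name : tag1 tag2"
            name = head[0].strip()
            tags = head[1].split() if len(head) > 1 else []
        elif line.endswith(":") and line[:-1] in ("meta", "strings", "condition"):
            section = line[:-1]                          # meta lines are skipped
        elif section == "strings":
            ident, value = (p.strip() for p in line.split("=", 1))
            if value.startswith('"'):
                strings[ident] = value.strip('"').encode()          # ASCII text
            else:
                strings[ident] = bytes.fromhex(value.strip("{} "))  # raw bytes
        elif section == "condition":
            condition = line
    return name, tags, strings, condition

def eval_condition(condition, hits):
    """Evaluate identifiers joined by not/and/or (precedence: not > and > or)."""
    def term(tok):
        tok = tok.strip()
        return not term(tok[4:]) if tok.startswith("not ") else hits[tok]
    return any(all(term(t) for t in clause.split(" and "))
               for clause in condition.split(" or "))

def scan(rule_text, data):
    """Report which strings hit in a byte buffer and whether the rule fires."""
    name, tags, strings, condition = parse_rule(rule_text)
    hits = {ident: pat in data for ident, pat in strings.items()}
    return {"rule": name, "tags": tags, "strings": hits,
            "matched": eval_condition(condition, hits)}
```

Calling `scan(RULE, b"MZ\x90" + bytes.fromhex("E234A1C823FB"))` fires on the hex string alone, which is why a condition of `or` over several strings is a common pattern for covering variants of one family.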

Using YARA Rules in CTI

As you analyze malware, you can write YARA rules that defenders can use to detect that malware.

As you collect malware IoCs from other sources, you can write your own YARA rules or find existing ones from other sources, and provide them to defenders to detect that malware.

Speaking of finding YARA rules from other sources, Awesome YARA has a list of sources.

Your threat intelligence platform (TIP) may support YARA; MISP and ThreatConnect do. If yours does, you can build YARA rules based on collected threat information.

Additional Resources

