Tools Deep Dive: YARA
Previously we talked about how there are several tools of the trade in cybersecurity.
Many of these are free, built in and extremely versatile.
One of these tools is YARA. In a nutshell, YARA is a pattern-matching tool used to identify and classify malware samples.
We’ll go over ways in which you can utilize YARA for security use cases.
Some things about YARA
basically grep on steroids 😆
consists of rules, each of which describes what a matching file looks like
you give a rule a name, a description, strings to match, and a condition
YARA is also integrated into many other detection tools (scanners, sandboxes, VirusTotal) to flag malicious binaries
These are just some of the many aspects to know about the versatile tool that is YARA.
In practice a rule has a name, a meta section (description, author and similar), a strings section listing what to look for, and a condition that decides whether the file matches. Of these sections, only the condition is mandatory; meta and strings can be left out entirely.
Here’s a snippet of a rule for macOS XProtect.
The above rule matches only when all of its conditions are met: the file's hash matches against the two listed hashes, the file type matches, and the file size falls within the stated limit.
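Since the XProtect snippet itself is not reproduced here, the rule below is an added example with the same shape (a file-type check, a size bound and a hash comparison against two known samples). It is my own illustration, not Apple's XProtect rule: the rule name is hypothetical and the two SHA-256 values are constructed placeholders standing in for real sample hashes.

```yara
import "hash"

// Added example, not an XProtect rule. The two SHA-256 values are
// constructed placeholders; in a real rule they would be the hashes of
// the samples you want to detect.
rule Example_MachO_Known_Samples
{
    meta:
        description = "Mach-O executable matching one of two known sample hashes"
        author      = "example"

    condition:
        // File type: Mach-O magic read from the first four bytes.
        // uint32() reads little-endian, so MH_MAGIC_64 (feedfacf) shows
        // up unchanged; the fat/universal header is stored big-endian,
        // hence uint32be(). Note 0xcafebabe is also the Java .class
        // magic, which is one reason the hash check below matters.
        (
            uint32(0)   == 0xfeedfacf or   // 64-bit Mach-O
            uint32(0)   == 0xfeedface or   // 32-bit Mach-O
            uint32be(0) == 0xcafebabe      // fat (universal) binary
        )
        and
        // File size: hashing every scanned file is expensive, so bound it
        // first. YARA short-circuits "and", so the cheap checks run first.
        // YARA accepts KB/MB suffixes.
        filesize < 2MB
        and
        // Hash: whole-file SHA-256 via the hash module, compared as
        // lower-case hex because that is what hash.sha256() returns.
        // A file can only have one SHA-256, so two samples means "or".
        (
            hash.sha256(0, filesize) == "0000000000000000000000000000000000000000000000000000000000000001" or
            hash.sha256(0, filesize) == "0000000000000000000000000000000000000000000000000000000000000002"
        )
}
```

Hash-only rules like this are precise but brittle: one byte changed in the sample and the hash no longer matches. That is why the magic-byte and size checks are kept even though the hash alone would be unique, and why most real rule sets pair hash rules with string-based ones.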
As mentioned earlier, YARA consists of rules written to match on specific strings. This might sound a little similar to regex, which we discussed previously.
The difference is scope: regex is pattern matching over text, while YARA is pattern matching over files, including raw binaries (think malware samples). A YARA rule can use regex as one of its string types, but it also checks things regex cannot see, such as file size, bytes at a given offset, and how many times or where a string occurs.
Here's a brief table (generated with GPT) outlining the two.
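To make the comparison concrete, here is an added example rule (not from the original post) that uses all three YARA string types over a Windows PE file. The rule name, the byte pattern and the URL shape are constructed for illustration, not taken from any real malware family.

```yara
// Added example, not from the original post. The byte pattern and the
// URL shape are constructed for illustration, not from a real family.
rule Example_String_Types : demo
{
    meta:
        description = "One rule using text, hex and regex strings over a PE file"

    strings:
        // Text string. ascii + wide covers both 8-bit and UTF-16LE
        // encodings; nocase makes it case-insensitive.
        $cmd = "cmd.exe /c" ascii wide nocase

        // Hex string. ?? is a wildcard byte, [4-6] is a jump of 4 to 6
        // arbitrary bytes. Constructed x86 shape: push imm8, push imm32,
        // call rel32, then an "add esp, imm8" stack cleanup.
        $code = { 6A ?? 68 ?? ?? ?? ?? E8 [4-6] 83 C4 }

        // Regex string. Same idea as grep -E, but scanned over the raw
        // file bytes rather than over lines of text.
        $url = /https?:\/\/[a-z0-9.-]+\/[a-z0-9]{8}\.(php|jpg)/ nocase

    condition:
        // File-level structure is where YARA goes beyond regex: check the
        // MZ header and the PE signature at e_lfanew (offset 0x3C).
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550 and
        filesize < 4MB and
        (
            #cmd >= 2 or                    // #str    = number of occurrences
            $code or
            ($url and @url[1] > 0x400)      // @str[n] = offset of n-th match
        )
}
```

Two practical notes. Regex strings are the slowest of the three, so give them a literal prefix (here `http`) rather than starting with a wildcard, and keep the cheap header checks first in the condition so that most non-PE files are rejected before any string scanning matters. The `#` and `@` operators are what let a rule say "this string, at least twice, not inside the DOS stub", which a line-oriented regex cannot express.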
Some use cases for YARA.
matching on a specific type or family of malware
scanning emails and their attachments
building new detections internally, for files that only your organization sees
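As an added example for the email use case (not from the original post), the rule set below shows two features that matter when you build detections internally: a private helper rule that other rules reuse, and the `base64` string modifier, which matches a plain string inside a base64-encoded attachment without decoding the message first. The rule names, the helper's header checks and the extension list are my own choices for illustration.

```yara
// Added example, not from the original post. The helper and the detection
// rule below are illustrative, not a production email signature.

// Private rules match like any other rule but are never reported on their
// own; they exist to be referenced by rules defined after them.
private rule is_mime_message
{
    strings:
        $hdr = "Content-Type:" nocase ascii
        $b64 = "Content-Transfer-Encoding: base64" nocase ascii
    condition:
        // A MIME header near the start of the file plus at least one
        // base64-encoded part somewhere in it.
        $hdr in (0..8192) and $b64
}

// Tags (after the colon) let you run a subset of a large rule set with
// "yara -t email rules.yar <path>".
rule Email_Base64_PE_Attachment : email attachment
{
    meta:
        description = "Mail message carrying a base64-encoded Windows executable"

    strings:
        // The base64 modifier expands the plain string into its three
        // base64 alignments, so it matches inside an encoded attachment
        // without decoding the message. Requires YARA 4.0 or newer.
        $dos_stub = "This program cannot be run in DOS mode" base64

        // Attachment filename with an executable extension.
        $disp = /Content-Disposition:\s*attachment;\s*filename="?[^"\r\n]+\.(exe|scr|js|vbs|cpl)"?/ nocase

    condition:
        is_mime_message and $dos_stub and $disp
}
```

Run it recursively over a mail store with `yara -r -s rules.yar /path/to/mail`; `-s` prints the matched strings, which also tells you which of the three base64 alignments hit. The caveat practitioners run into: YARA only sees the bytes in the file it is handed, so a compressed mbox, an attachment inside a ZIP, or a body that was already decoded by the mail pipeline will not match this rule, and the helper's header check assumes the message has not been stripped of its MIME headers.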
Resources
Some resources to get hands on with YARA.
Here’s a lab by Cyberwox to get some hands on practice with the tool. It serves as a good intro, and you’ll be able to build this into other labs.
https://cyberwoxacademy.com/intro-to-threat-detection/
The official YARA repo by the team at VirusTotal.
https://github.com/VirusTotal/yara
Florian Roth’s open collection of rules.
https://github.com/Neo23x0/signature-base/tree/master/yara
Conclusion
I hope this helps in seeing what YARA can do, and what learning it could mean for you.
In a future post, we will dive deep into the functionality of YARA and example rules along with their use cases. If you enjoyed this post, you will like the rest of this tools series.