Previously we talked about how there are several tools of the trade when it comes to Cybersecurity.
Many of these are free, built-in and extremely versatile. One of these Swiss army knives is YARA. In a nutshell, this tool is used to identify and classify malware samples.
We’ll go over several ways in which you can utilize YARA for security use cases.
Some things to note about YARA
basically grep on steroids 😆
consists of defined rules which will match files
you give it a name, description, strings to match, and a condition
YARA is also often integrated with commercial detection tools, or used internally to detect malicious binaries
These are just some of the many aspects to know about the versatile tool that is YARA. In practice, a rule is made up of a name, a description, the strings to match, and a condition. Out of these, only the condition is mandatory.
Here’s a snippet of a rule
The above rule matches when the file's hash equals one of the two listed hashes and the conditions on file type and file size are met.
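As an added illustration (written for this post, not the author's snippet above), here is a complete rule showing all four parts: a name, a description in the meta section, strings to match, and a condition that combines file type, file size and hash checks. The hashes, strings and byte pattern are constructed placeholders, not real indicators.

```yara
import "hash"

// Added example rule. All values below are constructed for illustration;
// the two hashes are placeholders, not hashes of any real sample.
rule Example_Suspicious_PE
{
    meta:
        description = "Constructed example: known hashes or suspicious strings in a small PE file"
        author      = "blog example"

    strings:
        // plain text string, matched in both ASCII and UTF-16 (wide) form
        $s1 = "cmd.exe /c" ascii wide
        // constructed hex pattern; ?? is a wildcard byte
        $s2 = { E8 ?? ?? ?? ?? 83 C4 }
        // regular expression inside a YARA rule, case-insensitive
        $s3 = /https?:\/\/[a-z0-9.-]+\/[a-z]+\.php/ nocase

    condition:
        // file type: a PE file starts with the two bytes "MZ" (0x4D 0x5A),
        // read as a little-endian 16-bit integer
        uint16(0) == 0x5A4D
        // file size condition
        and filesize < 2MB
        and (
            // placeholder MD5 values, not real indicators
            hash.md5(0, filesize) == "00000000000000000000000000000000"
            or hash.md5(0, filesize) == "ffffffffffffffffffffffffffffffff"
            // or at least two of the defined strings are present
            or 2 of ($s*)
        )
}
```

Save it as rules.yar and run it against a directory with `yara -r rules.yar /path/to/scan`; each line of output is the rule name followed by the matching file.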
As mentioned earlier, YARA consists of rules written to match on specific strings. This might sound a little similar to Regex, which we discussed previously. The difference here is that the rules are specific to strings, or binaries (think malware samples). If regex is pattern matching for text, YARA is pattern matching for files.
Here’s a brief table outlining the two
Some use cases for YARA.
matching on a specific type of malware
scanning emails
building new detections internally
Conclusion
I hope this helps in seeing what YARA can do, and what learning it could mean for you.
In a future post, we will dive deep into the functionality of YARA and example rules. If you enjoyed this post, you will like the rest of this tools series.