killchain-compendium/misc/threat_intelligence/yara.md

# Yara

## Structure
A rule consists of 
    * Name
    * Metadata
    * String definitions
    * Conditions on these strings

## Example

```sh
rule eicar   {
    meta:
      author="foo"
      description="eicar test virus"
    strings:
      $a="X5O"
      $b="EICAR"
      $c="ANTIVIRUS"
      $d="TEST"
    condition:
      $a and $b and $c and $d
  }
```

## Usage

* Information about a rule, metadata or strings
```sh
yara -m <file.yara> <file.target>
yara -s <file.yara> <file.target>
```

* Run Yara via
```sh
yara <file.yara> <file.target>
```
* If the name of the rule and the target is returned, the rule matched. Otherwise it did not match.
firmware 2021-09-18 01:40:51 +02:00			`# Yara`
reorganized 2022-08-08 22:43:23 +02:00
			`## Structure`
			`A rule consists of`
			`* Name`
			`* Metadata`
			`* String definitions`
			`* Conditions on these strings`

			`## Example`

			```sh
			`rule eicar {`
			`meta:`
			`author="foo"`
			`description="eicar test virus"`
			`strings:`
			`$a="X5O"`
			`$b="EICAR"`
			`$c="ANTIVIRUS"`
			`$d="TEST"`
			`condition:`
			`$a and $b and $c and $d`
			`}`
			```

			`## Usage`

			`* Information about a rule, metadata or strings`
			```sh
			`yara -m <file.yara> <file.target>`
			`yara -s <file.yara> <file.target>`
			```

			`* Run Yara via`
			```sh
			`yara <file.yara> <file.target>`
			```
			`* If the name of the rule and the target is returned, the rule matched. Otherwise it did not match.`