killchain-compendium/Miscellaneous/Threat Intelligence/Yara.md

Yara

Structure

A rule consists of
  • Name: the rule identifier that yara prints when the rule matches
  • Metadata: free-form key/value pairs (author, description, ...) that document the rule but play no part in matching
  • String definitions: the patterns to look for (text, hex bytes or regular expressions), each bound to a $identifier
  • Condition: a boolean expression over those $identifiers that decides whether the rule matches

Example

rule eicar {
    meta:
      author = "foo"
      description = "eicar test virus"
    strings:
      // plain text strings are matched case-sensitively unless the nocase modifier is added
      $a = "X5O"
      $b = "EICAR"
      $c = "ANTIVIRUS"
      $d = "TEST"
    condition:
      // all four strings must occur somewhere in the target, in any order and at any offset
      $a and $b and $c and $d
}

Usage

  • Run a rule file against a target (a single file, or a directory with -r to recurse) via
yara <file.yara> <file.target>
  • For every rule that matches, yara prints one line with the rule name followed by the target path. No output with exit code 0 means nothing matched; a non-zero exit code means an error, for example a syntax error in the rule file, not a miss.
  • To see why a rule matched, add -m to print the rule's metadata next to its name, or -s to print every matching string with its offset and $identifier (the flags can be combined)
yara -m <file.yara> <file.target>
yara -s <file.yara> <file.target>
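To make the relationship between the strings section, the condition and yara's output concrete, here is a small evaluator for the subset of YARA used by the eicar rule above. It is an added example, not code from the killchain-compendium or from the YARA project: it parses one rule with meta, plain quoted text strings and a condition built from $identifiers, and, or, not, parentheses and the all of them / any of them shorthands, scans a byte string, and prints lines in the style of yara -m -s. The sample inputs are constructed byte strings that merely contain the four substrings; they are not the real EICAR test file. Real YARA supports far more (hex strings, regexes, modifiers such as nocase, offsets, counts, modules) than this toy handles.

```python
"""Toy evaluator for the YARA subset used by the eicar rule (added example, not YARA itself)."""
import re

# The rule from this page, as text.
RULE_TEXT = r'''
rule eicar {
    meta:
      author = "foo"
      description = "eicar test virus"
    strings:
      $a = "X5O"
      $b = "EICAR"
      $c = "ANTIVIRUS"
      $d = "TEST"
    condition:
      $a and $b and $c and $d
}
'''

# Constructed samples (NOT the real EICAR file): one hit, one that differs only
# in case, one that contains only two of the four strings.
SAMPLE_HIT = b"constructed-sample X5O EICAR ANTIVIRUS TEST"
SAMPLE_MISS_CASE = b"constructed-sample x5o eicar antivirus test"
SAMPLE_PARTIAL = b"constructed-sample EICAR TEST only"


def parse_rule(text):
    """Return (name, meta dict, strings dict of $id -> bytes, condition string)."""
    name = re.search(r"^\s*rule\s+(\w+)\s*\{", text, re.M).group(1)
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.match(r"^(meta|strings|condition):$", line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current and line and line != "}":
            sections[current].append(line)
    meta, strings = {}, {}
    for line in sections.get("meta", []):
        key, value = line.split("=", 1)
        meta[key.strip()] = value.strip().strip('"')
    for line in sections.get("strings", []):          # plain text strings only, no escapes/modifiers
        key, value = line.split("=", 1)
        strings[key.strip()] = value.strip().strip('"').encode()
    return name, meta, strings, " ".join(sections["condition"])


def evaluate(condition, matched):
    """Evaluate a condition over matched ($id -> bool) with a tiny recursive-descent parser.
    Precedence mirrors YARA: not binds tightest, then and, then or."""
    tokens = re.findall(r"\(|\)|\$\w+|\w+", condition)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def expr():                      # or-expression
        left = term()
        while peek() == "or":
            take()
            right = term()
            left = left or right
        return left

    def term():                      # and-expression
        left = factor()
        while peek() == "and":
            take()
            right = factor()
            left = left and right
        return left

    def factor():
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            if take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok in ("all", "any"):    # "all of them" / "any of them"
            if take() != "of" or take() != "them":
                raise ValueError("expected 'of them'")
            return (all if tok == "all" else any)(matched.values())
        if tok.startswith("$"):
            return bool(matched[tok])
        raise ValueError(f"unexpected token {tok!r}")

    result = expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return bool(result)


def scan(rule_text, data, target="<data>"):
    """Scan data with one rule; return (matched, output lines in the style of yara -m -s)."""
    name, meta, strings, condition = parse_rule(rule_text)
    hits = {ident: [m.start() for m in re.finditer(re.escape(pat), data)]
            for ident, pat in strings.items()}
    matched = evaluate(condition, {ident: bool(offs) for ident, offs in hits.items()})
    lines = []
    if matched:
        meta_str = ",".join(f'{k}="{v}"' for k, v in meta.items())
        lines.append(f"{name} [{meta_str}] {target}")         # what -m adds to the match line
        for ident, offsets in hits.items():
            for off in offsets:                              # what -s adds: offset, $id, string
                lines.append(f"0x{off:x}:{ident}: {strings[ident].decode()}")
    return matched, lines


if __name__ == "__main__":
    for label, sample in (("hit", SAMPLE_HIT), ("case", SAMPLE_MISS_CASE), ("partial", SAMPLE_PARTIAL)):
        matched, lines = scan(RULE_TEXT, sample, f"{label}.bin")
        print(label, "->", "match" if matched else "no match")
        print("\n".join(lines))
```

The second and third samples show the two ways a rule like this quietly fails: plain text strings are case-sensitive, so x5o does not satisfy $a, and an and-condition needs every string, so a file containing only EICAR and TEST is a miss even though two strings were found (replacing the condition with any of them would match it).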