Configuring Yara Rules - carbonblack/cbc-binary-toolkit GitHub Wiki
To use custom YARA rules, modify the example rules file or create your own.
Modifying the Example Rules File
The file is located at src/cbc_binary_toolkit_examples/engine/yara_local/example_rule.yara.
Rules are listed one after another, and each rule needs a meta section with a sev property whose value is between 1 and 10.
rule MyFirstRule
{
    meta:
        sev = 7
    strings:
        $string1 = "malware"
        $string2 = "bad_app"
        $string3 = "malicious"
    condition:
        any of them
}

rule MySecondRule
{
    meta:
        sev = 3
    strings:
        $string1 = "rm -rf /"
        $string2 = "malicious"
        $string3 = { 48 45 4C 4C 4F 0A }
    condition:
        all of them
}
See Writing YARA Rules for more information.
Making your own file
You can use your own file instead of the example file.
If your file is located in the same directory as yara_engine.py, prefix the file name with __file__/ in the rules_file setting of the engine section of your configuration file.
engine:
  name: Yara
  feed_id: Seql2oSTkO8rZrTbBkxnQ
  type: local
  _provider: cbc_binary_toolkit_examples.engine.yara_local.yara_engine.YaraFactory
  rules_file: __file__/my_new_rule_file.yara
Otherwise, if your rules file is not located in the same directory as yara_engine.py, put the full path to the file in your configuration file.
engine:
  name: Yara
  feed_id: Seql2oSTkO8rZrTbBkxnQ
  type: local
  _provider: cbc_binary_toolkit_examples.engine.yara_local.yara_engine.YaraFactory
  rules_file: /Users/Developer/rules_file.yara
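As an added illustration of the two conventions described on this page (the per-rule sev requirement and the __file__/ prefix in rules_file), the Python below is hypothetical helper code, not part of cbc-binary-toolkit: it assumes the engine rejects rules whose sev is missing or outside 1..10 and resolves __file__/ against the directory containing yara_engine.py, and it scans the rule text with regular expressions rather than yara-python so it runs without that library.

```python
"""Hypothetical checks for a cbc-binary-toolkit style YARA rules file (added
example, not project code): each rule must carry `meta: sev = N` with 1 <= N <= 10,
and a rules_file value starting with `__file__/` resolves against the engine directory."""
import os
import re

RULE_HEADER = re.compile(r"^\s*rule\s+(\w+)[^{]*\{", re.MULTILINE)  # "rule NAME ... {"
META_BLOCK = re.compile(r"meta:(.*?)(?:strings:|condition:)", re.DOTALL)  # meta section text
SEV_LINE = re.compile(r"\bsev\s*=\s*(\S+)")  # `sev = value` inside meta

def split_rules(text):
    """Return [(name, body)] for each rule in the file text, in file order."""
    heads = list(RULE_HEADER.finditer(text))
    ends = [m.start() for m in heads[1:]] + [len(text)]
    return [(m.group(1), text[m.end():end]) for m, end in zip(heads, ends)]

def check_rule_severities(text):
    """Return {rule_name: sev}; raise ValueError for the first rule breaking the sev contract."""
    result = {}
    for name, body in split_rules(text):
        meta = META_BLOCK.search(body)
        if meta is None:
            raise ValueError(f"rule {name}: missing meta section")
        sev = SEV_LINE.search(meta.group(1))
        if sev is None:
            raise ValueError(f"rule {name}: meta section has no sev property")
        try:
            value = int(sev.group(1))
        except ValueError:
            raise ValueError(f"rule {name}: sev must be an integer, got {sev.group(1)!r}") from None
        if not 1 <= value <= 10:
            raise ValueError(f"rule {name}: sev {value} is outside 1..10")
        result[name] = value
    return result

def resolve_rules_path(rules_file, engine_dir):
    """Expand `__file__/name.yara` relative to engine_dir; any other value is used as given."""
    prefix = "__file__/"
    if rules_file.startswith(prefix):
        return os.path.join(engine_dir, rules_file[len(prefix):])
    return rules_file

# Constructed sample input: the wiki's two rules (compacted) plus one that breaks the contract.
SAMPLE_RULES = """
rule MyFirstRule { meta: sev = 7 strings: $a = "malware" condition: any of them }
rule MySecondRule { meta: sev = 3 strings: $b = { 48 45 4C 4C 4F 0A } condition: all of them }
"""
BAD_RULES = "rule TooHigh { meta: sev = 11 condition: true }"
```

Running check_rule_severities over a rules file before pointing the engine at it catches a missing or out-of-range sev at configuration time rather than at scan time.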