Windows Using Yara - nurit-cyber/Windows-Evidence GitHub Wiki
YARA Rule Format
A YARA rule file follows the format below (square brackets mark the parts you fill in):
import "[module]"
// Two forward slashes start a comment
rule [rule_name]
{
    meta: // the meta section is optional
        // key = value pairs that describe the rule (author, description, reference, ...).
        // YARA does not act on them, but they make large rule sets easier to sort and track.
        description = "[description]"
    strings: // the strings section is optional
        // text strings, hex patterns, or regular expressions that YARA should search for
        $str1 = "[string]"
        $str2 = "[string]"
        $str3 = "[string]"
    condition:
        // boolean expression over the strings (and any module functions) that must be true for a match;
        // strings are referred to by their $ identifiers, not by their literal text
        $str1 and ($str2 or $str3)
}
The "condition" section can express more than string matching. The example below uses only the condition section: YARA hashes every file it scans and compares that hash to the one specified in the rule, reporting each file that matches.
import "hash"
import "pe"   // not needed for this rule; the hash module is the only one used
rule test
{
    condition:
        hash.md5(0, filesize) == "[hash]"
}
YARA needs the imported module "hash" to evaluate this condition and call the hash.md5() function. YARA can hash specific portions of a file, but, for child pornography and human trafficking cases, the hashes wanted are of the entire file. To do this, enter (0, filesize) after hash.md5 so that YARA hashes the file from offset "0" for the full "filesize".
Remember to save the YARA rules as "[rule].yar"
The YARA hash module is able to use the following hashes:
- md5
- sha1
- sha256
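The whole-file hash rule above is usually built from a list of known hashes rather than typed by hand. The Python script below is an added example, not code from this wiki: it hashes a constructed sample buffer the same way hash.md5(0, filesize) and the other module functions do, normalizes the digests (the YARA hash module returns lowercase hexadecimal, so an upper-case hash pasted into a rule would never match), validates their length, and writes one rule whose condition is an "or" of hash comparisons. The rule name, file name "hashes.yar", and sample content are assumptions for the example.

```python
import hashlib
import re

# Hex digest length expected for each algorithm the YARA hash module supports.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

# Constructed sample file content; stands in for a known file from a case.
SAMPLE_FILE = b"hello world"


def file_hashes(data: bytes) -> dict:
    """Hash the whole buffer, which is what hash.md5(0, filesize) etc. see in YARA."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def normalize_hash(algo: str, value: str) -> str:
    """Lower-case and validate a hex digest. YARA's hash module returns lowercase hex,
    so comparing against an upper-case string in a rule silently never matches."""
    if algo not in DIGEST_LEN:
        raise ValueError(f"unsupported algorithm: {algo}")
    value = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % DIGEST_LEN[algo], value):
        raise ValueError(f"{value!r} is not a valid {algo} hex digest")
    return value


def build_hash_rule(rule_name: str, hashes: dict, description: str = "") -> str:
    """Emit one YARA rule matching any file whose whole-file hash is in `hashes`.
    `hashes` maps an algorithm name to an iterable of hex digests; duplicates are dropped."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", rule_name):
        raise ValueError("rule names must be identifiers (letters, digits, underscore)")
    clauses = []
    for algo, values in hashes.items():
        for v in sorted({normalize_hash(algo, x) for x in values}):
            clauses.append(f'        hash.{algo}(0, filesize) == "{v}"')
    if not clauses:
        raise ValueError("no hashes supplied")
    description = description.replace('"', '\\"')
    lines = [
        'import "hash"',
        "",
        f"rule {rule_name}",
        "{",
        "    meta:",
        f'        description = "{description}"',
        "    condition:",
        " or\n".join(clauses),   # YARA accepts a condition spread over several lines
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    known = file_hashes(SAMPLE_FILE)
    # Upper-case md5 on purpose: normalize_hash() lower-cases it before it reaches the rule.
    rule_text = build_hash_rule(
        "sample_file_hashes",
        {"md5": [known["md5"].upper()], "sha256": [known["sha256"]]},
        "constructed example: whole-file hashes of the sample buffer",
    )
    with open("hashes.yar", "w") as f:   # assumed output file name
        f.write(rule_text)
    print(rule_text)
```

Running the script writes hashes.yar, which can be passed to yara64.exe exactly like rule2.yar in the command section below. Keep in mind that every hash.* comparison forces YARA to read each scanned file in full, so a rule with thousands of hash clauses is far slower than the same list checked with a dedicated hash set tool.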
There are also other useful YARA rules listed in the Code section of this repository. To view more information, check here
YARA Command Format
To run a YARA rule, enter the following command in Command Prompt or PowerShell:
> [YARA Executable File Path]\yara.exe -r [YARA Rule File Path]\[YARA Rule] [Target Directory to Search]
-r : search the target directory recursively
For example:
> E:\yara-v4.0.5-1554-win64\yara64.exe -r E:\yara-v4.0.5-1554-win64\rule2.yar C:\
This command searches the entire C:\ directory recursively using rule2.yar.
To send the output to a file for later analysis, add > [file name] at the end of the command. For example:
> E:\yara-v4.0.5-1554-win64\yara64.exe -r E:\yara-v4.0.5-1554-win64\rule2.yar C:\ > output.txt
Above, the results of the YARA rule search are written to "output.txt", which is created in the directory the command is run from if it does not already exist.
BE CAREFUL! If output.txt already exists, its contents will be overwritten with the new results.
To append to the existing output.txt, add >> instead of >. For example:
> E:\yara-v4.0.5-1554-win64\yara64.exe -r E:\yara-v4.0.5-1554-win64\rule2.yar C:\ >> output.txt
To view more information, check here.
YARA Errors
"error scanning [file]: could not open file" is shown for files that are in use by programs currently running on the system. Because they are in use, YARA cannot open, read, or hash them.
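A recursive scan of C:\ produces a long output.txt mixing matches and "error scanning" lines, and the two are easier to review once separated. The Python script below is an added example, not part of this wiki: it parses YARA's output (one "[rule name] [path]" line per match, "error scanning [path]: [reason]" per failure, and the "0x[offset]:$[identifier]: ..." detail lines printed when the -s switch is used) into matches, errors, and a CSV of matched files. The sample output, rule names, and paths are constructed for the example. Note that YARA prints "error scanning" messages to standard error, so a plain > output.txt redirection leaves them on the console; appending 2>&1 after the redirection (in either Command Prompt or PowerShell) sends them to the same file.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of combined stdout+stderr from a recursive yara64.exe run;
# the rule names and paths are made up for the example.
SAMPLE_OUTPUT = """\
rule2 C:\\Users\\case\\Downloads\\sample one.bin
rule2 C:\\Temp\\copy.bin
error scanning C:\\pagefile.sys: could not open file
error scanning C:\\hiberfil.sys: could not open file
evidence_strings C:\\Users\\case\\Documents\\notes.txt
0x1c:$str1: keyword
"""

# "error scanning <path>: <reason>"; the non-greedy path stops at the first ": " so a
# drive letter's "C:\" is not mistaken for the separator.
ERROR_RE = re.compile(r"^error scanning (?P<path>.+?): (?P<reason>.+)$")
# "<rule name> <path>"; the path is everything after the first space, so paths with spaces survive.
MATCH_RE = re.compile(r"^(?P<rule>[A-Za-z_][A-Za-z0-9_]*) (?P<path>.+)$")


def parse_yara_output(text: str) -> dict:
    """Split YARA console output into matches, scan errors, and -s string details."""
    matches = defaultdict(list)   # rule name -> list of matched file paths
    errors = []                   # (path, reason) for files YARA could not scan
    details = defaultdict(list)   # matched path -> "0x...:$id: data" lines from -s
    last_path = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ERROR_RE.match(line)
        if m:
            errors.append((m["path"], m["reason"]))
            continue
        if line.startswith("0x") and last_path is not None:
            details[last_path].append(line)
            continue
        m = MATCH_RE.match(line)
        if m:
            matches[m["rule"]].append(m["path"])
            last_path = m["path"]
    return {"matches": dict(matches), "errors": errors, "details": dict(details)}


def matches_to_csv(parsed: dict) -> str:
    """Render the matches as CSV text (rule, path) for a spreadsheet or case notes."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["rule", "path"])
    for rule, paths in sorted(parsed["matches"].items()):
        for path in paths:
            writer.writerow([rule, path])
    return buf.getvalue()


if __name__ == "__main__":
    # In practice read the captured file instead: text = open("output.txt").read()
    parsed = parse_yara_output(SAMPLE_OUTPUT)
    print(matches_to_csv(parsed))
    print(f"{len(parsed['errors'])} file(s) could not be scanned:")
    for path, reason in parsed["errors"]:
        print(f"  {path}: {reason}")
```

The error list is worth keeping with the case notes rather than discarding: a file that could not be opened was not hashed, so a "no match" result for the scan does not cover it.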