YARA ("Yet Another Recursive Acronym" / "Yet Another Ridiculous Acronym") is a pattern-matching tool: a rule declares text strings, hexadecimal byte sequences or regular expressions, and a condition that says which of them must (or must not) be present. The rules you create can target the message body, the headers, the attachments or the raw message source. This knowledge base article provides examples and ideas on how to incorporate YARA into your organisation's mail filtering.
The official YARA documentation can be found here.
Click any of the YARA examples below to jump to that section. Each example links to its rule's source code below the rule image.
- Example 1 - Detect messages with a demand for money
- Example 2 - Prevent specific website links or names
- Example 3 - Hexadecimal strings for file signatures
- Example 4 - Using Regular expression to detect URLs
- Example 5 - Using multiple conditions to improve matches
Example 1 - Detect messages with a demand for money
In this simple rule we have declared two strings, "pay" and "immediately". Because the condition joins them with the YARA keyword "and", both strings must appear in the message for the condition to be true; a message containing only one of them does not match.
This rule can easily be extended with other words you consider suspicious, the names of senior executives, or particular requests such as downloading a file, helping to filter unwanted messages. Bear in mind that a plain YARA string matches anywhere in the text, so "pay" also matches "payment" and "repay"; the "fullword" modifier limits a string to whole-word matches, and the "nocase" modifier makes it case insensitive.
The link to this rule can be found here.
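The rule described in this section, written out as an added example. This is a reconstruction from the description above, not the rule image or source from the original article; the rule name, the string names and the two modifiers are my own additions.

```yara
rule Demand_For_Money
{
    meta:
        description = "Message contains both 'pay' and 'immediately'"

    strings:
        // The article's rule declares the two bare words. fullword is an
        // addition so that "pay" does not also hit "payment" or "repay";
        // nocase is an addition so that "Pay" at the start of a sentence matches.
        $pay    = "pay" fullword nocase
        $urgent = "immediately" fullword nocase

    condition:
        // 'and' requires both strings to be present somewhere in the scanned text
        $pay and $urgent
}
```

Without the modifiers the two strings match exactly as written and only as substrings, which is what the article's bare declaration does; remove them if that stricter behaviour is what you want.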
Example 2 - Prevent specific website links or names
You might decide to cast a wide net when attempting to catch malicious emails rather than creating extremely specific rules. This is achieved with the "any of them" condition: if any one of the declared strings is found, the condition is true. You can build a list of keywords or URLs known to be malicious and add them to your YARA rule as strings, then choose the action that is taken when the rule matches.
As an example, an attacker has decided to target your organisation. You know the name and aliases they will send the emails from and some of the phishing domains they want your staff to click. To prevent this attack, you can create a YARA rule that triggers an action if any of the specified strings is found.
The link to this rule can be found here.
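A rule of the shape this section describes, as an added example rather than the article's own rule. The aliases and domains are hypothetical placeholders (the domains use reserved example.* names) and must be replaced with your own indicators:

```yara
rule Known_Threat_Actor_Indicators
{
    meta:
        description = "Any one known alias or phishing domain is enough to fire"

    strings:
        // Hypothetical indicators for illustration only; replace with your own intelligence.
        $alias1  = "Pat Example" nocase
        $alias2  = "p.example.accounts" nocase
        $domain1 = "secure-login.example.net" nocase
        $domain2 = "invoice-portal.example.org" nocase

    condition:
        // 'any of them' is true as soon as one declared string is found
        any of them
}
```

"any of them" is shorthand for "1 of them". If a single hit produces too many false positives, the same syntax lets you require more, for example "2 of them", or restrict the set to a prefix, for example "any of ($domain*)".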
Example 3 - Hexadecimal strings for file signatures
Hexadecimal strings let you match on a file's signature, the "magic" bytes at the start of the file that identify its true type regardless of the filename or extension the sender chose, which defeats the common trick of renaming an executable to look like a document. YARA hex strings are flexible: you can add the signature of any file type, the byte sequence of a known malware sample, or wildcards ("??") as placeholders for bytes that vary.
In the example below we have added the hex signatures for a PDF and a PNG file; if either is detected, the rule is triggered. You can expand this rule to match your own policies, for example by banning all executable files and only allowing PDF files to be sent; the choice is yours.
The link to this rule can be found here.
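The PDF/PNG rule from this section, written out as an added example that is not the article's own rule. The GIF string goes beyond the article's pair to show a wildcard, and the "at 0" anchoring assumes the scanner applies the rule to each decoded attachment on its own:

```yara
rule Attachment_Is_PDF_or_PNG
{
    meta:
        description = "Identify attachments by magic bytes rather than file extension"

    strings:
        $pdf = { 25 50 44 46 2D }            // "%PDF-", the start of every PDF
        $png = { 89 50 4E 47 0D 0A 1A 0A }   // the eight-byte PNG header
        // Added beyond the article's pair to show a wildcard: GIF files start
        // with "GIF87a" or "GIF89a", so ?? stands for the one byte that varies.
        $gif = { 47 49 46 38 ?? 61 }

    condition:
        // 'at 0' anchors each signature to the first byte of the scanned data.
        // This assumes the rule is evaluated against each decoded attachment
        // separately; drop 'at 0' if the attachment sits inside a larger buffer.
        $pdf at 0 or $png at 0 or $gif at 0
}
```

Two caveats. First, if your scanner runs rules over the raw MIME source rather than decoded attachments, the attachment bodies are base64-encoded and none of these byte sequences will appear, so hex signature rules belong on the attachment target. Second, to ban Windows executables rather than allow documents, match the DOS header "MZ" ({ 4D 5A } at 0) that every PE file begins with.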
Example 4 - Using Regular expression to detect URLs
Regular expressions (regex) can be used as YARA strings, written between forward slashes, and match a pattern of characters rather than one fixed string. In the example below we have created an expression that looks for the common parts that make up a URL: a scheme such as http or https, a host name and an optional path.
Rather than block all URLs, we add a second string for our CEO's name, "Bob Kent", with the modifier "nocase". The nocase modifier makes the match case insensitive, so "bob kent" and "BOB KENT" are found as well. Our condition is true only if the message contains both a URL and our CEO's name, the combination typical of an impersonation attempt.
The link to this rule can be found here.
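A rule implementing this section, as an added example and not the article's own rule; the exact URL expression is my own, since the original is not reproduced here:

```yara
rule URL_With_CEO_Name
{
    meta:
        description = "A link plus a mention of the CEO, a common impersonation pattern"

    strings:
        // Regexes are delimited by forward slashes, so slashes inside the pattern
        // are escaped. This matches a scheme, a host with at least one dot and a
        // top-level label of two or more letters, then an optional path with no whitespace.
        $url = /https?:\/\/[a-z0-9.-]+\.[a-z]{2,}(\/\S*)?/ nocase
        // nocase so "bob kent" and "BOB KENT" also match
        $ceo = "Bob Kent" nocase

    condition:
        $url and $ceo
}
```

The nocase modifier applies to regular expressions as well as plain strings, which is why the character classes above only need lowercase ranges. Keep URL expressions bounded like this one; an unanchored pattern such as ".*" scanned across large message bodies is slow.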
Example 5 - Using multiple conditions to improve matches
A YARA condition can combine several terms with "and", "or" and "not" to pin down exactly the match you want. The "not" keyword is particularly useful: it lets you name strings whose presence should prevent a match, cutting down incorrect matches on otherwise suspicious wording.
In the example below we have created three strings. If either of the first two, "Quarantine_Message1" or "Quarantine_Message2", is found in the body of an email, the message would be quarantined. Because such wording is also used legitimately, we add "not" on the third string so that its presence suppresses the match. For example, an email asking the recipient to install software would be sent to quarantine, but if the same email also mentions an upcoming meeting, which provides context, it would not be. Note that in YARA "and" binds more tightly than "or", so the two quarantine strings must be grouped in parentheses before the "and not" is applied.
The link to this rule can be found here.
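A rule of this shape, as an added example rather than the article's own. The phrases stand in for the article's "Quarantine_Message1" and "Quarantine_Message2" and are my own choices:

```yara
rule Software_Request_Without_Meeting_Context
{
    meta:
        description = "Quarantine install/download requests unless the mail has meeting context"

    strings:
        // Hypothetical phrasing standing in for Quarantine_Message1 and Quarantine_Message2
        $q1  = "install the software" nocase
        $q2  = "download and run" nocase
        // The third string supplies the context that suppresses quarantine
        $ctx = "meeting" nocase

    condition:
        // Parentheses matter: 'and' binds tighter than 'or' in YARA, so without
        // them this would be read as  $q1 or ($q2 and not $ctx).
        ($q1 or $q2) and not $ctx
}
```

One caveat on exclusions: a "not" on a single everyday word is trivially satisfied by an attacker who simply includes that word, so an exclusion like this reduces false positives but also hands over an easy bypass. Prefer exclusions based on something the sender cannot control, such as a header your own gateway adds to verified internal mail.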
If you have any further questions, please contact our support team by clicking here.