YARA ("Yet Another Recursive Acronym", or "Yet Another Ridiculous Acronym" in its author's own words) is a pattern-matching tool: a rule declares text strings, hexadecimal byte sequences or regular expressions, and a condition that states which of them must match for the rule to fire. The examples below show rules written for message content filtering. Our full knowledge base article about YARA rules can be found here.
The examples are:
- Example 1 - Detect messages with a demand for money
- Example 2 - Prevent specific website links or names
- Example 3 - Hexadecimal strings for file signatures
- Example 4 - Using a regular expression to detect URLs
- Example 5 - Using multiple conditions to improve matches
Example 1 - Detect messages with a demand for money
rule Example_One
{
    strings:
        $string1 = "pay"            // plain strings are case-sensitive by default, so "Pay" does not match
        $string2 = "immediately"    // and they match inside longer words ("repay", "paypal") unless marked fullword
    condition:
        $string1 and $string2       // both words must appear somewhere in the message
}
Example 2 - Prevent specific website links or names
rule Example_Two
{
    strings:
        $MaliciousWeb1 = "www.scamwebsite.com"
        $MaliciousWeb2 = "www.notrealwebsite.com"
        $MaliciousWeb3 = "www.freemoney.com"
        $AttackerName1 = "hackx1203"
        $AttackerName2 = "Hackor"
        $AttackerName3 = "Hax"
    condition:
        any of them                 // one hit on any listed domain or handle is enough
}
Example 3 - Hexadecimal strings for file signatures
rule Example_Three
{
    strings:
        $Hex_PDF = { 25 50 44 46 }                 // "%PDF", the PDF header
        $Hex_PNG = { 89 50 4E 47 0D 0A 1A 0A }     // the PNG file signature
    condition:
        any of them                 // matches the bytes anywhere in the data, not only at offset 0
}
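The rule above fires wherever the magic bytes occur, so a PNG signature embedded in the middle of an unrelated file also counts. The following is an added example, not code from the original article, that anchors the check to the start of the file in two equivalent ways: with the `at 0` string qualifier, and by reading the leading bytes as big-endian integers. Rule names and comments are illustrative assumptions.

```yara
// Added example (not from the original article): file-signature checks
// anchored to offset 0. Rule names are illustrative.
rule Example_Three_Anchored
{
    meta:
        description = "PDF, PNG or ZIP container identified by the magic bytes at the start of the file"

    strings:
        $Hex_PDF = { 25 50 44 46 }                 // "%PDF"
        $Hex_PNG = { 89 50 4E 47 0D 0A 1A 0A }     // PNG signature
        $Hex_ZIP = { 50 4B 03 04 }                 // "PK\x03\x04": ZIP, also DOCX/XLSX/JAR

    condition:
        // "at 0" restricts each string to the very first byte of the data
        $Hex_PDF at 0 or $Hex_PNG at 0 or $Hex_ZIP at 0
}

rule Example_Three_IntegerForm
{
    meta:
        description = "Same check without a strings section, reading the header as integers"

    condition:
        // uint32be(offset) reads four bytes big-endian; no string scan is needed
        uint32be(0) == 0x25504446 or                                    // "%PDF"
        (uint32be(0) == 0x89504E47 and uint32be(4) == 0x0D0A1A0A) or    // PNG
        uint32be(0) == 0x504B0304                                       // ZIP
}
```

One caveat for mail filtering: inside a raw MIME message an attachment is base64-encoded, so these byte sequences only appear if the engine scans the decoded attachment rather than the message source.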
Example 4 - Using a regular expression to detect URLs
rule Example_Four
{
    strings:
        $Regex_URL = /https?:\/\/([\w\.-]+)([\/\w \.-]*)/    // any http or https link
        $CEO = "Bob Kent" nocase                              // nocase: "bob kent" and "BOB KENT" also match
    condition:
        all of them                 // a link and the CEO's name in the same message (impersonation pattern)
}
Example 5 - Using multiple conditions to improve matches
rule Example_Five
{
    strings:
        $Quarantine_Message1 = "install"
        $Quarantine_Message2 = "upload"
        $Prevent_Quarantine  = "meeting"
    condition:
        // quarantine on either action word, unless the message also mentions a meeting
        ($Quarantine_Message1 or $Quarantine_Message2) and not $Prevent_Quarantine
}
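Examples 1 and 5 match plain, case-sensitive substrings and combine them with and/or/not. The following is an added example, not code from the original article, that hardens both patterns: `nocase fullword` so that "PAY" matches but "paypal" does not, wildcard string sets (`$demand*`), a count threshold (`#demand1`), a size limit, and an allowlist written as a separate `private` rule that other rules can reference. Rule names, strings and thresholds are illustrative assumptions.

```yara
// Added example (not from the original article). Rule names, strings
// and thresholds are illustrative assumptions.

// Reusable allowlist: a private rule never reports on its own, it only
// exists to be referenced from other conditions.
private rule Allowlist_Meeting
{
    strings:
        $meeting = "meeting" nocase fullword
    condition:
        $meeting
}

rule Example_Five_Hardened
{
    meta:
        description = "Demand for money plus a requested action, case-insensitive, whole words only"

    strings:
        $demand1 = "pay" nocase fullword            // fullword: no hit inside "paypal" or "repay"
        $demand2 = "immediately" nocase fullword
        $demand3 = "wire transfer" nocase
        $action1 = "install" nocase fullword
        $action2 = "upload" nocase fullword

    condition:
        // two distinct demand strings, or "pay" repeated three or more times,
        // plus at least one action word, in a message of reasonable size,
        // and nothing that the allowlist rule matched
        (2 of ($demand*) or #demand1 >= 3)
        and any of ($action*)
        and filesize < 512KB
        and not Allowlist_Meeting
}
```

The `#demand1` counter and the `2 of ($demand*)` set are what stop a single innocuous "pay" from firing the rule; the `private` allowlist can be reused by every rule in the file instead of repeating the exclusion string in each one.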
If you have any further questions, please contact our support team by clicking here.