Deep Discovery Email Inspector supports YARA rules that follow version 3.10.0 of the official specifications. YARA rules are stored in plain text files that can be created using any text editor.

For more information about writing YARA rules, visit the following site:
A YARA rule file must fulfill certain requirements before it can be added to Virtual Analyzer for malware detection:

- File name must be unique
- File content cannot be empty
The following example shows a simple YARA rule:

    rule NumberOne {
        meta:
            desc = "Sonala"
            weight = 10
        strings:
            $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
            $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
            $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
        condition:
            $a or $b or $c
    }
The following table lists the different parts of the YARA rule and how they are used:

YARA Rule Parts and Usage

| Part | Usage |
| --- | --- |
| rule | The YARA rule name. Must be unique and cannot contain spaces. |
| meta: | Indicates that the "meta" section begins. Parts in the meta section do not affect detection. |
| desc | Optional part that can be used to describe the rule. |
| weight | Optional part that must be between 1 and 10 and determines the risk level if the rule conditions are met. |
| strings: | Indicates that the "strings" section begins. Strings are the main means of detecting malware. |
| $a / $b / $c | Strings used to detect malware. Must begin with a $ character followed by one or more alphanumeric characters and underscores. |
| condition: | Indicates that the "condition" section begins. Conditions determine how your strings are used to detect malware. |
| $a or $b or $c | Conditions are Boolean expressions that define the logic of the rule. They state the condition under which a submitted object satisfies the rule or not. Conditions can range from the typical Boolean operators and, or and not, to relational operators >=, <=, <, >, == and !=. Arithmetic operators (+, -, *, \, %) and bitwise operators (&, \|, <<, >>, ~, ^) can be used on numerical expressions. |
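The checks below are an added example, not code from the product or from the YARA project: a small pre-upload validator for the requirements listed above (non-empty content, unique rule name without spaces, weight between 1 and 10) plus a toy evaluator that shows how the example rule's hex and text strings map to bytes and how its `or` condition is decided. The rule text is a constructed copy of the page's example; the evaluator is an assumption-level stand-in for the real engine and handles only `or` between string identifiers.

```python
import re

# Constructed sample: the page's example rule as it would sit in a rule file.
RULE_TEXT = '''
rule NumberOne {
    meta:
        desc = "Sonala"
        weight = 10
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}
'''
# $identifier = {hex bytes} or "text", as described in the parts table
STRING_RE = re.compile(r'(\$[A-Za-z0-9_]+)\s*=\s*(\{[^}]*\}|"[^"]*")')

def check_rule_file(text):
    """Return problems against the upload requirements (non-empty content,
    unique rule name without spaces, weight in 1..10); [] means it passes."""
    if not text.strip():
        return ["file content is empty"]
    problems = []
    names = [n.strip() for n in re.findall(r'^\s*rule\s+([^{]+)\{', text, re.M)]
    if len(names) != len(set(names)):
        problems.append("duplicate rule name")
    problems += [f"rule name contains spaces: {n}" for n in names if " " in n]
    for w in re.findall(r'weight\s*=\s*(-?\d+)', text):
        if not 1 <= int(w) <= 10:
            problems.append(f"weight {w} outside 1..10")
    return problems

def parse_strings(text):
    """Map each $identifier to the raw bytes it matches."""
    out = {}
    for ident, value in STRING_RE.findall(text):
        if value.startswith("{"):
            out[ident] = bytes.fromhex(value[1:-1].replace(" ", ""))
        else:
            out[ident] = value[1:-1].encode()
    return out

def matches(text, data):
    """Toy evaluator for an 'or'-only condition such as '$a or $b or $c'."""
    patterns = parse_strings(text)
    cond = re.search(r'condition:\s*(.+?)\s*\}', text, re.S).group(1)
    return any(patterns[t] in data for t in cond.split() if t.startswith("$"))
```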