Creating a YARA Rule File

Deep Discovery Analyzer supports YARA rules that follow version 3.10.0 of the official specifications. YARA rules are stored in plain text files that can be created using any text editor.

For more information about writing YARA rules, visit the following site:

https://yara.readthedocs.io/en/v3.10.0/writingrules.html

A YARA rule file must fulfill certain requirements before it can be added to Virtual Analyzer for malware detection:

  • File name must be unique

  • File content cannot be empty

The following example shows a simple YARA rule:

rule NumberOne
{
meta:
desc = "Sonala"
weight = 10
strings:
$a = {6A 40 68 00 30 00 00 6A 14 8D 91}
$b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
$c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
condition:
$a or $b or $c
}

The following table lists the different parts of the YARA rule and how they are used:

Table 1. YARA Rule Parts and Usage

Part

Usage

rule

The YARA rule name. Must be unique and cannot contain spaces.

meta:

Indicates that the "meta" section begins. Parts in the meta section do not affect detection.

desc

Optional part that can be used to describe the rule.

weight

Optional part that must be between 1 and 10 that determines the risk level if rule conditions are met:

  • 1 to 9 = Low risk

  • 10 = High risk

Note:

The weight value does not correspond to the risk level assigned by Deep Discovery Analyzer.

strings:

Indicates that the "strings" section begins. Strings are the main means of detecting malware.

$a / $b / $c

Strings used to detect malware. Must begin with a $ character followed by one of more alphanumeric characters and underscores.

condition:

Indicates that the "condition" section begins. Conditions determine how your strings are used to detect malware.

$a or $b or $c

Conditions are Boolean expressions that define the logic of the rule. They tell the condition under which a submitted object satisfies the rule or not. Conditions can range from the typical Boolean operators and, or and not, to relational operators >=, <=, <, >, == and !=. Arithmetic operators (+, -, *, \, %) and bitwise operators (&, |, <<, >>, ~, ^) can be used on numerical expressions.