YARA
Last updated
Last updated
Description: identifying specific files by looking at the characteristics of a large number of files to see if any of them match the profile
Installation
On Linux: download tar file from
Install dependencies: sudo apt-get install automake libtool make gcc pkg-config
Install YARA: tar -zxf yara-4.0.2.tar.gz -> cd yara-4.0.2/ -> ./bootstrap.sh
Compile YARA: ./configure -> make -> sudo make install
Confirm Installation: sudo make install
Usage
Write YARA Rules:
Run rule file against a target: yara [OPTIONS] RULES_FILE TARGET
YARA Flags
-m: Prints the associated meta information to the terminal after a YARA scan.
-s: Prints the matching strings to the terminal after a YARA scan.
-r: Recursively scan all subfolders within the target location to ensure everything is scanned.
YarGen to automatically generate rules for files:
Installation
YarGen: tar -zxf yarGen-0.18.0.tar.gz
sudo apt-get install python-pip
sudo pip install pefile cd
sudo pip install scandir lxml naiveBayesClassifier
python yarGen.py --update
python yarGen.py --help
Usage
python yarGen.py -m /root/Desktop/Malware -o ./TestRule.yara
python yarGen.py: Runs the yarGen python script
-m /root/Desktop/Malware: Create rules for files inside the Malware folder
-o ./TestRule.yara: Output the generated rule to the current folder
cat TestRule.yara: read rules
Resources: