
YARA rules describe patterns in files or memory. Security teams use YARA to detect malware, classify samples, and hunt for threats. Understanding YARA fundamentals enables custom detection capabilities.
YARA rules have three sections:
    rule RuleName {
        meta:
            author = "Analyst"
            description = "Detects specific malware"
            date = "2024-01-15"
        strings:
            $string1 = "malicious_export"
            $string2 = { 4D 5A 90 00 03 00 }
            $string3 = /http:\/\/[a-z]+\.evil\.com/
        condition:
            all of them
    }
meta provides rule documentation—author, description, references.
strings defines patterns to match.
condition specifies matching logic.
Text strings match literal content:
$a = "password"
$b = "username" nocase
$c = "secret" wide
Modifiers: nocase (case-insensitive), wide (UTF-16LE encoding, as Windows stores most strings), ascii (the default; combine with wide to match both encodings), fullword (match only when bounded by non-alphanumeric characters)
Hex strings match byte sequences:
$hex = { 4D 5A 90 00 }
$pattern = { 4D 5A [2-4] 00 03 }
Wildcards: ?? (any single byte), [n] (skip exactly n bytes), [n-m] (skip between n and m bytes)
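To make the hex-string wildcards above concrete, here is an added Python helper (not part of the lesson, and not YARA's own matcher) that translates the ??, [n] and [n-m] tokens into a bytes regex, so you can see which constructed buffers a pattern such as { 4D 5A [2-4] 00 03 } does and does not match. The function names and sample buffers are this example's own.

```python
import re

# One token of the lesson's hex-string syntax: a byte, "??", or a jump.
# Nibble wildcards (e.g. "4?") and alternatives are not handled here.
TOKEN = re.compile(r"\s*(?:([0-9A-Fa-f]{2})|(\?\?)|\[(\d+)(?:-(\d+))?\])")


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn '{ 4D 5A [2-4] 00 03 }' into a compiled bytes regex."""
    body = pattern.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("hex string must be enclosed in { }")
    body = body[1:-1]
    parts = []
    pos = 0
    while pos < len(body):
        m = TOKEN.match(body, pos)
        if not m:
            if body[pos:].strip() == "":
                break  # only trailing whitespace left
            raise ValueError(f"unexpected token at {body[pos:]!r}")
        byte, any_byte, lo, hi = m.groups()
        if byte:
            parts.append(re.escape(bytes.fromhex(byte)))  # literal byte
        elif any_byte:
            parts.append(b".")  # ?? matches exactly one arbitrary byte
        else:
            low = int(lo)
            high = int(hi) if hi is not None else low  # [n] means [n-n]
            if high < low:
                raise ValueError("jump upper bound is below lower bound")
            parts.append(b".{%d,%d}" % (low, high))
        pos = m.end()
    # DOTALL so the wildcards also match 0x0A bytes.
    return re.compile(b"".join(parts), re.DOTALL)


def hex_matches(pattern: str, data: bytes) -> bool:
    return hex_pattern_to_regex(pattern).search(data) is not None


def is_valid_hex_pattern(pattern: str) -> bool:
    try:
        hex_pattern_to_regex(pattern)
        return True
    except ValueError:
        return False


# Constructed sample buffers (not real files): two start like a DOS header
# with different-length gaps before 00 03, the third is an ELF magic.
SAMPLES = {
    "mz_gap2": bytes.fromhex("4D5A AABB 0003 0000"),
    "mz_gap1": bytes.fromhex("4D5A AA 0003 0000"),
    "elf": bytes.fromhex("7F454C46 0003 0000"),
}
```

The [2-4] jump requires at least two bytes between 5A and 00 03, so mz_gap2 matches while mz_gap1 does not; that is the kind of edge a rule author should check against real samples before deployment.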
Regular expressions provide flexible matching:
$regex = /https?:\/\/[a-z0-9]+\..+/
Conditions combine string matches:
any of them
all of them
2 of ($a, $b, $c)
$a and ($b or $c)
File properties add context to the condition:
filesize < 100KB
uint16(0) == 0x5A4D // little-endian read of the "MZ" header at offset 0
pe.timestamp > 1600000000 // requires import "pe" at the top of the rule file
Broad rules are slow. Unique strings perform better than common ones.
Test against large file sets before deployment. A rule that scans quickly on one file might cause timeouts on large directories.
Use fast strings (atoms) when possible. YARA extracts short substrings (atoms) from each pattern for a fast initial scan and only runs the full match where an atom hits; patterns built from distinctive bytes yield better atoms than ones dominated by wildcards, jumps, or very common bytes such as 00.
How do YARA conditions work?
Which YARA section defines the match logic?
What are YARA modules?
Which YARA module analyzes Windows binaries?