Name: Yara Authoring
Author: elizaOS

YARA Rule Authoring

When to Use

Writing YARA rules to detect malware samples or families
Creating detection signatures for indicators of compromise (IOCs)
Scanning files or directories for known threat patterns
Building threat hunting rules from intelligence reports
Classifying unknown samples based on behavioral or structural patterns

When NOT to Use

Dynamic malware analysis (use sandbox environments)
Network traffic analysis (use Suricata/Snort rules)
Static analysis of source code (use Semgrep/CodeQL)

Rule Template

rule MalwareFamily_Variant : tag1 tag2 {
    meta:
        author = "analyst"
        description = "Detects MalwareFamily variant based on unique strings"
        date = "2024-01-01"
        reference = "https://example.com/report"
        hash = "abc123..."
        severity = "high"

    strings:
        $s1 = "unique_malware_string" ascii
        $s2 = { 4D 5A 90 00 03 00 }  // hex pattern
        $s3 = /https?:\/\/[a-z0-9]+\.evil\.com/ nocase  // regex

    condition:
        uint16(0) == 0x5A4D and  // MZ header (PE file)
        filesize < 5MB and
        (2 of ($s*))
}

YARA Rule Authoring

When to Use

Writing YARA rules to detect malware samples or families
Creating detection signatures for indicators of compromise (IOCs)
Scanning files or directories for known threat patterns
Building threat hunting rules from intelligence reports
Classifying unknown samples based on behavioral or structural patterns

When NOT to Use

Dynamic malware analysis (use sandbox environments)
Network traffic analysis (use Suricata/Snort rules)
Static analysis of source code (use Semgrep/CodeQL)

Rule Template

rule MalwareFamily_Variant : tag1 tag2 {
    meta:
        author = "analyst"
        description = "Detects MalwareFamily variant based on unique strings"
        date = "2024-01-01"
        reference = "https://example.com/report"
        hash = "abc123..."
        severity = "high"

    strings:
        $s1 = "unique_malware_string" ascii
        $s2 = { 4D 5A 90 00 03 00 }  // hex pattern
        $s3 = /https?:\/\/[a-z0-9]+\.evil\.com/ nocase  // regex

    condition:
        uint16(0) == 0x5A4D and  // MZ header (PE file)
        filesize < 5MB and
        (2 of ($s*))
}

Type	Syntax	Use Case
Text	`"string"`	ASCII strings
Hex	`{ AA BB CC }`	Byte patterns, shellcode
Regex	`/pattern/`	Flexible text matching

Yara Authoring

YARA Rule Authoring

When to Use

When NOT to Use

Rule Template

Yara Authoring

YARA Rule Authoring

When to Use

When NOT to Use

Rule Template

String Types

Modifiers

Condition Operators

1password

Springboot Security

Security Review

Laravel Security

Security Review

Django Security