A fork from https://github.com/virustotal/yara.git. The code has been stripped and the build system has been switched to CMake.
Latest commit c6c250d Dec 11, 2018
| Name | Latest commit message | Commit time |
|---|---|---|
| dist | Update RPM spec | May 27, 2015 |
| extra | Updating Yara to version 3.5.0. | Apr 18, 2017 |
| include | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| libyara | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| modules | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| proc | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| tests | Determine equality of floating point values as abs(A-B) < epsilon ins… | Aug 2, 2018 |
| yara-python | Merge branch 'master' of github.com:plusvic/yara | Oct 30, 2015 |
| .gitignore | Implement calculation of atom quality based in a prevalence table (#904) | Jul 6, 2018 |
| .travis.yml | Enable Coverity scan. | May 30, 2018 |
| AUTHORS | Add Hilko Bengen to AUTHORS and CONTRIBUTORS | May 13, 2015 |
| CMakeLists.txt | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| CONTRIBUTORS | Some re-styling in dex module. Add adesnos to CONTRIBUTORS. | Feb 7, 2018 |
| README.md | Update README.md (#900) | Jun 28, 2018 |
| ahocorasick.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| appveyor.yml | Set version number to 3.8.0 | Aug 6, 2018 |
| arena.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| atoms.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| bitmask.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| common.h | Allow using "-" in command-line to read files rules from stdin. | Aug 1, 2018 |
| compiler.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| endian.c | Updating Yara to the latest version (3.6). | Jun 22, 2017 |
| exception.h | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| exec.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| exefiles.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| filemap.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| grammar.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| grammar.h | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| grammar.y | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| hash.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| hex_grammar.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| hex_grammar.h | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| hex_grammar.y | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| hex_lexer.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| hex_lexer.l | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| lexer.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| lexer.l | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| libyara.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| mem.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| modules.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| object.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| parser.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| proc.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| re.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| re_grammar.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| re_grammar.h | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| re_grammar.y | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| re_lexer.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| re_lexer.l | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| rules.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| sample.file | Change license to 3-clause BSD | Jun 24, 2016 |
| scan.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| scanner.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| sizedstr.c | Updating Yara to the latest version (3.6). | Jun 22, 2017 |
| stopwatch.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| stream.c | Updating Yara to version 3.5.0. | Apr 18, 2017 |
| strutils.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| threading.c | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| threading.h | Merge tag 'v3.8.0' of https://github.com/virustotal/yara | Aug 7, 2018 |
| yara.c | Sort command-line options alphabetically. | Aug 1, 2018 |
| yara.man | Update man page. | Aug 1, 2018 |
| yara_errors.cpp | Increased the limits to allow long Yara rules (see previous commit fo… | Jun 26, 2017 |
| yara_errors.h | Added a function which translates Yara error codes into messages base… | Dec 14, 2015 |
| yara_wrapper.cpp | Fixed a rare double-free which occurred when a rule switch failed. | Dec 10, 2018 |
| yara_wrapper.h | Fixed a rare double-free which occurred when a rule switch failed. | Dec 10, 2018 |
| yarac.c | Sort command-line options alphabetically. | Aug 1, 2018 |

README.md

Join the chat at https://gitter.im/VirusTotal/yara

YARA in a nutshell

YARA is a tool aimed at (but not limited to) helping malware researchers identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a. rule, consists of a set of strings and a boolean expression which determines its logic. Let's see an example:

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}

The above rule tells YARA that any file containing one of the three strings must be reported as silent_banker. This is just a simple example; more complex and powerful rules can be created by using wild-cards, case-insensitive strings, regular expressions, special operators and many other features that you'll find explained in YARA's documentation.
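To make the two halves of a rule concrete (the strings section and the condition that combines them), here is a small matcher that evaluates the silent_banker rule above over a byte buffer. This is an added example, not YARA's own code and not the yara-python API: it reimplements the subset of rule semantics the README describes (hex strings, a plain text string, and an `or` condition) in plain Python, and goes one step beyond the example by treating the hex token `??` as a one-byte wildcard, a simplification of YARA's hex wild-cards. The sample buffers are constructed for the demonstration and are not real malware.

```python
import re

# Strings section of the silent_banker rule from the README, copied verbatim.
# Everything else in this file is an added toy matcher, not libyara.
RULE_STRINGS = {
    "$a": "{6A 40 68 00 30 00 00 6A 14 8D 91}",
    "$b": "{8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}",
    "$c": '"UVODFRYSIHLNWPEJXQZAKCBGMT"',
}


def compile_string(spec: str) -> re.Pattern:
    """Turn one YARA string definition into a bytes regex.

    Hex strings {..} become a literal byte sequence; the token '??' is treated
    as a full-byte wildcard (a simplification of YARA's hex wild-cards).
    Text strings "..." are matched literally and case-sensitively.
    """
    spec = spec.strip()
    if spec[0] == "{" and spec[-1] == "}":
        parts = []
        for tok in spec[1:-1].split():
            if tok == "??":
                parts.append(b".")                      # any single byte
            else:
                parts.append(re.escape(bytes([int(tok, 16)])))
        # DOTALL so the wildcard also matches the 0x0A byte
        return re.compile(b"".join(parts), re.DOTALL)
    if spec[0] == '"' and spec[-1] == '"':
        return re.compile(re.escape(spec[1:-1].encode("latin-1")))
    raise ValueError(f"unsupported string definition: {spec}")


def scan_strings(data: bytes, strings: dict) -> dict:
    """Return {identifier: [offsets]} for every string found in data.

    Offsets come from non-overlapping matches, which is enough to decide
    presence, the only thing the condition '$a or $b or $c' asks about.
    """
    found = {}
    for ident, spec in strings.items():
        offsets = [m.start() for m in compile_string(spec).finditer(data)]
        if offsets:
            found[ident] = offsets
    return found


def silent_banker_matches(data: bytes) -> bool:
    """Evaluate the rule's condition: $a or $b or $c."""
    found = scan_strings(data, RULE_STRINGS)
    return any(ident in found for ident in ("$a", "$b", "$c"))


# Constructed sample buffers (not real malware): a 4-byte header, padding,
# then one of the rule's patterns; a text-only buffer; and a clean buffer.
SAMPLE_WITH_B = (
    b"MZ\x90\x00" + b"\x00" * 16
    + bytes.fromhex("8D4DB02BC183C027996A4E59F7F9")
    + b"\x00" * 8
)
SAMPLE_WITH_C = b"header:" + b"UVODFRYSIHLNWPEJXQZAKCBGMT" + b"\n"
SAMPLE_CLEAN = b"MZ\x90\x00" + b"nothing of interest here" + b"\x00" * 8

if __name__ == "__main__":
    for name, buf in (("with_b", SAMPLE_WITH_B),
                      ("with_c", SAMPLE_WITH_C),
                      ("clean", SAMPLE_CLEAN)):
        print(name, silent_banker_matches(buf), scan_strings(buf, RULE_STRINGS))
```

`scan_strings` returns the offsets of each hit, which is the information a real scanner reports back (and which `-s` prints on the YARA command line), while the condition only needs to know whether each identifier was found at all. Real YARA compiles all strings into one Aho-Corasick automaton and scans the buffer once; this toy runs one regex per string, which is fine for a demonstration but not for thousands of rules.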

YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.

Additional resources

If you plan to use YARA to scan compressed files (.zip, .tar, etc.) you should take a look at yextend, a very helpful extension to YARA developed and open-sourced by Bayshore Networks.

Additionally, the guys from InQuest have curated an awesome list of YARA-related stuff.

Who's using YARA

Are you using it? Want to see your site listed here?