The pattern matching swiss knife
C Yacc Lex M4 C++ Makefile Other
Clone or download
Latest commit f14c5cb Aug 15, 2018
Permalink
Failed to load latest commit information.
dist Update RPM spec May 27, 2015
docs Set version number to 3.8.1 Aug 14, 2018
extra Convert logo to vectorial format Dec 10, 2015
libyara Minor style fixes. Aug 15, 2018
m4 Spelling (#582) Dec 15, 2016
tests Fix warning threshold as it was causing too many warnings after 8c11db3. Aug 15, 2018
windows/vs2015 Fix type in macro definition for in Visual Studio project. Aug 6, 2018
.gitignore Implement calculation of atom quality based in a prevalence table (#904) Jul 6, 2018
.travis.yml Enable Coverity scan. May 30, 2018
AUTHORS Add Hilko Bengen to AUTHORS and CONTRIBUTORS May 13, 2015
CONTRIBUTORS Some re-styling in dex module. Add adesnos to CONTRIBUTORS. Feb 7, 2018
COPYING Change license to 3-clause BSD Jun 24, 2016
Makefile.am Make tests find external files if run from separate build directory (#… Aug 8, 2018
README.md Update README.md (#900) Jun 28, 2018
appveyor.yml Set version number to 3.8.1 Aug 14, 2018
args.c Fix argument size when setting booleans. (#927) Aug 8, 2018
args.h Spelling (#582) Dec 15, 2016
bootstrap.sh Fix issues while building in some systems Dec 1, 2014
build.sh Make build.sh executable (chmod +x build.sh) Jan 16, 2018
common.h Allow using "-" in command-line to read files rules from stdin. Aug 1, 2018
configure.ac Set version number to 3.8.1 Aug 14, 2018
sample.file Change license to 3-clause BSD Jun 24, 2016
sample.rules Initial import Sep 26, 2008
threading.c semaphore_init: use sem_init on FreeBSD (#815) Feb 1, 2018
threading.h Windows mutex replaced with CriticalSection Nov 11, 2016
yara.c Sort command-line options alphabetically. Aug 1, 2018
yara.man Update man page. Aug 1, 2018
yarac.c Sort command-line options alphabetically. Aug 1, 2018
yarac.man Implement —fail-on-warnings command-line argument Nov 22, 2016

README.md

Join the chat at https://gitter.im/VirusTotal/yara Travis build status AppVeyor build status Coverity status

YARA in a nutshell

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic. Let's see an example:

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"

    condition:
        $a or $b or $c
}

The above rule is telling YARA that any file containing one of the three strings must be reported as silent_banker. This is just a simple example, more complex and powerful rules can be created by using wild-cards, case-insensitive strings, regular expressions, special operators and many other features that you'll find explained in YARA's documentation.

YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.

Additional resources

If you plan to use YARA to scan compressed files (.zip, .tar, etc) you should take a look at yextend, a very helpful extension to YARA developed and open-sourced by Bayshore Networks.

Additionally, the guys from InQuest have curated an awesome list of YARA-related stuff.

Who's using YARA

Are you using it? Want to see your site listed here?