The pattern matching swiss knife
C Yacc Lex M4 C++ Makefile Other
Clone or download
Latest commit f14c5cb Aug 15, 2018
Failed to load latest commit information.
dist Update RPM spec May 27, 2015
docs Set version number to 3.8.1 Aug 14, 2018
extra Convert logo to vectorial format Dec 10, 2015
libyara Minor style fixes. Aug 15, 2018
m4 Spelling (#582) Dec 15, 2016
tests Fix warning threshold as it was causing too many warnings after 8c11db3. Aug 15, 2018
windows/vs2015 Fix type in macro definition for in Visual Studio project. Aug 6, 2018
.gitignore Implement calculation of atom quality based in a prevalence table (#904) Jul 6, 2018
.travis.yml Enable Coverity scan. May 30, 2018
AUTHORS Add Hilko Bengen to AUTHORS and CONTRIBUTORS May 13, 2015
CONTRIBUTORS Some re-styling in dex module. Add adesnos to CONTRIBUTORS. Feb 7, 2018
COPYING Change license to 3-clause BSD Jun 24, 2016 Make tests find external files if run from separate build directory (#… Aug 8, 2018 Update (#900) Jun 28, 2018
appveyor.yml Set version number to 3.8.1 Aug 14, 2018
args.c Fix argument size when setting booleans. (#927) Aug 8, 2018
args.h Spelling (#582) Dec 15, 2016 Fix issues while building in some systems Dec 1, 2014 Make executable (chmod +x Jan 16, 2018
common.h Allow using "-" in command-line to read files rules from stdin. Aug 1, 2018 Set version number to 3.8.1 Aug 14, 2018
sample.file Change license to 3-clause BSD Jun 24, 2016
sample.rules Initial import Sep 26, 2008
threading.c semaphore_init: use sem_init on FreeBSD (#815) Feb 1, 2018
threading.h Windows mutex replaced with CriticalSection Nov 11, 2016
yara.c Sort command-line options alphabetically. Aug 1, 2018 Update man page. Aug 1, 2018
yarac.c Sort command-line options alphabetically. Aug 1, 2018 Implement —fail-on-warnings command-line argument Nov 22, 2016

Join the chat at Travis build status AppVeyor build status Coverity status

YARA in a nutshell

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic. Let's see an example:

rule silent_banker : banker
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true

        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}

        $a or $b or $c

The above rule is telling YARA that any file containing one of the three strings must be reported as silent_banker. This is just a simple example, more complex and powerful rules can be created by using wild-cards, case-insensitive strings, regular expressions, special operators and many other features that you'll find explained in YARA's documentation.

YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.

Additional resources

If you plan to use YARA to scan compressed files (.zip, .tar, etc) you should take a look at yextend, a very helpful extension to YARA developed and open-sourced by Bayshore Networks.

Additionally, the guys from InQuest have curated an awesome list of YARA-related stuff.

Who's using YARA

Are you using it? Want to see your site listed here?