The pattern matching swiss knife
Clone or download
Latest commit de68844 Jan 19, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
dist Update RPM spec May 27, 2015
docs Add notice in documentation about yr_rules_scan_XXXX functions not be… Dec 19, 2018
extra Update CodeMirror mode (#986) Nov 20, 2018
libyara Add a TODO comment. Jan 19, 2019
m4 Spelling (#582) Dec 15, 2016
tests Add a test for #1015 Jan 19, 2019
windows Add Visual Studio 2017 compatibility (#997) Dec 19, 2018
.gitignore Add Visual Studio 2017 compatibility (#997) Dec 19, 2018
.travis.yml Enable address sanitizer when building YARA in Travis-CI. Dec 4, 2018
AUTHORS Add Hilko Bengen to AUTHORS and CONTRIBUTORS May 13, 2015
CONTRIBUTORS Some re-styling in dex module. Add adesnos to CONTRIBUTORS. Feb 7, 2018
COPYING Change license to 3-clause BSD Jun 24, 2016 Link tests with static libyara. Aug 14, 2018 Added Nextron Systems to the list (#992) Dec 19, 2018
appveyor.yml Call yr_initialize before running test cases. Aug 16, 2018
args.c Fix argument size when setting booleans. (#927) Aug 8, 2018
args.h Spelling (#582) Dec 15, 2016 Fix issues while building in some systems Dec 1, 2014 Make executable (chmod +x Jan 16, 2018
common.h is_integer(): Reject empty strings (#942) Aug 29, 2018 Set version number to 3.8.1 Aug 14, 2018
sample.file Change license to 3-clause BSD Jun 24, 2016
sample.rules Initial import Sep 26, 2008
threading.c Fixed occasional 'internal error: 31' when running multiple instances… Sep 3, 2018
threading.h Windows mutex replaced with CriticalSection Nov 11, 2016
yara.c Sort command-line options alphabetically. Aug 1, 2018 Fix wrong command-line options in man page. Jan 17, 2019
yarac.c Sort command-line options alphabetically. Aug 1, 2018 Implement —fail-on-warnings command-line argument Nov 22, 2016

Join the chat at Travis build status AppVeyor build status Coverity status

YARA in a nutshell

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic. Let's see an example:

rule silent_banker : banker
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true

        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}

        $a or $b or $c

The above rule is telling YARA that any file containing one of the three strings must be reported as silent_banker. This is just a simple example, more complex and powerful rules can be created by using wild-cards, case-insensitive strings, regular expressions, special operators and many other features that you'll find explained in YARA's documentation.

YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.

Additional resources

If you plan to use YARA to scan compressed files (.zip, .tar, etc) you should take a look at yextend, a very helpful extension to YARA developed and open-sourced by Bayshore Networks.

Additionally, the guys from InQuest have curated an awesome list of YARA-related stuff.

Who's using YARA

Are you using it? Want to see your site listed here?