Repository of yara rules
Shell
Switch branches/tags
Nothing to show
Clone or download
Permalink
Failed to load latest commit information.
Antidebug_AntiVM Adding malware/APT_Grasshopper.yar Apr 7, 2017
CVE_Rules Create CVE-2018-4878.yar Feb 4, 2018
Crypto Moved Crypto/base64.yar to utils/base64.yar according to #239 and reg… Jul 1, 2017
Exploit-Kits Update and rename Zeus_EK.yar to EK_Zeus.yar Jul 20, 2016
Malicious_Documents Create Maldoc_Word_2007_XML_Flat_OPC.yar May 23, 2018
Mobile_Malware Create Android_Tempting_Cedar_Spyware.yar Mar 6, 2018
Packers emotet Packer update Dec 12, 2017
Webshells Comment webshell_generic_php_5 Oct 10, 2017
email Update Email_generic_phishing Jan 3, 2018
malware Update TOOLKIT_Mandibule.yar Jun 2, 2018
utils Merge pull request #247 from FliegenEinhorn/master Jul 11, 2017
.gitmodules Added module yara-forensics. May 2, 2017
.travis.yml Update .travis.yml Jun 2, 2018
Antidebug_AntiVM_index.yar Updating indexes. Jun 2, 2018
CVE_Rules_index.yar Updating indexes. Jun 2, 2018
Crypto_index.yar Updating indexes. Jun 2, 2018
Exploit-Kits_index.yar Updating indexes. Jun 2, 2018
LICENSE Initial commit Apr 11, 2015
Malicious_Documents_index.yar Updating indexes. Jun 2, 2018
Mobile_Malware_index.yar Updating indexes. Jun 2, 2018
Packers_index.yar Updating indexes. Jun 2, 2018
README.md Small typo on Algorithms May 20, 2018
Webshells_index.yar Updating indexes. Jun 2, 2018
email_index.yar Updating indexes. Jun 2, 2018
index.yar Index updated Feb 6, 2018
index_gen.sh Updating indexes. Jun 2, 2018
index_w_mobile.yar Index updated Feb 6, 2018
malware_index.yar Updating indexes. Jun 2, 2018

README.md

Build Status

Project

This project covers the need of a group of IT Security Researchers to have a single repository where different Yara signatures are compiled, classified and kept as up to date as possible, and began as an open source community for collecting Yara rules. Our Yara ruleset is under the GNU-GPLv2 license and open to any user or organization, as long as you use it under this license.

Yara is becoming increasingly used, but knowledge about the tool and its usage is dispersed across many different places. The Yara Rules project aims to be the meeting point for Yara users by gathering together a ruleset as complete as possible thusly providing users a quick way to get Yara ready for usage.

We hope this project is useful for the Security Community and all Yara Users, and are looking forward to your feedback. Join this community by subscribing to our mailing list.

Contribute

If you’re interested in sharing your Yara rules with us and the Security Community, you can join our mailing list, send a message to our Twitter account or send a pull request here.

Twitter account: https://twitter.com/yararules

Mailing list : http://list.yararules.com/mailman/listinfo/yararules.com.signatures

Requirements

Yara version 3.0 or higher is required for most of our rules to work. This is mainly due to the use of the "pe" module introduced in that version.

You can check your installed version with yara -v

Packages available in Ubuntu 14.04 LTS default repositories are too old. You can alternatively install from source or use the packages available in the Remnux repository.

Also, you will need Androguard Module if you want to use the rules in the 'mobile_malware' category.

Categories

Anti-debug/Anti-VM

In this section you will find Yara Rules aimed toward the detection of anti-debug and anti-virtualization techniques used by malware to evade automated analysis.

CVE_Rules

In this section you will find Yara Rules specialised toward the identification of specific Common Vulnerabilities and Exposures (CVEs)

Crypto

In this section you will find Yara rules aimed toward the detection and existence of cryptographic algorithms.

Exploit Kits

In this section you will find Yara rules aimed toward the detection and existence of Exploit Kits.

Malicious Documents

In this section you will find Yara Rules to be used with documents to find if they have been crafted to leverage malicious code.

Malware

In this section you will find Yara rules specialised toward the identification of well-known malware.

Packers

In this section you will find Yara Rules aimed to detect well-known software packers, that can be used by malware to hide itself.

WebShells

In this section you will find Yara rules specialised toward the identification of well-known webshells.

Email

In this section you will find Yara rules specialised toward the identification of malicious e-mails.

Malware Mobile

In this section you will find Yara rules specialised toward the identification of well-known mobile malware.

Many rules in this section use the Androguard module developed by the people over at https://koodous.com/.

You can get it, along with installation instructions, at https://github.com/Koodous/androguard-yara

Contact

Webpage: http://yararules.com

Twitter account: https://twitter.com/yararules

Mail list : http://list.yararules.com/mailman/listinfo/yararules.com.signatures