
YARA – A pattern-matching Swiss knife for malware researchers - Daviey
http://virustotal.github.io/yara/
======
xvilka
Note, that it can be integrated with radare2[1], the reverse engineering
framework and toolset. The integration will allow you to apply and generate
YARA signatures from within. There are two plugins - to use radare2 from
Yara[2], and Yara from radare2[3]. The second one you can install using the
embedded r2 package manager: `r2pm -i yara`

[1] https://github.com/radareorg/radare2

[2] https://r2yara.readthedocs.io/en/latest/

[3] https://github.com/radareorg/radare2-extras/tree/master/yara

------
saagarjha
Fun fact: XProtect on macOS uses YARA to match known malicious software. The
database is at
/System/Library/CoreServices/XProtect.bundle/Contents/Resources/XProtect.yara
if you'd like to look at it yourself.

~~~
campfireveteran
Yep. And YARA lives at /System/Library/PrivateFrameworks/yara.framework

I had a problem a few years ago with YARA consuming all CPU time while on
battery and never finishing whatever it was doing.

------
campfireveteran
On macOS, see also:

    /System/Library/PrivateFrameworks/yara.framework
    man yara

PS: I wish VirusTotal had a high-rate, free API that could be used as the basis
for local endpoint scanners.

------
vuln
Love me some Yara. It’s totally the best.

------
pmoriarty
YARA reminds me of the venerable "file" utility, and I wonder if YARA could be
used in place of it to identify non-malware files that "file" has trouble
identifying.

~~~
Pete_D
The syntax isn't as nice as YARA's, but you can extend file's capabilities if
you need by writing a custom magic file - see 'man 5 magic'.

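An added example of the file(1)-style identification discussed above; it is not from any commenter in this thread or from the YARA project. The rule names and descriptions are made up; the magic values are the standard ones, and the `ft_ooxml` rule shows where YARA goes past a bare magic check by combining the ZIP header with a string inside the archive.

```yara
// Constructed example, not code from the thread or from the YARA project.
// Each rule matches on magic bytes at offset 0, the same check that
// file(1) performs through its magic database. Run: yara -s ftypes.yar <sample>

rule ft_elf
{
    meta: description = "ELF binary: bytes 7F 45 4C 46"
    condition: uint32(0) == 0x464C457F   // uintN() reads little-endian
}

rule ft_pe
{
    meta: description = "PE image: 'MZ' at 0 and 'PE' signature at e_lfanew"
    condition:
        uint16(0) == 0x5A4D and
        uint32(uint32(0x3C)) == 0x00004550
}

rule ft_macho
{
    meta: description = "Mach-O (32- or 64-bit, either byte order)"
    condition:
        uint32(0) == 0xFEEDFACE or uint32(0) == 0xFEEDFACF or
        uint32(0) == 0xCEFAEDFE or uint32(0) == 0xCFFAEDFE
}

rule ft_macho_fat
{
    meta: description = "Mach-O universal (fat) binary"
    condition:
        // CA FE BA BE is shared with Java class files. A fat header has a
        // small nfat_arch at offset 4 where a class file has its version
        // (major >= 45), so require the count to be small.
        uint32be(0) == 0xCAFEBABE and uint32be(4) < 0x20
}

rule ft_pdf
{
    meta: description = "PDF document"
    strings: $hdr = "%PDF-"
    condition: $hdr at 0
}

rule ft_zip
{
    meta: description = "ZIP archive (local file header)"
    condition: uint32(0) == 0x04034B50
}

rule ft_ooxml
{
    meta: description = "Office Open XML (docx/xlsx/pptx): ZIP containing [Content_Types].xml"
    strings: $ct = "[Content_Types].xml"
    condition: ft_zip and $ct
}
```

Unlike file(1), which stops at the first match, YARA reports every rule that fires, so an OOXML document matches both `ft_zip` and `ft_ooxml`.
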
------
bane
YARA is amazing, anybody have some good collections of rules?

~~~
ahje
"site:github.com filetype:yar" usually yields a few good ones. It's probably
easier if you're more specific as to which specific use case you have in mind.

And yes, Yara is a godsend. :)

------
jmpman
How well do these tools work against code built using obfuscating compilers?

------
henrygrew
YARA - Yet Another Regex App

------
pwelch
Yara is an awesome tool

