A plethora of different tools exist to detect threats to the corporate network. Some of these detections are based on network signatures, while some others are based on files or behavior on the endpoints or on the servers of the company. Most of these solutions use existing rules to detect danger, which hopefully are updated often. But what happens when the security staff wants to add custom rules for detection or do their own incident response on endpoints using specific rules? This is where YARA comes into play.
What is YARA?
YARA is a free and open-source tool aimed at helping security staff detect and classify malware, but it should not be limited to this single purpose. YARA rules can also help detect specific files or whatever content you might want to detect.
SEE: 40+ open source and Linux terms you need to know (TechRepublic Premium)
YARA comes as a binary that can be launched against files, taking YARA rules as arguments. It works on Windows, Linux and Mac operating systems. It can also be used in Python scripts using the YARA-python extension.
YARA rules are text files that contain items and conditions that trigger a detection when met. These rules can be launched against a single file, a folder containing several files or even a full file system.
What can YARA be used for?
Here are a few ways you can use YARA.
The main use of YARA, and the one it was initially created for in 2008, is to detect malware. You need to understand it does not work as a traditional antivirus software. While the latter mostly detects static signatures of a few bytes in binary files or suspicious file behavior, YARA can enlarge detection by using specific components combinations. Therefore, it is possible to create YARA rules to detect whole families of malware and not just a single variant. The ability to use logical conditions to match a rule makes it a very flexible tool for detecting malicious files.
Also, it should be noted that in this context it is also possible to use YARA rules not only on files but also on memory dumps.
During incidents, security and threat analysts sometimes need to quickly examine if one particular file or content is hidden somewhere on an endpoint or even on all the corporate network. One solution to detect a file no matter where it is located can be to build and use specific YARA rules.
Quick classification of content
The use of YARA rules can make a real file triage when needed. Classification of malware by family can be optimized using YARA rules. Yet rules need to be very precise to avoid false positives.
Incoming network connection analysis
It is possible to use YARA in a network context, to detect malicious content that is sent to the corporate network to protect. YARA rules can be launched on e-mails and especially on their attached files, or on other parts of the network, like HTTP communications on a reverse proxy server, for example. Of course, it can be used as an addition to already existing analysis software.
SEE: Linux turns 30: Celebrating the open source operating system (free PDF) (TechRepublic)
Outgoing network communication analysis
Outgoing communication can be analyzed using YARA rules to detect outgoing malware communications but also to try to detect data exfiltration. Using specific YARA rules based on custom rules made to detect legitimate documents from the company might work as a data loss prevention system and detect a possible leak of internal data.
YARA is a mature product and therefore several different EDR (Endpoint Detection and Response) solutions allow personal YARA rules to be integrated into it, making it easier to run detections on all the endpoints with a single click.
How do I install YARA?
YARA is available for different operating systems: macOS, Windows, and Linux.
How to install YARA on macOS
YARA can be installed on macOS using Homebrew. Simply type and execute the command:
brew install YARA
After this operation, YARA is ready for use in the command line.
How to install YARA on Windows
YARA offers Windows binaries for easy use. Once the zip file is downloaded from the website, it can be unzipped in any folder and contains two files: Yara64.exe and Yarac64.exe (or Yara32.exe and Yarac32.exe, if you chose the 32-bit version of the files).
It is then ready to work on the command line.
How to install YARA on Linux
YARA can be installed directly from its source code. Download it here by clicking on the source code (tar.gz) link, then extract the files and compile it. As an example we’ll use version 4.1.3 of YARA, the latest version at the time of this writing, on an Ubuntu system.
Please note that a few packages are mandatory and should be installed prior to installing YARA:
sudo apt install automake libtool make gcc pkg-config
Once done, run the extraction of the files and the installation:
tar -zxf YARA-4.1.3.tar.gz
sudo make install
YARA is easy to install–the most difficult part is learning how to write efficient YARA rules, which I’ll explain in my next article.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.