For this lab, you’ll need the machine from the first lab where we installed Yara. You should be able to type yara --help at the command line.

YARA rules are akin to the familiar 'grep' statements, designed to match specific strings within files. At their core, they are straightforward and intuitive to write. As you learn the basics, you'll find that even the more complex rules/signatures encountered in real-world scenarios become decipherable and manageable.

In this lab we’ll craft basic YARA rules focused on string matching, laying the foundation for more advanced usage in the future. (Yara Rules Documentation Here)

Create a folder to work in for this lab:

mkdir /home/student/my_rules
cd /home/student/my_rules


In this initial activity, we'll create a benign text file containing the words 'hello world' to demonstrate YARA's pattern-matching capabilities. This exercise mirrors the essence of signature-based detection: once malicious patterns are identified, specific rules can be crafted to detect these signatures. By understanding this foundational concept with a simple text file, you'll appreciate how YARA rulesets are built and incorporated by security professionals to identify malware.

Create a file called example_file.txt

pico example_file.txt

Write ‘hello world’ and save it.


We'll craft a basic YARA rule named simple_rule.yar. This rule will contain three fundamental sections commonly found in YARA rules: meta, strings, and condition. Each section serves a distinct purpose:

Create a file called simple_rule.yar using pico

pico simple_rule.yar

Copy and paste the following:

rule MyRule1
{
    meta:
        description = "The meta section is optional"
        beck_statement = "We can include anything here."
        important = "Often times it will include information like file hashes or links to more info"
        link = "https://cyberlessons101.com"

    strings:
        $text_string = "hello world"

    condition:
        $text_string
}
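To see what the strings and condition sections actually do when yara scans example_file.txt, here is an added example (not part of the lab, and not the yara tool itself): a deliberately minimal Python re-implementation that parses a rule like MyRule1 and evaluates it against file contents. It assumes only plain text strings, the optional nocase modifier, and conditions built from string identifiers with and/or/not; it shows why 'hello world' matches and why 'Hello World' would not, since YARA text strings are case-sensitive unless nocase is given.

```python
import re

# Constructed copy of the lab's simple_rule.yar with the meta section
# trimmed; meta is parsed but plays no part in matching.
RULE_TEXT = '''
rule MyRule1
{
    meta:
        description = "The meta section is optional"
    strings:
        $text_string = "hello world"
    condition:
        $text_string
}
'''

STRING_DEF = re.compile(r'^\s*(\$\w+)\s*=\s*"([^"]*)"\s*(nocase)?\s*$')

def parse_rule(text):
    """Return (name, {identifier: (bytes, nocase)}, condition) for one rule."""
    name = re.search(r'\brule\s+(\w+)', text).group(1)
    sections, current = {}, None
    for line in text[text.index('{') + 1:text.rindex('}')].splitlines():
        head = re.match(r'^\s*(meta|strings|condition):\s*$', line)
        if head:
            current = head.group(1)
        elif current and line.strip():
            sections.setdefault(current, []).append(line)
    strings = {}
    for line in sections.get('strings', []):
        m = STRING_DEF.match(line)
        if not m:
            raise ValueError('unsupported string definition: ' + line.strip())
        strings[m.group(1)] = (m.group(2).encode(), m.group(3) is not None)
    condition = ' '.join(l.strip() for l in sections['condition'])
    if re.sub(r'\$\w+|\b(and|or|not)\b|[()\s]', '', condition):
        raise ValueError('unsupported condition: ' + condition)
    return name, strings, condition

def rule_matches(rule, data):
    """True when the condition holds; each $id is true if its string occurs in data."""
    _, strings, condition = rule
    truth = {ident: (value.lower() in data.lower()) if nocase else (value in data)
             for ident, (value, nocase) in strings.items()}
    # Replace each identifier with its truth value. parse_rule already rejected
    # anything but identifiers, and/or/not and parentheses, so the remaining
    # expression is pure boolean syntax and is evaluated with no builtins exposed.
    expr = re.sub(r'\$\w+', lambda m: str(truth[m.group(0)]), condition)
    return bool(eval(expr, {'__builtins__': {}}, {}))
```

Running rule_matches(parse_rule(RULE_TEXT), open('example_file.txt', 'rb').read()) mirrors what yara simple_rule.yar example_file.txt reports for the lab file.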