About Creating Custom YARA Rules
You can upload and configure YARA rules, but you must create them outside FireEye appliances. This section contains a brief overview of creating custom YARA rules.
YARA Rule Guidelines
When creating custom YARA rules, follow these guidelines.
- YARA rules must conform to the supported version of YARA. See the Release Notes for the YARA version supported by this release of the appliance. For details about YARA, see yara Documentation by Victor Alvarez.
- YARA rule names cannot contain spaces.
- Each YARA rule must include the weight= option. When the cumulative weight assigned to a file reaches 100, an alert will be generated. If the weight= option is omitted, the rule will not be triggered. You can set the weight to 100 to generate an alert immediately when one rule is matched.
- YARA rule names cannot begin with FE_. If you attempt to upload a rule that begins with FE_, the upload fails and an error occurs.
- The total number of YARA rules uploaded across all files uploaded cannot exceed 5,000.
- Multiple YARA rules can be specified in a single file. However, all rule names must be unique across all uploaded files.
YARA Rule Files
- Each YARA file you upload to your Malware Analysis appliance must have a unique file name.
- File names can include the following characters: letters (a-z, A-Z), numbers (0-9), underscores (_), periods (.), plus and minus signs (+, -), single quotes ('), and left and right parentheses. Any other characters are replaced with the minus sign (-). For example, if you upload a file named hello%hello.doc, the file is renamed and stored on the appliance as hello-hello.doc.
- Before you upload a file of YARA rules, test the file.
- Maintain copies of your custom YARA rules files on your local system or in another storage area that is not on the appliance.
IMPORTANT! The reset factory keep-all-config CLI command does not preserve uploaded YARA rules.
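Because the appliance rejects or silently ignores rules that break the guidelines above, it is worth checking rule files locally before upload. The following pre-upload linter is an added example written for this page, not FireEye code; it uses constructed sample files and a lightweight regex scan (not a full YARA parser) to flag a missing weight= meta, the reserved FE_ prefix, duplicate rule names across files, the 5,000-rule limit, and file names the appliance would rename.

```python
import re

# Constructed sample rule files keyed by file name (not from the FireEye documentation);
# one rule per line keeps the sample short, YARA itself does not require that layout.
SAMPLE_FILES = {
    "banker.yar": 'rule SilentBanker { meta: weight = 50 strings: $a = "win.exe" condition: $a }\n'
                  'rule FE_reserved_name { meta: weight = 100 condition: filesize > 1000KB }\n',
    "sizes%2.yar": 'rule no_weight_here { condition: filesize > 2MB }\n'
                   'rule SilentBanker { meta: weight = 100 condition: true }\n',
}

ALLOWED_CHAR = re.compile(r"[A-Za-z0-9_.+\-'()]")  # file-name characters the appliance keeps
RULE_HEADER = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([^\s{:]+)", re.M)
WEIGHT_META = re.compile(r"\bweight\s*=\s*(\d+)")
MAX_RULES = 5000  # appliance-wide limit across all uploaded files

def sanitize_filename(name):
    """Mimic the appliance rename: every character outside the allowed set becomes '-'."""
    return "".join(c if ALLOWED_CHAR.fullmatch(c) else "-" for c in name)

def lint_rule_files(files, max_rules=MAX_RULES):
    """Return guideline violations found across all files (an empty list means clean)."""
    problems, first_seen, total = [], {}, 0
    for fname, text in files.items():
        if sanitize_filename(fname) != fname:
            problems.append(f"{fname}: will be stored as {sanitize_filename(fname)}")
        headers = list(RULE_HEADER.finditer(text))
        for i, m in enumerate(headers):
            name, total = m.group(1), total + 1
            end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
            # weight= must sit in meta, i.e. before the strings:/condition: sections
            meta = re.split(r"\b(?:strings|condition)\s*:", text[m.end():end], maxsplit=1)[0]
            if name.startswith("FE_"):
                problems.append(f"{fname}: rule {name} uses the reserved FE_ prefix")
            if name in first_seen:
                problems.append(f"{fname}: rule {name} duplicates a name in {first_seen[name]}")
            first_seen.setdefault(name, fname)
            if not WEIGHT_META.search(meta):
                problems.append(f"{fname}: rule {name} has no weight= meta and will never trigger")
    if total > max_rules:
        problems.append(f"{total} rules uploaded, limit is {max_rules}")
    return problems

if __name__ == "__main__":
    for problem in lint_rule_files(SAMPLE_FILES):
        print(problem)
```

Run the file against a directory of your own .yar files by building the dict from their contents; the linter does not replace compiling the rules with the supported YARA version.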
YARA Rule Format
YARA rules typically contain the following sections, although variations are allowed:
- Strings definition: This section is optional and can be omitted if the rule does not rely on any string.
- Condition: This section is always required.
Each string has an identifier consisting of a '$' character followed by one or more alphanumeric characters and underscores. These identifiers can be used in the condition section to refer to the corresponding string. Strings can be defined in text or hexadecimal form.
Example 1
The following example shows a rule called SilentBanker. The rule instructs YARA that files containing the string "win.exe" and either of the two URLs belong to the SilentBanker family and are reported as SilentBanker. If two of these URLs are detected, the cumulative weight of 100 will be reached and a YARA alert will be triggered.
rule SilentBanker
{
    meta:
        Author = "Author Name"
        Description = "yara triggering on win.exe plus a known download URL"
        weight = 50
    strings:
        $a = "win.exe"
        $b = "http://foo.com/badfile1.exe"
        $c = "http://bar.com/badfile2.exe"
    condition:
        $a and ($b or $c)
}
Example 2
The following example shows a rule called block_all_1mb_plus_files. The rule instructs YARA that files larger than 1000 KB should trigger a YARA alert.
rule block_all_1mb_plus_files
{
    meta:
        Author = "Author Name"
        Description = "yara triggering on 1MB size"
        weight = 100
    // there are no strings in this example, so the optional strings section is omitted
    // (an empty strings section would not compile)
    condition:
        // use the "filesize" keyword
        filesize > 1000KB
}