YARA
  • 13 Feb 2023

The YARA service is designed to help you with all aspects of YARA scanning. It takes what is normally a manual piecewise process, provides a framework and automates it. Once configured, YARA scans can be run on demand for a particular endpoint or continuously in the background across your entire fleet.

YARA configurations are synchronized with sensors every few minutes.

There are three main sections to the YARA job:

  • Sources
  • Rules
  • Scan

Where Does My YARA Scan?

Automated YARA scanners in LimaCharlie run on all files loaded in memory (e.g. .exe, .dll) and on the memory itself.

Files on disk can be scanned using a sensor command. You can trigger a Manual Scan that runs on demand by:

  • Clicking the Run YARA scan button on the sensor details page
  • Clicking the Manual Scan button in the YARA Scanners section
  • Using the console
  • Adding it to the Response section of a D&R rule
  • Using the LimaCharlie API

Sources

This is where you define the source for your particular YARA rule(s). A source URL can be either a direct link to a given YARA rule or an Authentication Resource Locator (ARL).

Option 1: Publicly available YARA rules

An example of setting up a source using this repo: Yara-Rules

For the Email and General Phishing Exploit rules we would link the following URL, which is simply a folder of .yar files.

https://github.com/Yara-Rules/rules/tree/master/email

Giving the source a name and clicking the Add Source button will create the new source.

Option 2: Private YARA Repository

To use a YARA rule from a private GitHub repository you will need to make use of an Authentication Resource Locator (ARL).

Step 1: Create a token in GitHub
In GitHub go to Settings and click Developer settings in the left hand side bar.

Next click Personal access tokens followed by Generate new token. Select the repo permissions and finally click Generate token.

Step 2: Connect LimaCharlie to your GitHub Repository
Inside of LimaCharlie, click on YARA Scanners in the left hand menu. Then click Add YARA Source.

Give your rule collection a name, then enter an ARL in the following format, using the token you generated and the org/repo of your repository.

[github,my-org/my-repo-name,token,bfuihferhf8erh7ubhfey7g3y4bfurbfhrb]


Rules

Rules define which sets of sensors should be scanned with which sets of YARA signatures (or sources).

Filter tags are tags that must ALL be present on a sensor for it to match (AND condition), while the platform of the sensor must match one of the platforms in the filter (OR condition).

Scan

To apply YARA Sources and scan an endpoint, select the hostname and then add the YARA Sources you would like to run as a comma-separated list.

REST

As with all LimaCharlie capabilities, YARA scanning can be fully automated via the REST API. The following lists each objective and its associated request body:

List Sources

{
  "action": "list_sources"
}

List Rules

{
  "action": "list_rules"
}

Add Rule

{
  "action": "add_rule",
  "name": "example-rule",
  "sources": [
    "my-source-1",
    "my-source-2",
    "my-source-3"
  ],
  "tags": [
    "vip",
    "workstation"
  ],
  "platforms": [
    "windows",
    "mac"
  ]
}

Add Source

{
  "action": "add_source",
  "name": "example-rule",
  "sources": [
    "my-source-1",
    "my-source-2",
    "my-source-3"
  ],
  "tags": [
    "vip",
    "workstation"
  ],
  "platforms": [
    "windows",
    "mac"
  ]
}

Remove Rule

{
  "action": "remove_rule",
  "name": "example-rule"
}

Remove Source

{
  "action": "remove_source",
  "name": "my-source-1"
}

Scan

{
  "action": "scan",
  "sid": "70b69f23-b889-4f14-a2b5-633f777b0079",
  "sources": [
    "my-source-1",
    "my-source-2"
  ]
}
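As an added example (not LimaCharlie's own code), the following Python applies the filter semantics from the Rules section, all filter tags present on the sensor (AND) and the sensor platform in the rule's platform list (OR), and fans a matching rule out into the per-sensor scan payloads shown above. The Sensor class, the sample fleet and the treatment of an empty platform list as "any platform" are assumptions of this example.

```python
import json
from dataclasses import dataclass

@dataclass
class Sensor:
    """Minimal stand-in for a sensor record (assumed shape, not the LimaCharlie schema)."""
    sid: str
    platform: str
    tags: set

def rule_matches_sensor(rule: dict, sensor: Sensor) -> bool:
    """Filter semantics from the Rules section: every filter tag must be present
    on the sensor (AND), and the sensor platform must be one of the rule's
    platforms (OR). Treating an empty platform list as 'any platform' is an
    assumption of this example."""
    tags_ok = set(rule.get("tags", [])).issubset(sensor.tags)
    platforms = rule.get("platforms", [])
    platform_ok = not platforms or sensor.platform in platforms
    return tags_ok and platform_ok

def build_scan_requests(rule: dict, fleet: list) -> list:
    """Fan a rule out into one 'scan' payload (as in the REST section) per
    matching sensor, carrying the rule's sources."""
    return [
        {"action": "scan", "sid": s.sid, "sources": list(rule["sources"])}
        for s in fleet
        if rule_matches_sensor(rule, s)
    ]

# The add_rule payload from the REST section above.
RULE = {
    "action": "add_rule",
    "name": "example-rule",
    "sources": ["my-source-1", "my-source-2"],
    "tags": ["vip", "workstation"],
    "platforms": ["windows", "mac"],
}

# Constructed sample fleet; sensor ids, platforms and tags are made up.
FLEET = [
    Sensor("sensor-win-01", "windows", {"vip", "workstation"}),      # matches
    Sensor("sensor-win-02", "windows", {"vip"}),                     # lacks 'workstation'
    Sensor("sensor-mac-01", "mac", {"vip", "workstation", "exec"}),  # matches
    Sensor("sensor-lnx-01", "linux", {"vip", "workstation"}),        # platform not in rule
]

if __name__ == "__main__":
    print(json.dumps(build_scan_requests(RULE, FLEET), indent=2))
```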
