    YARA Manager
    • 05 May 2025


    The YARA Manager extension allows you to reference external YARA rules (rules maintained in GitHub, for example) to use in your YARA scans within LimaCharlie.

    YARA rule sources defined in the YARA manager configuration will be synced every 24 hours, and can be manually synced by clicking the Manual Sync button on the extension page.

    If you add rule sources and want them to become available immediately, you will need to click the Manual Sync button to trigger the initial sync of the rules.

    Rule sources can be either direct links (URLs) to a given YARA rule or Authentication Resource Locators (ARLs).

    Option 1: Predefined YARA rules

    LimaCharlie provides a list of YARA rule repositories. To leverage these rules, select “Predefined” and a list of LimaCharlie and Community rules will populate. These rules will then appear in your YARA rules under Automation → YARA Rules.

    Option 2: Publicly available YARA rules

    An example of setting up a rule using this repo: Yara-Rules

    For an Email and General Phishing Exploit rule we could use the following URL, which is a link to a single YARA rule.

    https://raw.githubusercontent.com/Yara-Rules/rules/master/email/Email_generic_phishing.yar

    For creating a rule out of multiple YARA rules, we could use the following ARL, which is a link to a directory of YARA rules.

    [github,Yara-Rules/rules/email]

    Giving the rule configuration a name, the URL or ARL, and clicking the Save button will create the new rule source to sync to your YARA rules.

    Option 3: Private YARA Repository

    To use a YARA rule from a private GitHub repository, you will need to make use of an Authentication Resource Locator.

    Step 1: Create a token in GitHub
    In GitHub, go to Settings and click Developer settings in the left-hand sidebar.

    Next click Personal access token followed by Generate new token. Select repo permissions and finally Generate token.

    Step 2: Connect LimaCharlie to your GitHub Repository
    Inside of LimaCharlie, click on Yara Manager in the left-hand menu. Then click Add New Yara Configuration.

    Give your rule a name and then use the token you generated with the following format linked to your repo.

    [github,my-org/my-repo-name/path/to/rule.yar,token,bfuihferhf8erh7ubhfey7g3y4bfurbfhrb]

    or

    [github,my-org/my-repo-name/path/to/rules_directory,token,bfuihferhf8erh7ubhfey7g3y4bfurbfhrb]
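
Because the private-repository ARL carries the GitHub token inline, the following added example (not LimaCharlie's code) classifies a rule source as a direct URL or an ARL in the two bracketed shapes shown on this page, and masks the token before the value is logged or pasted into a ticket. The function names, the https-only policy for direct links and the sample token are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# The two ARL shapes shown on this page:
#   [github,<org>/<repo>/<path>]
#   [github,<org>/<repo>/<path>,token,<personal access token>]
ARL_RE = re.compile(
    r"^\[([^,\[\]]+),([^,\[\]]+)(?:,([^,\[\]]+),([^,\[\]]+))?\]$")


def parse_source(source):
    """Classify a rule source as a direct URL or an ARL and split its fields."""
    source = source.strip()
    m = ARL_RE.match(source)
    if m:
        method, dest, auth_type, secret = m.groups()
        parts = dest.split("/")
        if method == "github" and (len(parts) < 2 or "" in parts):
            raise ValueError("github ARL needs at least org/repo")
        return {"kind": "arl", "method": method, "dest": dest,
                "auth_type": auth_type, "secret": secret}
    url = urlparse(source)
    # https-only is this example's own policy, not a documented requirement.
    if url.scheme == "https" and url.netloc:
        return {"kind": "url", "dest": source,
                "auth_type": None, "secret": None}
    raise ValueError("not an https URL or a bracketed ARL")


def redact(source):
    """Return the source with any embedded credential masked, safe for logs."""
    info = parse_source(source)
    if info["kind"] == "arl" and info["secret"]:
        return "[{method},{dest},{auth_type},<redacted>]".format(**info)
    return source.strip()


def audit(sources):
    """Return (safe_to_log_text, carries_secret) for each configured source."""
    return [(redact(s), parse_source(s)["secret"] is not None)
            for s in sources]


if __name__ == "__main__":
    # Constructed sample configuration; the token value is a placeholder.
    samples = ["[github,Yara-Rules/rules/email]",
               "[github,my-org/my-repo-name/path/to/rule.yar,token,PLACEHOLDER]"]
    for text, has_secret in audit(samples):
        print(("SECRET  " if has_secret else "public  ") + text)
```
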

