YARA
  • 12 Mar 2024


The YARA extension is designed to help you with all aspects of YARA scanning. It takes what is normally a manual piecewise process, provides a framework and automates it. Once configured, YARA scans can be run on demand for a particular endpoint or continuously in the background across your entire fleet.

YARA configurations are synchronized with sensors every few minutes.

There are three main sections to the YARA job:

  • Sources
  • Rules
  • Scan

Where Does My YARA Scan?

Automated YARA scanners in LimaCharlie run on all files loaded in memory (e.g. exe, dll, etc.), and on the memory itself.

Files on disk can be scanned using a sensor command. You can trigger a Manual Scan that's run on-demand by:

  • Clicking the Run YARA scan button on the sensor details page
  • Clicking the Scan button on the YARA Scanners page
  • Using the console
  • Within the Response section of a D&R rule (sample below)
  • Using the LimaCharlie API

Rules

This is where you define your YARA rule(s). You can copy and paste your YARA rules into the Rule box, or you can define sources via the ext-yara-manager. Sources can be either direct links (URLs) to a given YARA rule (or directory of rules) or ARLs to a YARA rule.


Scanners

Scanners define which sets of sensors should be scanned with which sets of YARA rules.

Filter tags are tags that must ALL be present on a sensor for it to match (AND condition), while the platform of the sensor must match one of the platforms in the filter (OR condition).

To apply YARA rules to scan an endpoint (or set of endpoints), you must select the platform or tags, and then add the YARA rules you would like to run.

Using YARA in D&R Rules

If you want to trigger a YARA scan as a response to one of your detections, you can configure an extension request in the respond block of a rule.
A YARA scan request can be executed with a blank selector OR a sensor ID; however, one of them must be specified.

- action: extension request
  extension action: scan
  extension name: ext-yara
  extension request:
    sources: [ ] # Specify YARA rule sources as strings
    selector: ''
    sid: '{{ .routing.sid }}' # Use a sensor selector OR a sid, not both
    yara_scan_ttl: 86400 # Default: 1 day (86,400 seconds)
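As an added example (not LimaCharlie's own code), the following Python models the two matching rules described on this page: the scanner filter semantics (tags ANDed, platforms ORed) and the selector-or-sid constraint on an ext-yara scan request built from a D&R respond block. The sensor, scanner and routing dictionaries are constructed sample data, and an empty platform filter is assumed to mean "no platform restriction".

```python
# Added example, not part of the LimaCharlie documentation or code base.
# Models the page's scanner filter semantics and the ext-yara request constraints.

DEFAULT_TTL = 86400  # 1 day, the default yara_scan_ttl quoted on the page


def scanner_matches(sensor: dict, scanner: dict) -> bool:
    """True if a scanner's filter selects this sensor.

    Filter tags are an AND condition: every filter tag must be on the sensor.
    Platforms are an OR condition: the sensor platform must be one of them.
    Assumption: an empty platform list means no platform restriction.
    """
    required_tags = set(scanner.get("tags", []))
    platforms = scanner.get("platforms", [])
    tags_ok = required_tags <= set(sensor.get("tags", []))
    platform_ok = not platforms or sensor.get("platform") in platforms
    return tags_ok and platform_ok


def validate_scan_request(request: dict) -> list:
    """Return problems with an ext-yara 'scan' extension request (empty list = OK)."""
    problems = []
    sources = request.get("sources")
    if not isinstance(sources, list) or not all(isinstance(s, str) for s in sources):
        problems.append("sources must be a list of strings")
    selector = (request.get("selector") or "").strip()
    sid = (request.get("sid") or "").strip()
    if selector and sid:
        problems.append("use a selector OR a sid, not both")
    if not selector and not sid:
        problems.append("either selector or sid must be specified")
    ttl = request.get("yara_scan_ttl", DEFAULT_TTL)
    if not isinstance(ttl, int) or ttl <= 0:
        problems.append("yara_scan_ttl must be a positive number of seconds")
    return problems


def build_scan_request(routing: dict, sources: list, ttl: int = DEFAULT_TTL) -> dict:
    """Build the request a respond block emits, filling sid from the detection's
    routing the way the '{{ .routing.sid }}' template does.
    Assumed routing shape (constructed for this example): {"sid": "<sensor id>"}.
    """
    return {"sources": list(sources), "selector": "", "sid": routing["sid"], "yara_scan_ttl": ttl}


if __name__ == "__main__":
    req = build_scan_request({"sid": "1111-2222"}, ["my-rules"])
    print(req, validate_scan_request(req))  # [] means the request is well formed
```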

Migrating D&R Rule from legacy Service to new Extension

LimaCharlie is migrating away from Services to a new capability called Extensions. Support of legacy services will end on June 30, 2024.

The Python CLI gives you a direct way to assess whether any rules reference the legacy YARA service, preview the change, and execute the conversion required in the rule's response block.

Command line to preview YARA rule conversion:

limacharlie extension convert_rules --name ext-yara

A dry run (the default) displays the name of each rule being changed, the JSON of the existing service request and the JSON of the incoming extension request that replaces it.

To execute the change in the rule, replace the default --dry-run flag with --no-dry-run.

Command line to execute YARA rule conversion:

limacharlie extension convert_rules --name ext-yara --no-dry-run
