YARA Manager
  • 27 Aug 2024

This documentation version is deprecated; a newer version of this page exists.

The YARA Manager extension allows you to reference external YARA rules (for example, rules maintained in a GitHub repository) and use them in your YARA scans within LimaCharlie.

Rule sources defined in the YARA Manager configuration are synced every 24 hours, and can also be synced on demand by clicking the Manual Sync button on the extension page.

A newly added rule source is not pulled until the next scheduled sync, so if you want its rules to become available immediately, click Manual Sync to trigger the initial sync.

Rule sources can be either direct links (URLs) to a single YARA rule file or Authentication Resource Locators (ARLs). Every rule pulled from a source you reference runs in your scans exactly as if you had written it, so only reference repositories you control or trust, and prefer pinning a specific path over a whole repository you do not review.

Option 1: Publicly available YARA rules

An example of setting up a rule source using the public Yara-Rules/rules repository on GitHub:

For the generic email phishing rule, use the following URL, which points to a single YARA rule file:

https://raw.githubusercontent.com/Yara-Rules/rules/master/email/Email_generic_phishing.yar

To create a rule source from several YARA rules at once, use the following ARL instead, which points to a directory of YARA rule files in that repository:

[github,Yara-Rules/rules/email]

Give the rule configuration a name, enter the URL or ARL, and click Save. The new rule source is then synced into your YARA rules on the next scheduled or manual sync.

Option 2: Private YARA Repository

To use YARA rules from a private GitHub repository you will need an Authentication Resource Locator (ARL), which carries the credential alongside the repository path.

Step 1: Create a token in GitHub
In GitHub, go to Settings and click Developer settings in the left-hand sidebar.

Next, click Personal access tokens, then Generate new token. Select the repo permission and click Generate token. Grant the token only what the sync needs: read access to the repository that holds your rules (with a fine-grained token, restrict it to that one repository with read-only Contents access). The token is stored inside the YARA Manager configuration, so treat that configuration as a secret and rotate the token if it is ever exposed.

Step 2: Connect LimaCharlie to your GitHub repository
In LimaCharlie, click YARA Manager in the left-hand menu, then click Add New YARA Configuration.

Give the rule source a name and enter an ARL in one of the following formats, using the token you generated and the path to your rule file or rule directory within the repository:

[github,my-org/my-repo-name/path/to/rule.yar,token,bfuihferhf8erh7ubhfey7g3y4bfurbfhrb]

or

[github,my-org/my-repo-name/path/to/rules_directory,token,bfuihferhf8erh7ubhfey7g3y4bfurbfhrb]
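The small helper below is an added example and not LimaCharlie's own code. It assumes only the two ARL shapes shown above (`[github,<org>/<repo>/<path>]` for a public source and `[github,<org>/<repo>/<path>,token,<PAT>]` for a private one) and, for the raw-URL equivalent of a single-file source, that the repository's default branch is named as in the Yara-Rules example (`master`). It builds an ARL from its parts, rejects characters that would corrupt the comma-separated format, parses an ARL back out of a saved configuration, and produces a redacted form that can be pasted into tickets or diffs without leaking the token.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not LimaCharlie code. Assumes the ARL layouts shown on this page:
#   [github,<org>/<repo>/<path>]               public source
#   [github,<org>/<repo>/<path>,token,<PAT>]    private source

# Conservative allow-list for a GitHub PAT (assumption): the separators used by the
# ARL format (',', '[', ']') and whitespace must never appear inside the secret.
_TOKEN_OK = re.compile(r"^[A-Za-z0-9_]+$")


@dataclass(frozen=True)
class GithubArl:
    org: str
    repo: str
    path: str                    # a single .yar file or a directory of rules
    token: Optional[str] = None  # personal access token, only for private repos

    def render(self) -> str:
        """Produce the ARL string exactly as it is pasted into the YARA Manager."""
        body = f"github,{self.org}/{self.repo}/{self.path}"
        if self.token:
            body += f",token,{self.token}"
        return f"[{body}]"

    def redacted(self) -> str:
        """Same ARL with the secret masked; safe for logs, tickets and diffs."""
        if not self.token:
            return self.render()
        # Keep a short prefix (e.g. "ghp_") so the token type stays recognisable.
        masked = self.token[:4] + "<redacted>"
        return self.render().replace(self.token, masked)

    def raw_url(self, branch: str = "master") -> str:
        """Public raw-file URL equivalent of a single-file source (branch name is an assumption)."""
        if not self.path.endswith((".yar", ".yara")):
            raise ValueError("raw URLs address one rule file; use the ARL form for directories")
        return f"https://raw.githubusercontent.com/{self.org}/{self.repo}/{branch}/{self.path}"


def build_github_arl(org: str, repo: str, path: str, token: Optional[str] = None) -> GithubArl:
    """Validate the parts and assemble an ARL; rejects anything that would break the format."""
    for name, value in (("org", org), ("repo", repo), ("path", path)):
        if not value or any(c in value for c in ",[] \t\r\n"):
            raise ValueError(f"{name!r} must be non-empty and free of ',', '[', ']' and whitespace")
    if token is not None and not _TOKEN_OK.match(token):
        raise ValueError("token contains characters that would corrupt the ARL")
    return GithubArl(org, repo, path.strip("/"), token)


def parse_github_arl(arl: str) -> GithubArl:
    """Parse an ARL copied from a saved configuration, rejecting malformed ones."""
    if not (arl.startswith("[") and arl.endswith("]")):
        raise ValueError("ARL must be wrapped in [ ]")
    fields = arl[1:-1].split(",")
    if fields[0] != "github":
        raise ValueError(f"unsupported ARL method {fields[0]!r}")
    if len(fields) == 2:
        token = None
    elif len(fields) == 4 and fields[2] == "token":
        token = fields[3]
    else:
        raise ValueError("expected [github,<org>/<repo>/<path>] or [github,<org>/<repo>/<path>,token,<PAT>]")
    parts = fields[1].split("/", 2)
    if len(parts) != 3:
        raise ValueError("repository reference must be <org>/<repo>/<path>")
    org, repo, path = parts
    return build_github_arl(org, repo, path, token)


if __name__ == "__main__":
    # The private-repo ARL from this page, with its placeholder token (constructed input).
    arl = parse_github_arl(
        "[github,my-org/my-repo-name/path/to/rule.yar,token,bfuihferhf8erh7ubhfey7g3y4bfurbfhrb]"
    )
    print(arl.redacted())
    print(arl.raw_url())
    print(build_github_arl("Yara-Rules", "rules", "email").render())
```

Run the parser over the ARLs you are about to save and log only `redacted()`; the `ValueError` paths catch the two mistakes that otherwise surface only as a silent failed sync: a token pasted with a trailing newline or comma, and a source written with fewer or more fields than the format allows.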
