• 20 May 2023
  • 1 Minute to read
  • Contributors
  • Dark


  • Dark

Article summary


A yara record in hive has a very basic format:

    "rule": "data"

The data portion of the records in this hive must have a single key called rule who's value will be the yara rule content used by various LimaCharlie components.

A single rule record can contain a series of actual Yara rule, like this: https://github.com/Yara-Rules/rules/blob/master/malware/APT_APT1.yar
## Permissions
The yara hive requires the following permissions for the various operations:

  • yara.get
  • yara.set
  • yara.del
  • yara.get.mtd
  • yara.set.mtd


Yara rules can be create in the yara Hive. Those rules will then be available, either through the ext-yara Extension, or directly using the yara_scan command directly using the reference hive://yara/your-rule-name.


Let's create a new Yara rule using the LimaCharlie CLI in a terminal.
Assuming you have a Yara rule in the rule.yara file.

Load the rule in the LimaCharlie Hive via the CLI:

$ limacharlie hive set yara --key my-rule --data rule.yara --data-key rule

You should get a confirmation that the rule was created, including metadata of the rule associated OID:

  "guid": "d88826b7-d583-4bcc-b7d3-4f450a12e1be",
  "hive": {
    "name": "yara",
    "partition": "8cbe27f4-aaaa-bbbb-cccc-138cd51389cd"
  "name": "my-rule"

Next, assuming you want to issue a scan command directly to a sensor (via the Console or a D&R rule):

yara_scan hive://yara/my-rule

Was this article helpful?

What's Next