Category Archives: YARA

Yara python module – part 003 .

You can test your yara rules by using first the yara command tool from windows or linux.
The last version come with source code :

For example this rule show us how to find files by size:

This rule find files by specify the size conditions MB, KB and return the result.
Then can be tested with yara command tool:

This show us the rule is working well and can be used also with yara python module.

Posted in All, Commands, Python, YARA. Tagged with , , , , , .

Yara python module – part 002 .

Before we start, I have to tell you that it is the continuation of an older tutorial you find here.
As you know the YARA is tool aimed at helping malware researchers to identify and classify malware samples.
The YARA tool help you to create descriptions of malware families based on textual or binary patterns.
This patterns – rules come with description consists of a set of strings and a boolean expression which determine its logic.
The YARA tool can be found on the official website.
First you need to install the python version
I used the version.
You need to use Python 3.5.0 version from here.
Let’s test the yara python module:

You can see the yara python module works well.
Let’s make a rule and test with a PDF file. This rule will tell us if the PDF come with links.
The rule is one file named detectpdflinks into this path:
The source code of this rule is:

Now will make the python script to use this yara rule with one pdf file:

You can see the uri on the variable named $the_uri.

Posted in All, Programming, Python, YARA. Tagged with , , , , , .

Yara python module – part 001 .

YARA is a multi-platform program running on Windows, Linux and Mac OS X.
More about yara python module can be see it here
YARA used this keywords with rules under files.

The Yara documentation can be found in this link.
The yara python module use version 1.7.7 and this will need to use when make rules.
Instalation with pip :

Let’s see this in action.
First you need to make your user under your_user account.
I make one folder named yara to keep the my rules, see:

and I test this file named doc_data.txt, from here:

The file has this text :

and the rule file detectstring has this rule:

You can use python shell with this source code:

The above rule is telling YARA that the file containing the string must be reported.
The print will show the rule compiled and the result.
yara python

Posted in All, Programming, Python, YARA. Tagged with , , , , , .