YARA

YARA is a computer language that allows a security expert to conveniently specify a rule that will then be used to classify all samples matching the rule. A minimal rule consists of a name and a condition, for example, the following:

 rule my_rule_name { condition: false }

This rule will not match any file. Conversely, the following rule will match every sample:

 Rule my_rule_name { condition: true }

A more useful example will match any file over 100 KB:

 Rule over_100kb { condition: filesize > 100KB }

Another example is checking whether a particular file is a PDF. To do so, we check if the magic numbers of the file correspond to the PDF. Magic numbers are a sequence of several bytes that occurs at the beginning of a file and indicates the type of file it is. In the case of a PDF, the sequence is 25 50 44 46:

 rule is_a_pdf {
  
 strings:
   $pdf_magic = {25 50 44 46}
  
 condition:
   $pdf_magic at 0
 }

Now, let's see how to run our rules against files.