November 2019
Intermediate to advanced
346 pages
9h 36m
English
YARA is a computer language that allows a security expert to conveniently specify a rule that will then be used to classify all samples matching the rule. A minimal rule consists of a name and a condition, for example, the following:
rule my_rule_name { condition: false }
This rule will not match any file. Conversely, the following rule will match every sample:
rule my_rule_name { condition: true }
A more useful example will match any file over 100 KB:
rule over_100kb { condition: filesize > 100KB }
Another example is checking whether a particular file is a PDF. To do so, we check whether the magic numbers of the file correspond to the PDF format. Magic numbers are a sequence of several bytes that occurs at the beginning of a file and indicates ...
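The PDF check described above, written out as an added example (not taken from the book): the first rule tests the four magic bytes "%PDF" at offset 0, and the second reuses it together with the filesize condition from the earlier example.

```yara
// Added example, not from the book: identify a PDF by its magic number,
// then build a second rule on top of the first.
rule is_pdf
{
    meta:
        description = "File starts with the PDF magic number %PDF"
    condition:
        // Bytes 0x25 0x50 0x44 0x46 ("%PDF") read as one big-endian
        // 32-bit integer at file offset 0.
        uint32be(0) == 0x25504446
}

rule pdf_over_100kb
{
    meta:
        description = "PDF file larger than 100 KB"
    condition:
        // A rule may reference another rule by name in its condition.
        is_pdf and filesize > 100KB
}
```

A file whose first four bytes are not "%PDF" fails is_pdf regardless of its size, so pdf_over_100kb never matches a non-PDF.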