Configuring Yara Rules
To use custom YARA rules, modify the example rules file or create your own. The example file is located at src/cbc_binary_toolkit_examples/engine/yara_local/example_rule.yara.
Rules should be listed consecutively, and each rule needs a meta section with a sev property between 1 and 10.
rule MyFirstRule
{
    meta:
        sev = 7
    strings:
        $string1 = "malware"
        $string2 = "bad_app"
        $string3 = "malicious"
    condition:
        any of them
}

rule MySecondRule
{
    meta:
        sev = 3
    strings:
        $string1 = "rm -rf /"
        $string2 = "malicious"
        $string3 = { 48 45 4C 4C 4F 0A }
    condition:
        all of them
}
See Writing YARA Rules for more information.
You can use your own file instead of the example file. If your file is located in the same directory as yara_engine.py, put __file__/ in front of the name of your file in the engine section of your configuration file.
engine:
  name: Yara
  feed_id: Seql2oSTkO8rZrTbBkxnQ
  type: local
  _provider: cbc_binary_toolkit_examples.engine.yara_local.yara_engine.YaraFactory
  rules_file: __file__/my_new_rule_file.yara
Otherwise, if your rules file is not located in the same directory as yara_engine.py, put the full path to the file in your configuration file.
engine:
  name: Yara
  feed_id: Seql2oSTkO8rZrTbBkxnQ
  type: local
  _provider: cbc_binary_toolkit_examples.engine.yara_local.yara_engine.YaraFactory
  rules_file: /Users/Developer/rules_file.yara
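As an added illustration (not the toolkit's own code), the following Python checks that every rule in a rules file carries a meta sev in the range 1 to 10 before the file is handed to the engine, and shows how a rules_file value starting with __file__/ resolves against the directory that holds yara_engine.py. The sample rules are constructed, the engine directory is a placeholder, and the prefix resolution mirrors the page's description rather than the engine's actual code.

```python
import re
from pathlib import PurePosixPath

# Constructed sample rules file (not the toolkit's example_rule.yara): the first
# rule is valid, the second has sev outside 1..10, the third has no meta at all.
SAMPLE_RULES = """rule GoodRule {
    meta: sev = 7
    strings: $a = "malware"
    condition: any of them
}
rule SevTooHigh {
    meta: sev = 12
    strings: $a = "bad_app"
    condition: all of them
}
rule NoMeta {
    strings: $a = { 48 45 4C 4C 4F 0A }
    condition: $a
}
"""

# A rule block runs from "rule Name" to the first "}" at column 0.
RULE_RE = re.compile(r"rule\s+(\w+)\s*(?::[^{]*)?\{(.*?)^\}", re.S | re.M)
# The meta section ends where the strings: or condition: section begins.
META_RE = re.compile(r"meta:\s*(.*?)(?:strings:|condition:)", re.S)

def check_sev(rules_text):
    """Return {rule_name: problem} for rules whose meta sev is missing or not 1..10."""
    problems = {}
    for name, body in RULE_RE.findall(rules_text):
        meta = META_RE.search(body)
        sev = re.search(r"\bsev\s*=\s*(-?\d+)", meta.group(1)) if meta else None
        if sev is None:
            problems[name] = "missing meta sev"
        elif not 1 <= int(sev.group(1)) <= 10:
            problems[name] = f"sev {sev.group(1)} outside 1..10"
    return problems

def resolve_rules_file(rules_file, engine_dir):
    """Expand the __file__/ prefix to the directory holding yara_engine.py.
    Assumed semantics, taken from the page's description, not the engine's code."""
    prefix = "__file__/"
    if rules_file.startswith(prefix):
        return str(PurePosixPath(engine_dir) / rules_file[len(prefix):])
    return rules_file
```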
Copyright © 2020 VMware Inc., All Rights Reserved.
Information here is current as of Carbon Black Cloud Binary Toolkit 1.0.0