Example: yara-rules

Inputs
Profile
Report outputs
- Triage report (converted from triage_report.json)
- CSV outputs

Inputs

examples/inputs/yara-rules-samples/suspicious_script.sh

Profile

# YARA Rules Example Profile
# Demonstrates YARA-X rule integration for malware detection

decode = ["base64"]

max-file-size = 52428800  # 50 MiB

tag = "yara-rules"

# Point to YARA rules directory
yara-x-rules = ["examples/inputs/yara-rules"]

# Additional string patterns to complement YARA
[[patterns]]
  name = "Suspicious String - cmd.exe"
  pattern = "cmd.exe"
  type = "string"
  case-insensitive = true

[[patterns]]
  name = "Suspicious String - powershell.exe"
  pattern = "powershell.exe"
  type = "string"
  case-insensitive = true

Report outputs

Triage report (converted from triage_report.json)

total_files	1
critical_count	0
high_count	0
medium_count	1
low_count	0
minimal_count	0
must_investigate_count	0
all_scores	None
generated_at	2025-12-03T09:19:44.085498440+00:00

top_scores

characteristics_score	file_type	file_type_score	must_investigate	path	pattern_count_score	pattern_matches	pattern_severity_score	reasons	risk_level	score	sha256
0	Script	20	False	/suspicious_script.sh	20	33	17	["33 suspicious patterns detected"]	Medium	57	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a

CSV outputs

errors.csv

Empty CSV

files.csv

path	file_name	sha256	file_created	file_modified	file_accessed	mime_types_from_file_extension	is_symbolic_link	is_extracted_file	is_decoded_file	is_deobfuscated_file	tag
/suspicious_script.sh	suspicious_script.sh	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	2025-12-03T08:56:20.497889219Z	2025-12-03T08:56:20.497889219Z	2025-12-03T08:56:20.497889219Z	["text/x-shellscript"]	0	0	0	0

pattern_matches.csv

id	sha256	pattern_name	match_type	match	location	length
1	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$cmd1	yara-text	cmd.exe	78	7
2	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$cmd1	yara-text	cmd.exe	553	7
3	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$cmd2	yara-text	powershell	96	10
4	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$cmd2	yara-text	powershell	527	10
5	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$cmd3	yara-text	/bin/bash	2	9
6	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$cmd3	yara-text	/bin/bash	154	9
7	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$cmd3	yara-text	/bin/bash	578	9
8	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$cmd4	yara-text	/bin/sh	172	7
9	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$net1	yara-text	wget	214	5
10	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$net2	yara-text	curl	246	5
11	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$net3	yara-text	Invoke-WebRequest	281	17
12	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$exec1	yara-text	Runtime.getRuntime().exec	366	25
13	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$exec2	yara-text	os.system(	400	10
14	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Suspicious_Strings:$exec3	yara-text	subprocess.call	420	15
15	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Base64_Encoded_Commands:$b64_powershell	yara-text	cG93ZXJzaGVsbA	511	14
16	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Base64_Encoded_Commands:$b64_powershell	yara-text	cG93ZXJzaGVsbA	595	14
17	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Base64_Encoded_Commands:$b64_cmd	yara-text	Y21kLmV4ZQ	541	10
18	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Base64_Encoded_Commands:$b64_cmd	yara-text	Y21kLmV4ZQ	619	10
19	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Base64_Encoded_Commands:$b64_bash	yara-text	L2Jpbi9iYXNo	564	12
20	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Base64_Encoded_Commands:$b64_bash	yara-text	L2Jpbi9iYXNo	639	12
21	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Webshell_Indicators:$php1	yara-text	eval($_	674	7
22	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Webshell_Indicators:$php3	yara-text	system($_	694	9
23	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Webshell_Indicators:$php4	yara-text	shell_exec($_	715	13
24	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Webshell_Indicators:$jsp1	yara-text	Runtime.getRuntime()	366	20
25	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Webshell_Indicators:$jsp1	yara-text	Runtime.getRuntime()	745	20
26	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Webshell_Indicators:$jsp2	yara-text	getParameter	767	12
27	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Crypto_Indicators:$btc	yara-regex	1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2	871	34
28	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Crypto_Indicators:$ransom1	yara-text	Your files have been encrypted	918	30
29	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Crypto_Indicators:$ransom2	yara-text	bitcoin	829	7
30	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Crypto_Indicators:$ransom2	yara-text	bitcoin	955	7
31	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	default:Crypto_Indicators:$ransom3	yara-text	.onion	1002	6
32	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	Suspicious String - cmd.exe	string	cmd.exe	4:1	7
33	22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	Suspicious String - cmd.exe	string	cmd.exe	22:15	7

signature_matches.csv

Empty CSV

unique_files.csv

sha256	sha1	md5	file_size	mime_type_for_content	shannon_entropy
22f34b029656bf34edd14b2066a18e9a8e6b55702bc9584e68ba3f51eba3367a	fcf773783b2da616fde022c9b80c182e21f4e5e9	5fd08f61a5bece9ef172aa3f6e97c8fd	1018	text/x-shellscript	5.37685282015745

Keyboard shortcuts

sus - Systematic Universal Scanner - Documentation