YARA Rules Integration Guide

• Overview
• Adding YARA Rules to Profiles
• Recommended YARA Rule Sources
  • 1. Elastic Endpoint Security YARA Rules
  • 2. YARA-Rules Project
  • 3. Signature-Base by Florian Roth
  • 4. Awesome YARA
• Example: Enhanced Malware Profile with YARA
• Creating Custom YARA Rules
• YARA Rule Best Practices
• YARA Match Output
• Example Workflow
  • 1. Set Up YARA Rules
  • 2. Create Enhanced Profile
  • 3. Run Analysis
  • 4. Review Results
• Performance Considerations
• Troubleshooting
  • YARA Compilation Errors
  • No Matches Found
  • Performance Issues
• Future Enhancements
• Additional Resources
• License Considerations
• Contributing YARA Rules

This document describes how to integrate YARA rules with sus profiles for enhanced malware detection.

Overview

sus supports YARA-X rules through the yara-x-rules configuration in profiles. YARA rules provide powerful pattern matching capabilities specifically designed for malware detection and classification.

Adding YARA Rules to Profiles

YARA rules can be added to any profile using the yara-x-rules directive:

# In your profile TOML file
yara-x-rules = ["path/to/yara/rules/directory"]

# Can specify multiple directories
yara-x-rules = [
  "yara-rules/malware",
  "yara-rules/exploits",
  "yara-rules/custom"
]

sus will recursively scan the specified directories for files with .yar or .yara extensions and compile them.

Recommended YARA Rule Sources

1. Elastic Endpoint Security YARA Rules

Elastic maintains a comprehensive set of YARA rules for endpoint protection:

Repository: https://github.com/elastic/protections-artifacts

Usage:

# Clone the repository
git clone https://github.com/elastic/protections-artifacts.git yara-rules/elastic

# Add to your profile
yara-x-rules = ["yara-rules/elastic/yara/rules"]

Coverage:

• Windows malware and exploits
• Linux malware and rootkits
• macOS malware
• Cross-platform threats
• Memory-based detection

2. YARA-Rules Project

Community-maintained collection of YARA rules:

Repository: https://github.com/Yara-Rules/rules

Usage:

git clone https://github.com/Yara-Rules/rules.git yara-rules/community

Coverage:

• APT (Advanced Persistent Threat) groups
• Malware families
• Exploit kits
• Packers and obfuscators
• Webshells

3. Signature-Base by Florian Roth

High-quality YARA rules by renowned security researcher:

Repository: https://github.com/Neo23x0/signature-base

Usage:

git clone https://github.com/Neo23x0/signature-base.git yara-rules/signature-base

Coverage:

• Malware signatures
• Exploit signatures
• Webshells
• Hacktool signatures

4. Awesome YARA

Curated list of YARA rules and resources:

Repository: https://github.com/InQuest/awesome-yara

Provides links to many other YARA rule repositories organized by category.

Example: Enhanced Malware Profile with YARA

Create a malware detection profile that combines pattern matching with YARA rules:

# profiles/base/malware-yara.toml

# Include base malware patterns
includes = ["malware.toml"]

# Add YARA rules from multiple sources
yara-x-rules = [
  "yara-rules/elastic/yara/rules",
  "yara-rules/signature-base/yara",
  "yara-rules/custom"
]

# Additional decode options for obfuscated malware
decode = ["base64", "hex", "unicode-escape-sequences"]

Creating Custom YARA Rules

You can create your own YARA rules and add them to the yara-rules/custom directory:

// yara-rules/custom/custom_backdoor.yara

rule CustomBackdoor {
    meta:
        description = "Detects custom backdoor pattern"
        author = "Security Team"
        date = "2024-01-01"
        
    strings:
        // Specific function name used in custom backdoor
        $connection = "establish_c2_connection_handler" ascii wide
        // Unique encryption routine byte pattern
        $encryption = { 48 89 5C 24 08 48 89 6C 24 10 }
        // Unique marker specific to this backdoor variant
        $marker = "CUSTOM_MARKER_2024_BUILD_4721" ascii
        
    condition:
        // Require at least 2 unique indicators for higher confidence
        2 of them
}

rule SuspiciousNetworkActivity {
    meta:
        description = "Detects suspicious network patterns"
        
    strings:
        $reverse_shell1 = "/bin/bash -i >& /dev/tcp/" ascii
        $reverse_shell2 = "nc -e /bin/sh" ascii
        $beacon = /POST \/[a-f0-9]{32}/ ascii
        
    condition:
        any of them
}

YARA Rule Best Practices

1. Organization: Organize rules by threat type (malware families, exploits, etc.)
2. Metadata: Always include descriptive metadata (author, date, description)
3. Performance: Optimize rules to avoid excessive CPU usage
4. Testing: Test rules against known samples before deployment
5. Updates: Regularly update rules from upstream sources
6. False Positives: Review and tune rules to minimize false positives

YARA Match Output

When YARA rules match, sus stores them in the database's pattern_matches table. Each match includes:

• pattern_name: The YARA rule name and namespace (e.g., "elastic:windows:Backdoor:$string1")
• match_type: Set to "yara" for YARA matches
• match: The matched data (with XOR decoding if applicable)
• location: File offset where the match occurred
• sha256: Hash of the file containing the match

Query YARA matches:

-- All YARA matches
SELECT * FROM pattern_matches WHERE match_type = 'yara';

-- YARA matches by rule namespace
SELECT * FROM pattern_matches 
WHERE pattern_name LIKE 'elastic:%'
   OR pattern_name LIKE 'windows:%'
   OR pattern_name LIKE 'linux:%';

-- Count matches per rule
SELECT pattern_name, COUNT(*) as match_count 
FROM pattern_matches 
WHERE match_type = 'yara' 
GROUP BY pattern_name 
ORDER BY match_count DESC;

Example Workflow

1. Set Up YARA Rules

mkdir -p yara-rules
cd yara-rules

# Download Elastic rules
git clone https://github.com/elastic/protections-artifacts.git elastic

# Download Signature-Base
git clone https://github.com/Neo23x0/signature-base.git signature-base

# Create custom rules directory
mkdir -p custom

2. Create Enhanced Profile

# profiles/composite/malware-detection-pro.toml

includes = [
  "../base/malware.toml",
  "../base/network.toml"
]

yara-x-rules = [
  "yara-rules/elastic/yara/rules",
  "yara-rules/signature-base/yara"
]

decode = ["base64", "hex", "unicode-escape-sequences"]

[[signatures]]
  name = "YARA Malware Detections"
  query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE match_type = 'yara'"

[[signatures]]
  name = "High Confidence Threats"
  query = "SELECT sha256, COUNT(*) as rule_count FROM pattern_matches WHERE match_type = 'yara' GROUP BY sha256 HAVING rule_count >= 3"

3. Run Analysis

sus /suspicious/files \
  --profile profiles/composite/malware-detection-pro.toml \
  --output-dir ./malware-analysis

4. Review Results

# View YARA matches in web interface
sus --server-only --output-dir ./malware-analysis

# Or query database directly
sqlite3 ./malware-analysis/analysis.db \
  "SELECT pattern_name, COUNT(*) FROM pattern_matches 
   WHERE match_type = 'yara' 
   GROUP BY pattern_name 
   ORDER BY COUNT(*) DESC"

Performance Considerations

• Rule Count: Large YARA rulesets can slow down analysis. Start with focused rulesets.
• Complex Rules: Rules with many strings or complex conditions take longer to evaluate.
• File Size: Large files take longer to scan. Use max-file-size to limit.
• Parallelization: sus processes files in parallel to maximize throughput.

Troubleshooting

YARA Compilation Errors

If YARA rules fail to compile:

# Check sus logs for compilation errors during profile loading
sus /path --profile profile.toml 2>&1 | grep -i "error\|yara"

# Note: YARA-X uses different syntax than traditional YARA
# Verify rules are compatible with YARA-X: https://github.com/VirusTotal/yara-x

No Matches Found

If YARA rules aren't matching expected files:

1. Verify rule syntax with test samples
2. Check file encoding (try different decode options)
3. Review rule conditions (some require multiple patterns)
4. Ensure files are within size limits

Performance Issues

If analysis is too slow:

1. Reduce number of YARA rules
2. Profile which rules are slow (using YARA profiling tools)
3. Decrease max-file-size threshold to skip large files
4. Use more focused rulesets for specific threat types

Future Enhancements

Planned improvements to YARA integration:

• Rule performance profiling
• Selective rule loading by category
• YARA rule update automation
• Custom rule validation
• Rule hit statistics and reporting

Additional Resources

• YARA-X Documentation
• YARA Documentation
• Writing YARA Rules
• YARA Best Practices
• Elastic Detection Rules

License Considerations

When using third-party YARA rules:

• Review the license of each rule repository
• Ensure compliance with Apache-2.0 if distributing
• Attribute rule authors appropriately
• Keep upstream repositories updated

Contributing YARA Rules

To contribute YARA rules to the sus project:

1. Create rules in yara-rules/custom/
2. Test rules against known samples
3. Document rule purpose and detection logic
4. Submit pull request with rule files and documentation
5. Include test samples (or hashes) for validation