Once YARA is installed, the next step is to write rules. Rules can be generic or very specific, and they are plain text, so any text editor will do (rule files are conventionally saved with a .yar or .yara extension). To understand the rule syntax, consider a simple rule that flags any file containing one of three suspicious strings:
```yara
rule suspicious_strings
{
    strings:
        $a = "Synflooding"
        $b = "Portscanner"
        $c = "Keylogger"
    condition:
        ($a or $b or $c)
}
```
The YARA rule consists of the following components:
- Rule identifier: The name of the rule (suspicious_strings in the preceding example). Identifiers may contain alphanumeric characters and the underscore, but the first character cannot be a digit. They are case-sensitive and cannot exceed 128 characters.
- Strings section: The section where the strings the rule looks for are defined. Strings can be text (in double quotes), hexadecimal byte patterns (in curly braces) or regular expressions (between slashes). The section can be omitted if the rule does not rely on any strings. Each string has an identifier consisting of a $ character followed by a sequence of alphanumeric characters and underscores; think of $a, $b and $c in the preceding rule as variables holding the values to search for, which are then referenced in the condition section. One caveat a practitioner should keep in mind: a text string is matched as case-sensitive ASCII by default, so "Keylogger" will not match "KEYLOGGER", nor the UTF-16LE form Windows binaries commonly use for their strings. YARA provides modifiers appended after the string (nocase, wide, and ascii to keep the 8-bit form alongside wide) to widen the match when that is what you want.
- Condition section: This section is mandatory, and it is where the logic of the rule resides. It must contain a Boolean expression, built from the string identifiers and YARA's operators, that specifies when the rule matches.
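To make the matching behaviour concrete, the following small Python stand-in (an added example for this edition; it is not the book's code, not yara-python, and not a replacement for the yara binary) evaluates the three text strings and the ($a or $b or $c) condition from the rule above against constructed byte samples. It models YARA's default case-sensitive ASCII matching and the nocase, wide and ascii string modifiers, so you can see what the rule as written would miss and what the modifiers buy you. The sample buffers and the helper names (TextString, find_strings, suspicious_strings) are this example's own.

```python
"""Toy evaluator for the suspicious_strings rule (constructed example, not yara-python)."""
import re


class TextString:
    """One entry of a YARA `strings:` section: a text string plus its modifiers."""

    def __init__(self, ident, value, nocase=False, wide=False, ascii=None):
        self.ident = ident
        self.value = value
        self.nocase = nocase
        self.wide = wide
        # YARA semantics: `wide` alone matches only UTF-16LE; `wide ascii` matches both.
        self.ascii = (not wide) if ascii is None else ascii

    def patterns(self):
        """Compile the byte-level regexes this string expands to under its modifiers."""
        chars = []
        for ch in self.value:
            if self.nocase and ch.isalpha():
                chars.append(b"[" + re.escape(ch.lower().encode("latin-1"))
                             + re.escape(ch.upper().encode("latin-1")) + b"]")
            else:
                chars.append(re.escape(ch.encode("latin-1")))
        forms = []
        if self.ascii:
            forms.append(b"".join(chars))                       # 8-bit form
        if self.wide:
            forms.append(b"".join(c + b"\x00" for c in chars))  # UTF-16LE form
        return [re.compile(f) for f in forms]


def find_strings(data, strings):
    """Return {identifier: [offsets]} for every string found in data, like `yara -s`."""
    hits = {}
    for s in strings:
        offsets = sorted({m.start() for p in s.patterns() for m in p.finditer(data)})
        if offsets:
            hits[s.ident] = offsets
    return hits


def suspicious_strings(data, strings):
    """Evaluate the rule: the condition section is ($a or $b or $c)."""
    hits = find_strings(data, strings)
    matched = any(ident in hits for ident in ("$a", "$b", "$c"))
    return matched, hits


# Strings exactly as written in the rule: case-sensitive, ASCII only (YARA's default).
DEFAULT_STRINGS = [
    TextString("$a", "Synflooding"),
    TextString("$b", "Portscanner"),
    TextString("$c", "Keylogger"),
]

# The same strings with modifiers, as in:  $c = "Keylogger" nocase wide ascii
HARDENED_STRINGS = [
    TextString(s.ident, s.value, nocase=True, wide=True, ascii=True) for s in DEFAULT_STRINGS
]

# Constructed byte samples (not real malware): a fake MZ header plus one embedded string.
SAMPLE_ASCII = b"MZ\x90\x00\x03\x00\x00\x00" + b"Keylogger started\x00"
SAMPLE_WIDE = b"MZ" + "Keylogger".encode("utf-16-le") + b"\x00\x00"  # UTF-16LE as Windows stores it
SAMPLE_CASE = b"MZ\x00\x00 PORTSCANNER ready"
SAMPLE_CLEAN = b"MZ\x00\x00 nothing to see here"

if __name__ == "__main__":
    for name, data in [("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE),
                       ("case", SAMPLE_CASE), ("clean", SAMPLE_CLEAN)]:
        print(name, "default:", suspicious_strings(data, DEFAULT_STRINGS),
              "hardened:", suspicious_strings(data, HARDENED_STRINGS))
```

Run as a script, the default strings fire only on the plain ASCII sample; the UTF-16LE and upper-case samples slip past until the nocase and wide modifiers are added, which is exactly the decision you make per string when writing a real rule. Remember that widening a string also widens its false-positive surface, so check hardened rules against a corpus of clean files before deploying them.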