{"id":13705901,"url":"https://github.com/CybercentreCanada/CCCS-Yara","last_synced_at":"2025-05-05T17:30:52.446Z","repository":{"id":46805763,"uuid":"228680159","full_name":"CybercentreCanada/CCCS-Yara","owner":"CybercentreCanada","description":"YARA rule metadata specification and validation utility / Spécification et validation pour les règles YARA","archived":false,"fork":false,"pushed_at":"2025-03-27T13:54:40.000Z","size":259,"stargazers_count":104,"open_issues_count":2,"forks_count":21,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-05-05T14:09:37.548Z","etag":null,"topics":["assemblyline","yara","yara-format"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CybercentreCanada.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-12-17T18:43:47.000Z","updated_at":"2025-04-17T09:20:18.000Z","dependencies_parsed_at":"2024-02-08T20:40:53.796Z","dependency_job_id":"b396f4a8-eaf7-419f-9ce1-117b693bd5de","html_url":"https://github.com/CybercentreCanada/CCCS-Yara","commit_stats":null,"previous_names":[],"tags_count":13,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CybercentreCanada%2FCCCS-Yara","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CybercentreCanada%2FCCCS-Yara/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CybercentreCanada%2FCCCS-Yara/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CybercentreCanada%2FCCCS-Yara/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CybercentreCanada","download_url":"https://codeload.github.com/CybercentreCanada/CCCS-Yara/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252542252,"owners_count":21764934,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["assemblyline","yara","yara-format"],"created_at":"2024-08-02T22:00:49.465Z","updated_at":"2025-05-05T17:30:52.409Z","avatar_url":"https://github.com/CybercentreCanada.png","language":"Python","funding_links":[],"categories":["Tools","Python"],"sub_categories":[],"readme":"# Canadian Centre for Cyber Security\n\n## CCCS YARA Specification\n\nThe [CCCS YARA Specification](https://github.com/CybercentreCanada/CCCS-Yara/blob/master/CCCS_YARA.yml) has been created to define and validate the style and format of YARA rule metadata. It comes with a cli which allow you to validate and generate metadata automatically (such as unique id, rule fingerprint, actor enrichment from ATT\u0026CK).\n\nOver the years we have seen many YARA rules; in order to leverage them to their full potential we always had to modify some of their associated metadata, even for rules we developed ourselves. Adjusting simple elements such as datetime format and adding important information to help analysts.\n\nYou can leverage it in your CI/CD pipeplines to automatically verify and enrich your Yara rules before new rules are merged in!\n\nThis specification also include fields specific to the [MITRE ATT\u0026CK framework](https://attack.mitre.org/matrices/enterprise/) to identify techniques and universal [MITRE ATT\u0026CK threat groups](https://attack.mitre.org/groups/).\n\n[AssemblyLine](https://www.cyber.gc.ca/en/assemblyline) supports this specification natively and will leverage it to provide more context around YARA signature hits.\n\n[vscode-yara](https://github.com/infosec-intern/vscode-yara) creates a custom meta section that aligns with this specification, using the User or Workspace settings file, `settings.json`. See [settings.json](settings.json) for an example.\n\n## Sample rule\n\n```\nrule MemoryModule {\n    meta:\n\tid = \"6O9mUMvPhziJ72IXHf6muZ\"\n\tfingerprint = \"4aa0a23f28698898404d700cb363ddf06dd275f5798815e797113656a2a40ae8\"\n\tversion = \"1.0\"\n\tdate = \"2020-05-06\"\n\tmodified = \"2020-05-06\"\n\tstatus = \"RELEASED\"\n\tsharing = \"TLP:WHITE\"\n\tsource = \"CCCS\"\n\tauthor = \"analyst@CCCS\"\n\tdescription = \"Yara rule to detect usage of MemoryModule Library\"\n\tcategory = \"TECHNIQUE\"\n\ttechnique = \"LOADER:MEMORYMODULE\"\n\tmitre_att = \"T1129\"\n\treport = \"TA20-0192\"\n\thash = \"812bbe8b9acabad05b08add50ee55c883e1f7998f3a7cae273d3f0d572a79adc\"\n\n    strings:\n        $func_ptr =    {55 8B EC 6A 00 68 [3] 00 68 [3] 00 68 [3] 00 68 [3] 00 68 [3] 00}\n        $func_ptr_64 = {48 [3] 48 [4] 00 00 00 00 48 8? [5] 48 8? [3] 4? 8? [5] 48 8? [3-5] 48 8?}\n        $api_1 = \"LoadLibraryA\"\n        $api_2 = \"GetProcAddress\"\n        $api_3 = \"FreeLibrary\"\n        $api_4 = \"VirtualFree\"\n        $api_5 = \"VirtualProtect\"\n        $api_6 = \"VirtualAlloc\"\n\n    condition:\n        uint16(0) == 0x5a4d and all of ($api*) and ($func_ptr or $func_ptr_64)\n}\n```\n\n## YARA repositories using this standard - thanks!\n\n- https://github.com/reversinglabs/reversinglabs-yara-rules\n- https://github.com/bartblaze/Yara-rules\n- https://github.com/0xThiebaut/Signatures\n\n## Components\n\nvalidator.py: This is the validator library. It is used to validate the metadata section of YARA rules. It verifies specified metadata information, auto-generates some of metadata information and re-sorts the metadata information into the canonical order with all 'unknown' metadata information appended to the bottom.\n\n- [CCCS_YARA.yml](https://github.com/CybercentreCanada/CCCS-Yara/blob/master/CCCS_YARA.yml): This is the definition of the CCCS YARA Standard in the YAML format. (Limitation: This file is provided to show what fields are expected, currently the yara_validator doeSn't use this file directly, this will be addressed in a future release.)\n\n- [CCCS_YARA_values.yml](https://github.com/CybercentreCanada/CCCS-Yara/blob/master/CCCS_YARA_values.yml): File which describe the list of acceptable values for fields defined in the CCCS_YARA.yml\n\nyara_validator: This is a command line interface utility. It takes a file, list of files, a folder looking for files with the .yar or .yara extension.\n\n## Requirements\n\nPython 3.6+\n\nAll required python packages are in the requirements.txt\n\nThe [Cyber Threat Intelligence Repository](https://github.com/mitre/cti) is a submodule of this repository:\n\n```\ngit clone https://github.com/CybercentreCanada/CCCS-Yara.git\ncd CCCS-Yara\npip install  .\n```\n\n## yara_validator usage\n\n```\nyara_validator -h\n     ____ ____ ____ ____   __   __ _    ____      _\n    / ___/ ___/ ___/ ___|  \\ \\ / // \\  |  _ \\    / \\\n   | |  | |  | |   \\___ \\   \\ V // _ \\ | |_) |  / _ \\\n   | |__| |__| |___ ___) |   | |/ ___ \\|  _ \u003c  / ___ \\\n    \\____\\____\\____|____/    |_/_/   \\_\\_| \\_\\/_/   \\_\\\n\nusage: yara_validator [-h] [-r] [-n] [-v] [-vv] [-f] [-w] [-s] [-st]\n                             [-m] [-i | -c]\n                             paths [paths ...]\n\nCCCS YARA script to run the CCCS YARA validator, use the -i or -c flags to\ngenerate the id, fingerprint, version, or modified (if\nnot already present) and add them to the file.\n\npositional arguments:\n  paths                A list of files or folders to be analyzed.\n\noptional arguments:\n  -h, --help           show this help message and exit\n  -r, --recursive      Recursively search folders provided.\n  -n, --no-changes     Makes no changes and outputs potential results to the\n                       output.\n  -v, --verbose        Verbose mode, will print why a rule was invalid.\n  -vv, --very-verbose  Very-verbose mode, will printout what rule is about to\n                       be processed, the invalid rules, the reasons they are\n                       invalid and all contents of the rule.\n  -f, --fail           Fail mode, only prints messages about invalid rules.\n  -w, --warnings       This mode will ignore warnings and proceed with other\n                       behaviors if the rule is valid.\n  -s, --standard       This prints the YARA standard to the screen.\n  -st, --strict        This causes the cli to return a non-zero exit code for\n                       warnings.\n  -m, --module         This flag overrides the check for modules that have not\n                       been imported.\n  -i, --in-place       Modifies valid files in place, mutually exclusive with\n                       -c.\n  -c, --create-files   Writes a new file for each valid file, mutually\n                       exclusive with -i.\n```\n\nQuick example:\n\n```\n# Rule will be converted inline\npython yara_validator -v -i \u003cpath\u003e\n```\n\n# Centre canadien pour la cybersécurité\n\n## Spécification YARA du CCCS\n\nLa [Spécification YARA du CCCS](https://github.com/CybercentreCanada/CCCS-Yara/blob/master/CCCS_YARA.yml) a été créé pour définir et validé le style et le format des attributs pour les règles YARA. Un outil ligne de commandes permet de valider et généré les tags automatiquement!\n\nAu fil des années nous avons vu beaucoup de régles YARA; mais pour pouvoir les utilisées à leur plein potentiel nous devions modifiée les méta données associtiées, parfois même pour nos propres règles. En ajustant des éléments aussi simples que le format de date et en ajoutant des attributs important pour les analystes.\n\nCe standard pour les méta données inclus aussi des champs spécifique au [MITRE ATT\u0026CK framework](https://attack.mitre.org/matrices/enterprise/) pour identifier les techniques et les groups d'acteurs [MITRE ATT\u0026CK threat groups](https://attack.mitre.org/groups/).\n\n[AssemblyLine](https://www.cyber.gc.ca/fr/chaine-de-montage-assemblyline) supporte cette spécification nativement et l'utilisera pour fournir d'avantage d'information à l'utilisateur lors du déclanchement d'une signature.\n\n## Exemple\n\n```\nrule MemoryModule {\n    meta:\n\tid = \"6O9mUMvPhziJ72IXHf6muZ\"\n\tfingerprint = \"4aa0a23f28698898404d700cb363ddf06dd275f5798815e797113656a2a40ae8\"\n\tversion = \"1.0\"\n\tdate = \"2020-05-06\"\n\tmodified = \"2020-05-06\"\n\tstatus = \"RELEASED\"\n\tsharing = \"TLP:WHITE\"\n\tsource = \"CCCS\"\n\tauthor = \"analyst@CCCS\"\n\tdescription = \"Yara rule to detect usage of MemoryModule Library\"\n\tcategory = \"TECHNIQUE\"\n\ttechnique = \"LOADER:MEMORYMODULE\"\n\tmitre_att = \"T1129\"\n\treport = \"TA20-0192\"\n\thash = \"812bbe8b9acabad05b08add50ee55c883e1f7998f3a7cae273d3f0d572a79adc\"\n\n    strings:\n        $func_ptr =    {55 8B EC 6A 00 68 [3] 00 68 [3] 00 68 [3] 00 68 [3] 00 68 [3] 00}\n        $func_ptr_64 = {48 [3] 48 [4] 00 00 00 00 48 8? [5] 48 8? [3] 4? 8? [5] 48 8? [3-5] 48 8?}\n        $api_1 = \"LoadLibraryA\"\n        $api_2 = \"GetProcAddress\"\n        $api_3 = \"FreeLibrary\"\n        $api_4 = \"VirtualFree\"\n        $api_5 = \"VirtualProtect\"\n        $api_6 = \"VirtualAlloc\"\n\n    condition:\n        uint16(0) == 0x5a4d and all of ($api*) and ($func_ptr or $func_ptr_64)\n}\n```\n\n## Répertoires de règles YARA qui utilise ce standard - merci!\n\n- https://github.com/reversinglabs/reversinglabs-yara-rules\n- https://github.com/bartblaze/Yara-rules\n\n## Composantes\n\nvalidator.py: La librairie de validation. Elle permet de vérifier si une règle YARA a tous les attributs nécessaires, elle auto-génère aussi certain attribut et les ordonnent selon l'ontologie. Tous les attributs supplémentaires ne faisant pas partie de la spécification sont placé à la fin.\n\n- [CCCS_YARA.yml](https://github.com/CybercentreCanada/CCCS-Yara/blob/master/CCCS_YARA.yml): Fichier de de définition de la spécification. (Limitation: Ce fichier démontre les attributs nécessaires, présentement le validateur n'utilise pas se fichier directement, ceci sera améliorer dans le futur.)\n\n- [CCCS_YARA_values.yml](https://github.com/CybercentreCanada/CCCS-Yara/blob/master/CCCS_YARA_values.yml): Fichier qui décrit les valeurs acceptables pour chacun des attributs définit dans CCCS_YARA.yml.\n\nyara_validator: Utilitaire de validation pour la ligne de commande. Il accepte une règle, une liste de règles ou un dossier pour validé les fichiers se terminant par .yar ou .YARA.\n\n## Exigences\n\nPython 3.6+\n\nTous les libraries python sont dans le fichier requirements.txt\n\n[Cyber Threat Intelligence Repository](https://github.com/mitre/cti) est un sous module de ce répertoire:\n\n```\ngit clone https://github.com/CybercentreCanada/CCCS-Yara.git\ncd CCCS-Yara\npip install  .\n```\n\n## yara_validator en ligne de commandes\n\n```\nyara_validator -h\n     ____ ____ ____ ____   __   __ _    ____      _\n    / ___/ ___/ ___/ ___|  \\ \\ / // \\  |  _ \\    / \\\n   | |  | |  | |   \\___ \\   \\ V // _ \\ | |_) |  / _ \\\n   | |__| |__| |___ ___) |   | |/ ___ \\|  _ \u003c  / ___ \\\n    \\____\\____\\____|____/    |_/_/   \\_\\_| \\_\\/_/   \\_\\\n\nusage: yara_validator [-h] [-r] [-n] [-v] [-vv] [-f] [-w] [-s] [-st]\n                             [-m] [-i | -c]\n                             paths [paths ...]\n\nCCCS YARA script to run the CCCS YARA validator, use the -i or -c flags to\ngenerate the id, fingerprint, version, or modified (if\nnot already present) and add them to the file.\n\npositional arguments:\n  paths                A list of files or folders to be analyzed.\n\noptional arguments:\n  -h, --help           show this help message and exit\n  -r, --recursive      Recursively search folders provided.\n  -n, --no-changes     Makes no changes and outputs potential results to the\n                       output.\n  -v, --verbose        Verbose mode, will print why a rule was invalid.\n  -vv, --very-verbose  Very-verbose mode, will printout what rule is about to\n                       be processed, the invalid rules, the reasons they are\n                       invalid and all contents of the rule.\n  -f, --fail           Fail mode, only prints messages about invalid rules.\n  -w, --warnings       This mode will ignore warnings and proceed with other\n                       behaviors if the rule is valid.\n  -s, --standard       This prints the YARA standard to the screen.\n  -st, --strict        This causes the cli to return a non-zero exit code for\n                       warnings.\n  -m, --module         This flag overrides the check for modules that have not\n                       been imported.\n  -i, --in-place       Modifies valid files in place, mutually exclusive with\n                       -c.\n  -c, --create-files   Writes a new file for each valid file, mutually\n                       exclusive with -i.\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCybercentreCanada%2FCCCS-Yara","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCybercentreCanada%2FCCCS-Yara","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCybercentreCanada%2FCCCS-Yara/lists"}