Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/bartblaze/Yara-rules
Collection of private Yara rules.
https://github.com/bartblaze/Yara-rules
malware-detection ransomware-detection threat-hunting threat-intelligence yara yara-rules yara-signatures
Last synced: 30 days ago
JSON representation
Collection of private Yara rules.
- Host: GitHub
- URL: https://github.com/bartblaze/Yara-rules
- Owner: bartblaze
- License: mit
- Created: 2020-03-26T20:20:29.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2024-08-14T11:29:11.000Z (4 months ago)
- Last Synced: 2024-08-14T17:31:43.748Z (4 months ago)
- Topics: malware-detection, ransomware-detection, threat-hunting, threat-intelligence, yara, yara-rules, yara-signatures
- Language: YARA
- Homepage:
- Size: 220 KB
- Stars: 314
- Watchers: 22
- Forks: 52
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-yara - bartblaze YARA rules
README
# About
## What is this?
A repo containing some of my privately developed Yara rules.## Why?
To contribute to the community.## Can I use these rules?
Of course! That's why I created this repo.You can use them in your detection systems. For example, [CAPE sandbox](https://github.com/kevoreilly/CAPEv2), [MalwareBazaar](https://bazaar.abuse.ch/), [UnPac.me](https://www.unpac.me/) and [VirusTotal](https://www.virustotal.com/) (must be logged in, signup is free) and others are using these rules. Furthermore, the rules can work natively with [AssemblyLine](https://www.cyber.gc.ca/en/tools-services/assemblyline) due to the CCCS Yara rule standard adoption.
All rules are TLP:White, so you can use and distribute them freely. Please retain the meta.
## Help! A generic rule is hitting my software!
If one of the rules in the [generic](https://github.com/bartblaze/Yara-rules/tree/master/rules/generic) rules section hits on your software: this is not a false positive. It is simply an objective fact that, for example, your software has been compiled or wrapped using AutoIT. It equally does **not** mean your software is malicious.The Yara rules presented here do **not** influence antivirus detection results in any manner. If your software is detected by an antivirus or antimalware company, **you need to contact them directly**.
Note the `meta` section also mentions `category = "INFO"`, in which case it is a purely generic or informational rule.
## Actions
There's two workflows running on this Github repository:* [YARA-CI](https://yara-ci.cloud.virustotal.com/): runs automatically to detect signature errors, as well as false positives and false negatives.
* [Package Yara rules](https://github.com/bartblaze/Yara-rules/blob/master/.github/workflows/yara.yml): allows download of a complete rules file (all Yara rules from this repo in one file) for convenience from the Actions tab > Choose the last workflow run > Artifacts. Scroll down and you will be able to download, but you must be logged in to Github:![image](https://github.com/user-attachments/assets/904aa2af-8b91-4c01-97b4-db24f9659005)
[![Package Yara Rules](https://github.com/bartblaze/Yara-rules/actions/workflows/yara.yml/badge.svg)](https://github.com/bartblaze/Yara-rules/actions/workflows/yara.yml)
## Minimum Yara version needed?
**v3.3.0** is minimally needed, as some rules may require a specific module. Note that it's recommended to always use the latest Yara version as found [here](https://github.com/VirusTotal/yara/releases). Yara 4.5.1, likely the last release to be available, works without issue.## Do the rules work with Yara-X?
[Yara-X](https://github.com/VirusTotal/yara-x), a rewrite of Yara in Rust, should have no difficulty running the rules in this repo. At time of writing, Yara-X v0.6.0 works fine with the rules presented here.## Feedback?
If you spot an issue or improvement with one of the rules, feel free to submit a PR or open an Issue.# Extra
## What is Yara?
From the official Github repo, https://github.com/VirusTotal/yara:
> YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.More information: https://yara.readthedocs.io/en/stable/index.html
## What is TLP?
> The Traffic Light Protocol (TLP) was created in order to facilitate greater sharing of information.The rules in this repo are TLP:White (or TLP:Clear).
> Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.More information: https://www.us-cert.gov/tlp
## Where can I find other open-source Yara rules?
InQuest has made a Github repo which contains a curated list of Yara rules: https://github.com/InQuest/awesome-yara.