yara

Plugin

ArgDescriptionType
rulesYara rules in the yara DSL.string (required)
filesThe list of files to scan.list of Any (required)
accessorAccessor (e.g. ntfs,file)string
contextHow many bytes to include around each hitint
startThe start offset to scanuint64
endEnd scanning at this offset (100mb)uint64
numberStop after this many hits (1).int64
blocksizeBlocksize for scanning (1mb).uint64
keyIf set use this key to cache the yara rules.string

Description

Scan files using yara rules.

The yara() plugin applies a signature consisting of multiple rules across files. You can read more about yara rules. The accessor is used to open the various files which allows this plugin to work across raw ntfs, zip members or indeed process memory.

Scanning proceeds by reading a block from the file, then applying the yara rule on the block. This will fail if the signature is split across block boundary. You can choose the block size to be appropriate.

If the accessor is not specified we use the yara library to directly open the file itself without Velociraptor’s accessor API. This allows Yara to mmap the file which has a number of benefits including:

  1. The ability to scan without reading in blocks - so a signature matching the file header as well as a string deep within the file works.

  2. Various Yara extensions like the pe extension work allowing rules that use such extensions to work properly.

If we are not able to open the file (for example due to sharing violations), Velociraptor will automatically fall back to the ntfs accessor (on Windows) and will automatically switch to block by block scanning.

Typically the yara rule does not change for the life of the query, so Velociraptor caches it to avoid having to recompile it each time. The key variable can be used to uniquely identify the cache key for the rule. If the key variable is not specified, we use the rule text itself to generate the cache key. It is recommended that the key parameter be specified because it makes it more efficient since we do not need to hash the rules each time.

Shorthand rules

This plugin accepts yara rules in the rules parameter. But typically we only search for keywords so writing a full yara syntax rule is tedious. Therefore we provide a shorthand way to specify the keywords. For example:

wide nocase:foo,bar,baz

When the rule is provided in the above form, the plugin will automatically generate a yara rule which matches any of the specified keywords. The specification before the : means the same thing as the yara DSL and the following combinations are supported wide, wide ascii, wide nocase, wide nocase ascii.

By default only the first 100mb of the file are scanned and scanning stops after one hit is found.

comments powered by Disqus