YaraRules now on GitHub

If you’re interested in sharing your Yara rules with us and the Security Community, you can join our Telegram Group, send a message to our Twitter account @YaraRules, or submit a pull request on our Github Repository.

We have divided our ruleset into five categories, each represented by a file: AntiDebug, Crypto, Malicious Document, Packer and Malware. The Malware category is further split into one file per malware family.

We also want all new rules to follow some guidelines. First, submitting rules in this template will make it easier for us to organize and sort the rules you send:

rule rule_name : tag1 tag2 tag3
{
    meta:
        author      = "author's name and (if possible) link to profile"
        date        = "yyyy/mm/dd"
        description = "What does the rule do"
        reference   = "Link to the blog, paper, ..."   // or "source"; a "/" is not valid in a meta identifier
        sample      = "file hashes"
    strings:
        XXXX
    condition:
        XXXX
}

Next, we would like to establish a set of prefixes for rule names to make them easily identifiable. A rule name should contain the following parts:

1. The category name abbreviated to 2 letters: MW (Malware), AD (AntiDebug), CR (Crypto), MD (Malicious Document) or PA (Packer), one for each of the defined categories.
2. A subcategory or MW family name.
3. A unique name that fully identifies the rule.

<Category (2 letters)><Subcategory/Family>

In addition, adding tags to the rule makes it easier for other people to identify and keep track of rules.
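The following checker is an added example, not code from the original post or from the YaraRules repository. It lints a ruleset file against the two conventions above, the template's meta fields and the two-letter category prefix, so a maintainer can run it over a pull request before merging. It parses rule headers with regular expressions rather than a full YARA grammar, assumes an underscore separates the prefix from the rest of the name (the post does not fix a separator), and the two rules in SAMPLE_RULESET, including the hash placeholder and URLs, are constructed for the demonstration.

```python
import re

# The five categories from the post, abbreviated to two letters.
CATEGORY_PREFIXES = {"MW", "AD", "CR", "MD", "PA"}
# Meta fields required by the submission template.
REQUIRED_META = ("author", "date", "description", "reference", "sample")
DATE_RE = re.compile(r"^\d{4}/\d{2}/\d{2}$")

# One rule: header (name, optional ": tag1 tag2") and body up to a "}" at column 0.
RULE_RE = re.compile(
    r"^rule\s+(?P<name>\w+)(?:\s*:\s*(?P<tags>[^\{\n]*))?\s*\{(?P<body>.*?)^\}",
    re.S | re.M,
)
# key = "value" lines inside the meta section.
META_RE = re.compile(r"^\s*(?P<key>\w+)\s*=\s*\"(?P<value>[^\"]*)\"", re.M)


def parse_meta(body):
    """Return the meta section of a rule body as a dict (empty if absent)."""
    m = re.search(r"meta:(.*?)(?:^\s*strings:|^\s*condition:)", body, re.S | re.M)
    if not m:
        return {}
    return dict(META_RE.findall(m.group(1)))


def lint_rule(name, tags, body):
    """Return a list of guideline violations for one rule (empty means clean)."""
    problems = []
    # Assumption: the category prefix is separated from the rest by "_".
    prefix = name.split("_", 1)[0]
    if prefix not in CATEGORY_PREFIXES:
        problems.append("name lacks category prefix (MW/AD/CR/MD/PA)")
    meta = parse_meta(body)
    for key in REQUIRED_META:
        if key not in meta:
            problems.append(f"missing meta field: {key}")
    if "date" in meta and not DATE_RE.match(meta["date"]):
        problems.append("date is not yyyy/mm/dd")
    if not tags:
        problems.append("no tags")
    return problems


def lint_rules(text):
    """Map every rule name found in the text to its list of problems."""
    return {
        m.group("name"): lint_rule(
            m.group("name"), (m.group("tags") or "").split(), m.group("body")
        )
        for m in RULE_RE.finditer(text)
    }


# Constructed sample: one rule that follows the guidelines, one that does not.
SAMPLE_RULESET = '''
rule MW_ExampleFamily_Dropper_Strings : malware dropper example
{
    meta:
        author      = "Example Analyst (https://example.invalid/analyst)"
        date        = "2015/02/10"
        description = "Constructed example rule following the submission template"
        reference   = "https://example.invalid/writeup"
        sample      = "PLACEHOLDER_SHA256"
    strings:
        $a = "constructed marker string"
        $b = { 4D 5A 90 00 }
    condition:
        $b at 0 and $a
}

rule dropper_strings
{
    meta:
        author      = "Example Analyst"
        date        = "10-02-2015"
        description = "Constructed example that breaks the guidelines"
    strings:
        $a = "constructed marker string"
    condition:
        $a
}
'''

if __name__ == "__main__":
    for rule_name, problems in lint_rules(SAMPLE_RULESET).items():
        print(rule_name, "->", problems or "OK")
```

The first rule passes; the second is reported for a missing prefix, two missing meta fields, a malformed date and no tags. Pointing the script at a real ruleset file instead of SAMPLE_RULESET is a one-line change.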

To make GitHub pull requests easier to manage, please open separate PRs to add, modify or delete rules, instead of mixing additions, updates and deletions in a single PR. Giving the reasons why you want to modify or delete a rule will also help us introduce the changes to the ruleset.

If you send us a new malware family, please send it in a new file so that it fits the per-family structure mentioned above.

Finally, we suggest keeping this series of guidelines in mind when creating your signatures, to get the most out of them.

Our Yara ruleset is released under the GNU GPLv2 license. It is open to any user or organization, as long as it is used under the terms of this license.

The YaraRules team.