Reversinglabs Yara Rules
| Project Name | Stars | Downloads | Repos Using This | Packages Using This | Most Recent Commit | Total Releases | Latest Release | Open Issues | License | Language |
|---|---|---|---|---|---|---|---|---|---|---|
| Yara | 7,060 | a day ago | 1 | February 27, 2018 | 178 | bsd-3-clause | C | |||
| The pattern matching swiss knife | ||||||||||
| Fibratus | 1,976 | 3 days ago | 26 | March 31, 2023 | 22 | other | Go | |||
| A modern tool for Windows kernel exploration and tracing with a focus on security | ||||||||||
| Binaryalert | 1,301 | 10 months ago | 44 | apache-2.0 | Python | |||||
| BinaryAlert: Serverless, Real-time & Retroactive Malware Detection. | ||||||||||
| Strelka | 740 | 4 days ago | 11 | other | Python | |||||
| Real-time, container-based file scanning at enterprise scale | ||||||||||
| Reversinglabs Yara Rules | 620 | 17 days ago | 2 | mit | YARA | |||||
| ReversingLabs YARA Rules | ||||||||||
| Habomalhunter | 567 | 4 years ago | 6 | other | Python | |||||
| HaboMalHunter is a sub-project of Habo Malware Analysis System (https://habo.qq.com), which can be used for automated malware analysis and security assessment on the Linux system. | ||||||||||
| Kicomav | 274 | a year ago | 2 | gpl-2.0 | Python | |||||
| KicomAV is an open source (GPL v2) antivirus engine designed for detecting malware and disinfecting it. | ||||||||||
| Lisa | 233 | 2 years ago | 11 | apache-2.0 | Python | |||||
| Sandbox for automated Linux malware analysis. | ||||||||||
| Sec_check | 228 | 5 years ago | May 31, 2021 | 2 | Go | |||||
| Cross platform security detection tool | ||||||||||
| Halogen | 186 | a year ago | mit | Python | ||||||
| Automatically create YARA rules from malicious documents. | ||||||||||
ReversingLabs YARA Rules
Welcome to the official ReversingLabs YARA rules repository! The repository will be updated continuously, as we develop rules for new threats, and after their quality has been proven through testing in our cloud and other environments.
These rules have been written by our threat analysts, for threat hunters, incident responders, security analysts, and other defenders that could benefit from deploying high-quality threat detection YARA rules in their environment.
Our detection rules, as opposed to hunting rules, need to satisfy certain criteria to be eligible for deployment, namely:
- be as precise as possible, without losing detection quality
- aim to provide zero false-positive detections
In order for the rules to be easy to understand and maintain, we adopted the following set of goals:
- clearly named byte patterns
- readable and transparent conditions
- match unique malware functionality
- prefer code byte patterns over strings
To ensure the quality of our rules, we continuously and extensively test them in our cloud, on over 10B (and rising) unique binaries. Rules are evaluated on every layer to detect threats within layered objects, such as packed PE files, documents, and archives, among other things.
Prerequisites
To successfully run the entire YARA rule set, you must have:
- YARA version >= 3.2.0
- PE and ELF modules enabled
(or any other security solution compliant with the requirements).
Deployment
To start using our rules, just clone this repository, and start experimenting on your data sets. YARA rules found in this repository can be used in various environments, and the simplest setup is to use them through the standalone YARA executable, which can be found in the official YARA repository. The rules can also be deployed in a large number of modern security solutions that offer YARA integration, such as YARA-enabled sandboxes, and other file analysis frameworks. However, to get the best results, it is advisable to use the rules through ReversingLabs Titanium Platform which offers native integration of these rules into its classification pipeline.
License
This project is licensed under the MIT License - see the LICENSE file for details.
Acknowledgements
Thanks go to all the people who actively participate in the development of the YARA engine - without you, these rules would not be possible. Also, wed like to thank everyone who participates in the YARA community, because you evolve the way YARA is used, improve how rules should be written, and are what makes our work worthwhile.
