Steve stvemillertime

## yara_performance_guidelines.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                stvemillertime
                / yara_performance_guidelines.md
            
            
              Created
              February 19, 2023 23:48
                — forked from Neo23x0/yara_performance_guidelines.md
            
              
                YARA Performance Guidelines
              
          
      View yara_performance_guidelines.md
  
      
    This Gist has been transfered into a Github Repo.
You'll find the most recent version here.
YARA Performance Guidelines
When creating your rules for YARA keep in mind the following guidelines in order to get the best performance from them.
This guide is based on ideas and recommendations by Victor M. Alvarez and WXS.

Revision 1.4, October 2020, applies to all YARA versions higher than 3.7


## mstscax_ole.yar
rule terminal_services_scripting {
  meta:
    author = "David Cannings"
    description = "Microsoft Terminal Services Client Control (not safe for scripting)"
    ref = "https://twitter.com/joe4security/status/1221765460502421504?s=20%E2%80%9D"
    generated_by = "yaml2yara, see https://github.com/nccgroup/yaml2yara/"

  strings:
    // Parsers will open files without the full 'rtf'
    $header_rtf = "{\\rt" nocase

## yara_example_1.yar
import "math"

rule example {
  meta:
    author = "David Cannings"
    description = "Rule example - finding a chunk of code near other known code"

  strings:
    $chunk = { AA BB CC DD }
    $chunk_prologue = { 11 22 33 44 }

## high_entropy_pe_rules.yar
/*

Original rule from: https://gist.github.com/g-les/0745a9d6cd7f4abb3083a8dee1eaf984

Two variations on the original rule by @greglesnewich.

Conversation on Twitter at: https://twitter.com/edeca/status/1477650229709225990

*/

## server.py
import socket
import hashlib
import struct

import time


class IdUid:
    def __init__(self):

## nozomi_upx.yara
// https://github.com/NozomiNetworks/upx-recovery-tool
rule UPX_nozomi_x86
{
  strings: $sig = { 50 e8 ?? ?? 00 00 eb  5a 58 59 97 60 8a 54 24 20 e9 ?? ?? 00 00 60 8b 74 24 24 8b 7c 24 2c 83 cd}
  condition: any of them
}

rule UPX_nozomi_x64
{
  strings:

## 100_days_of_yara.yar
/*
Goals for #100DaysofYARA:

better understanding of bitwise operators
use math module beyond general entropy of a section / resource
position specific things beyond what PE module tells us
do some funky stuff with hashing


*/

## casing_anomaly.yar
rule general_win_runkey_casing_anomaly : General
{
    meta:
        author = "threatintel@volexity.com"
        description = "Looks for files containing to a reference to the HKCU run key where the reference uses unusual casing."
        date = "2021-08-03"
        hash1 = "c20997c72508bc7340f4ec99fe9eb4f1ccde518e81bda66e7c86632f0748bffa"
        memory_suitable = 0

    strings:

## entropy_functions.yar
import "math"

rule general_vba_high_entropy_function_names : General
{
    meta:
        author = "threatintel@volexity.com"
        description = "Looks for VBA files containing function names that have been randomized based on their entropy."
        date = "2022-03-14"
        hash1 = "c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49"
        memory_suitable = 0

## entropy.yar
// Add as an alias like:
// alias entropy=yara /path/to/entropy.yar $*

// Usage:
// entropy file.bin

import "console"
import "math"

rule entropy
	rule terminal_services_scripting {
	meta:
	author = "David Cannings"
	description = "Microsoft Terminal Services Client Control (not safe for scripting)"
	ref = "https://twitter.com/joe4security/status/1221765460502421504?s=20%E2%80%9D"
	generated_by = "yaml2yara, see https://github.com/nccgroup/yaml2yara/"

	strings:
	// Parsers will open files without the full 'rtf'
	$header_rtf = "{\\rt" nocase
	import "math"

	rule example {
	meta:
	author = "David Cannings"
	description = "Rule example - finding a chunk of code near other known code"

	strings:
	$chunk = { AA BB CC DD }
	$chunk_prologue = { 11 22 33 44 }
	/*

	Original rule from: https://gist.github.com/g-les/0745a9d6cd7f4abb3083a8dee1eaf984

	Two variations on the original rule by @greglesnewich.

	Conversation on Twitter at: https://twitter.com/edeca/status/1477650229709225990

	*/
	import socket
	import hashlib
	import struct

	import time



	class IdUid:
	def __init__(self):
	// https://github.com/NozomiNetworks/upx-recovery-tool
	rule UPX_nozomi_x86
	{
	strings: $sig = { 50 e8 ?? ?? 00 00 eb 5a 58 59 97 60 8a 54 24 20 e9 ?? ?? 00 00 60 8b 74 24 24 8b 7c 24 2c 83 cd}
	condition: any of them
	}

	rule UPX_nozomi_x64
	{
	strings:
	/*
	Goals for #100DaysofYARA:

	better understanding of bitwise operators
	use math module beyond general entropy of a section / resource
	position specific things beyond what PE module tells us
	do some funky stuff with hashing


	*/
	rule general_win_runkey_casing_anomaly : General
	{
	meta:
	author = "threatintel@volexity.com"
	description = "Looks for files containing to a reference to the HKCU run key where the reference uses unusual casing."
	date = "2021-08-03"
	hash1 = "c20997c72508bc7340f4ec99fe9eb4f1ccde518e81bda66e7c86632f0748bffa"
	memory_suitable = 0

	strings:
	import "math"

	rule general_vba_high_entropy_function_names : General
	{
	meta:
	author = "threatintel@volexity.com"
	description = "Looks for VBA files containing function names that have been randomized based on their entropy."
	date = "2022-03-14"
	hash1 = "c2badcdfa9b7ece00f245990bb85fb6645c05b155b77deaf2bb7a2a0aacbe49"
	memory_suitable = 0
	// Add as an alias like:
	// alias entropy=yara /path/to/entropy.yar $*

	// Usage:
	// entropy file.bin

	import "console"
	import "math"

	rule entropy