How to run Yara Rules during Incident Response

Forensic Labs
Jun 3, 2018


A core part of intelligence-driven incident response is searching for relevant indicators across a compromised network. Yara is a popular choice for scanning the contents of files (as opposed to something like OpenIOC, which is typically used to search metadata such as file names, hashes and registry keys rather than file content).

But there are a number of ways to run Yara rules during incident response, beyond just the default Yara build.

We’ve built a platform to automate incident response and forensics in AWS — you can grab a free trial here. You can also download a free playbook we’ve written on how to respond to security incidents in AWS.

Vanilla Yara

You can download Yara compiled for Windows here (later releases are listed on this page; search for “windows binaries” in your browser to find the latest download link). If the binary complains about a missing runtime DLL when you run it, install the Microsoft Visual C++ 2010 Redistributable Package.

On Debian based systems such as Ubuntu, you can install Yara with:

apt-get install yara

On a Mac, you can run:

brew install yara

You can then run a rule file against a mounted disk image or directory; -r makes the scan recursive, e.g.:

yara -r yara.rules /mnt/mounted

You can download a large set of Yara rules here, and there is an excellent guide on how to write your own Yara rules here.

You may want to compile the rules with yarac, partly for speed (the compiled rule set is loaded with the -C / --compiled-rules option of yara) but also so that the plain-text rules are not left on the host being scanned, where an attacker could read them. Note, however, that the rules can still be dumped from the memory of the scanning process.

ClamAV

ClamAV now has the ability to run (most) Yara signatures, in addition to its own signature format. Only a subset of the Yara language is supported, so rules that rely on modules or external variables may fail to load.

ClamAV can be installed on Debian based systems with:

apt-get install clamav

Or on Red Hat based systems:

yum install clamav

Or downloaded directly for Windows.

You can then run Yara rules with:

clamscan -d yara.yar -r /mnt

to scan all files under /mnt recursively. ClamAV chooses the signature parser by file extension, so the rule file must end in .yar or .yara; a file named yara.rule would not be loaded as Yara.

ClamAV supports a number of command line parameters that can be useful when scanning during incident response.

For example, --max-filesize= sets the largest file that will be scanned; anything bigger is skipped, so choose the limit deliberately or a large dropped archive may be silently missed. The related --max-scansize= caps the amount of data extracted from archives.

Other Tools

There are a number of host-agent style tools that now allow you to scan systems with Yara. osquery (through its yara table) and Yara-Endpoint are two good options, and there are many commercial solutions too.

C and Python Bindings

There are also C (libyara) and Python (yara-python) bindings that let you write your own tools to scan systems with Yara.
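The workflow above (turn case indicators into a rule file, then scan a tree the way yara -r does) as an added Python example; it is not code from the original post or from the YARA project. It builds a rule from a constructed indicator list with correct string escaping, scans constructed sample files with a small reference matcher for the rule's ascii wide text strings and ??-wildcard hex strings, and, when yara-python happens to be installed, cross-checks its result against the real engine. The rule name, indicators and sample files are all assumptions made for the example.

```python
"""Build a YARA rule from IR indicators and scan a directory tree.

Added example, not from the original post or the YARA project. The
indicator list and sample files are constructed here; yara-python is
optional and only used to cross-check the pure-Python reference matcher.
"""
import os
import re
import tempfile

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,127}")  # YARA identifier rules


def yara_text_string(value):
    """Quote a text indicator as a YARA string literal, escaping \\ " \\n \\t."""
    escaped = (value.replace("\\", "\\\\").replace('"', '\\"')
                    .replace("\n", "\\n").replace("\t", "\\t"))
    return '"' + escaped + '"'


def build_rule(name, strings, hex_patterns, meta):
    """Return rule source: text strings get 'ascii wide', hex strings go in verbatim."""
    if not IDENT.fullmatch(name):
        raise ValueError(f"invalid rule identifier: {name!r}")
    lines = [f"rule {name}", "{", "    meta:"]
    for key, value in meta.items():
        lines.append(f"        {key} = {yara_text_string(str(value))}")
    lines.append("    strings:")
    for i, s in enumerate(strings):
        lines.append(f"        $s{i} = {yara_text_string(s)} ascii wide")
    for i, h in enumerate(hex_patterns):
        lines.append(f"        $h{i} = {{ {h} }}")
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines) + "\n"


def hex_to_regex(pattern):
    """Translate a YARA hex string such as '4D 5A ?? 00' into a bytes regex."""
    return b"".join(b"." if tok == "??" else re.escape(bytes.fromhex(tok))
                    for tok in pattern.split())


def match_indicators(data, strings, hex_patterns):
    """Reference matcher for the generated rule; returns the $-identifiers that hit."""
    hits = []
    for i, s in enumerate(strings):
        # 'ascii wide': the plain bytes, or the UTF-16LE form YARA's wide modifier matches
        if s.encode() in data or s.encode("utf-16-le") in data:
            hits.append(f"$s{i}")
    for i, h in enumerate(hex_patterns):
        if re.search(hex_to_regex(h), data, re.DOTALL):
            hits.append(f"$h{i}")
    return hits


def scan_tree(root, strings, hex_patterns):
    """Walk root like 'yara -r' and map each matching file (relative path) to its hits."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                hits = match_indicators(fh.read(), strings, hex_patterns)
            if hits:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return results


def demo():
    """Generate a rule for assumed indicators and scan constructed sample files."""
    strings = ['cmd.exe /c "whoami"', "evil-c2.example"]  # assumed IOCs
    hexes = ["4D 5A ?? 00 50 45"]                          # assumed IOC
    rule = build_rule("ir_case_1234", strings, hexes,
                      {"author": "ir-team", "case": "1234"})
    samples = {                                            # constructed files
        "a.txt": b'run: cmd.exe /c "whoami"\n',
        "sub/b.bin": b"\x4d\x5a\x90\x00\x50\x45\x00\x00",
        "sub/c.txt": "evil-c2.example".encode("utf-16-le"),
        "clean.txt": b"nothing of interest",
    }
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sub"))
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        results = scan_tree(root, strings, hexes)
        try:
            import yara  # yara-python, optional: cross-check against the real engine
            compiled = yara.compile(source=rule)
            engine = {rel for rel in samples if compiled.match(os.path.join(root, rel))}
            assert engine == set(results), "reference matcher disagrees with yara"
        except ImportError:
            pass
    return rule, results


if __name__ == "__main__":
    rule_text, hits = demo()
    print(rule_text)
    for path, ids in sorted(hits.items()):
        print(path, ids)
```

Note that the rule file is kept out of the tree being scanned: a rule that contains the indicators as plain strings will otherwise match itself. The reference matcher is deliberately minimal (no nocase, no fullword, no jumps in hex strings); it exists to make the rule semantics visible, and in real use you would hand the generated rule to yara, yarac or yara-python instead.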

Scanning Memory with Yara

You can scan the memory of systems with Yara using CrowdResponse or Google Rapid Response (GRR). Vanilla Yara can also scan a single live process if you pass a process ID in place of a file or directory as the target.

We’ve created a new tool to automate investigating and responding to security incidents in AWS and Azure — you can get a free trial here.

