YARA Reference

The reference covers six categories: Strings (text and hex string definitions with nocase, wide, ascii, fullword modifiers), Conditions (boolean logic, occurrence counting, offset conditions, set operations like any of them and N-of-M), Modules (PE for Windows executables, ELF for Linux binaries, math for entropy, hash for MD5/SHA verification), Metadata (author, description, date, reference fields), Regex (regular expression patterns with /i and /s flags), and Execution (yara CLI commands for scanning files and directories).

nocase makes string matching case-insensitive, so "Malware" matches "malware", "MALWARE", etc. wide matches UTF-16 encoded strings (common in Windows), where each ASCII character is followed by a null byte. ascii matches standard single-byte strings. You can combine ascii wide to match both encodings. fullword ensures the string appears as a complete word — "domain" with fullword matches "domain.com" but not "subdomain" because the string must be bounded by non-alphanumeric characters or file boundaries.

Use the math module to check entropy: import "math" and then set the condition to math.entropy(0, filesize) > 7.0. Files with entropy above 7.0 (on a scale of 0-8) are likely compressed, packed, or encrypted, as their byte distribution is nearly random. You can also combine this with PE module checks: pe.number_of_sections > 5 or checking for unusual section names, which are common indicators of packing. For specific packers, match their characteristic byte signatures using hex strings.

"any of them" matches if any of the strings defined in the rule are found in the target file. This is useful when a malware family uses different variants of command strings. "all of them" requires every defined string to be present. You can use wildcards: "all of ($a*)" requires all strings starting with $a. For more precise control, "2 of ($a, $b, $c)" requires at least 2 of the 3 specified strings to match. These set operations are essential for writing rules that detect malware families with variable indicators.

Define hex strings with curly braces: $hex = { 4D 5A 90 00 } matches the exact byte sequence (in this case, a standard MZ/PE header). You can use wildcards: { 4D 5A ?? 00 } where ?? matches any single byte. Jumps are specified with brackets: { 4D 5A [2-4] 00 } matches 2 to 4 arbitrary bytes between 4D 5A and 00. Alternatives use parentheses: { (4D 5A | 7F 45) } matches either MZ or ELF headers. These features make hex strings powerful for matching binary signatures that have minor variations across samples.

YARA modules extend rule capabilities beyond simple string matching. This reference covers four modules: pe (analyzes Windows PE files — section count, imports, exports, timestamps, resources), elf (analyzes Linux ELF binaries — file type ET_EXEC/ET_DYN, sections, symbols), math (mathematical functions — entropy calculation for detecting packed/encrypted content), and hash (cryptographic hashes — verify MD5, SHA1, SHA256 of files or file regions). Modules are loaded with import "module_name" and their functions/properties are used in the condition section.

Basic scan: yara rules.yar target.exe applies rules to a single file. Recursive directory scan: yara -r rules.yar /path/to/directory/ scans all files in the directory tree. Show matched strings with offsets: yara -s rules.yar target.exe displays which strings matched and where. Count-only mode: yara -c rules.yar target.exe outputs just the rule name and match count. You can combine flags: yara -r -s rules.yar /samples/ recursively scans and shows matched strings for all files.

No. The entire YARA reference dataset is embedded in the page and rendered client-side. Searching, filtering by category (Strings, Conditions, Modules, Metadata, Regex, Execution), and browsing entries all happen within your browser using JavaScript. No YARA rules, file data, or search queries are transmitted to any server.