Frequently Asked Questions (FAQ)
Have questions? I hope they get answered here! If not, please do not hesitate to contact us through the Spamhaus Technology contact form:
https://www.spamhaus.com/contact-us-abuse-ch/
How does YARAify work?
YARAify is a platform which allows IT security researchers to scan files against a large set of public and non-public YARA rules. Such files could be suspicious files obtained e.g. by email, unpacked samples or suspicious process dumps. YARAify features a large set of public YARA rules; however, it also includes non-public rules from Malpedia. In order to see matches of non-public YARA rules from Malpedia, you need to have a Malpedia account and link your Malpedia API key with your YARAify account.
You may scan files through the web UI or the extensive API. When doing so, you can choose whether you also want to scan the file with ClamAV and/or unpack it (available for PE executables / DLL files only). You may also indicate whether you want to share the sample with the community.
You can set up custom live hunting rules. Whenever a new file observed on YARAify matches your hunting rule, you will be notified either by email or via Pushover. You may also deploy your own YARA rules. However, to do so, you need to authenticate with your Twitter account first.
YARAhub Rule Guidelines
Before you deploy your own YARA rules on YARAhub, we strongly recommend that you read through this FAQ carefully. It not only describes the optional and mandatory YARA meta fields YARAhub interprets but also how you can keep control over your YARA rule, i.e. if and under which circumstances it should be shared.
The table below documents all optional and mandatory YARA meta fields which YARAhub will interpret:
meta field | Required? | Comment | Sample value |
---|---|---|---|
author | No | Name of the YARA rule author | John Doe |
description | No | Short description of the YARA rule | Detects holes in Swiss cheese |
date | Yes | Date when the YARA rule has been written. Format: YYYY-MM-DD | 2022-04-26 |
yarahub_author_twitter | No | Twitter handle of the YARA rule author | @abuse_ch |
yarahub_author_email | No | Email address of the YARA rule author | we-love-yarahub@abuse.ch |
yarahub_reference_link | No | Online reference (hyperlink) for this YARA rule | https://abuse.ch/yara-is-so-cool/ |
yarahub_reference_md5 | Yes | MD5 hash of a sample (file) that should match this YARA rule | 68b329da9893e34099c7d8ad5cb9c940 |
yarahub_uuid | Yes | A unique UUID 4 identifying this YARA rule | d670e181-b424-4707-928e-97601834cc8b |
yarahub_license | Yes | Creative Commons license under which you want to share your YARA rule. Please choose one of the possible values listed in the table below. | CC0 1.0 |
yarahub_rule_matching_tlp | Yes | This TLP defines whether YARA matches of this rule should be publicly visible or not | TLP:WHITE |
yarahub_rule_sharing_tlp | Yes | This TLP defines whether the YARA rule itself should be shared or not | TLP:WHITE |
malpedia_family | No | Malware family name using the Malpedia naming scheme | win.emotet |

Possible values for yarahub_license:

Value | Description |
---|---|
CC0 1.0 | Public domain, no copyright |
CC BY 4.0 | Attribution required |
CC BY-SA 4.0 | Attribution required, share alike |
CC BY-ND 4.0 | Attribution required, no derivatives |
CC BY-NC 4.0 | Attribution required, no commercial |
CC BY-NC-SA 4.0 | Attribution required, no commercial, share alike |
CC BY-NC-ND 4.0 | Attribution required, no commercial, no derivatives |
Here's an example of how the meta information of a YARA rule may look:

```yara
rule test_rule_YARAify {
    meta:
        author = "John Doe - Big Data and Machine Learning Cyber Threat Company LLC"
        description = "Detects holes in Swiss cheese"
        date = "2022-04-26"
        yarahub_author_twitter = "@abuse_ch"
        yarahub_author_email = "we-love-yarahub@abuse.ch"
        yarahub_reference_link = "https://abuse.ch/yara-is-so-cool/"
        yarahub_reference_md5 = "68b329da9893e34099c7d8ad5cb9c940"
        yarahub_uuid = "bcbf6764-19ae-44f1-adb1-db0d23c100fb"
        yarahub_license = "CC0 1.0"
        yarahub_rule_matching_tlp = "TLP:WHITE"
        yarahub_rule_sharing_tlp = "TLP:GREEN"
        malpedia_family = "win.emotet"
    strings:
        [...]
    condition:
        [...]
}
```
A few general comments on writing & submitting YARA rules to YARAhub:
- Malpedia family: When writing YARA rules, we recommend that you include the corresponding malware family name from Malpedia whenever possible.
- Sharing is caring: If you don't want to make your YARA rule available to the public, that's fine. However, we want to encourage you to make at least the matches of your YARA rule available to the community. In this case, we suggest setting the meta fields as follows:
  - yarahub_rule_matching_tlp: TLP:WHITE
  - yarahub_rule_sharing_tlp: TLP:GREEN (or TLP:AMBER or TLP:RED)
  - yarahub_license: CC0 1.0
- TLP scope: If you choose yarahub_rule_matching_tlp: TLP:WHITE, all meta fields of your YARA rule will be visible to the public, no matter what TLP classification you choose for yarahub_rule_sharing_tlp. If you want to avoid that anything of your YARA rule (including the rule's content and any matches) is shown in public, please choose a value other than TLP:WHITE for yarahub_rule_matching_tlp. This will turn your YARA rule into a silent hunting rule. Further information on the TLP classification is available in the "What is TLP?" section below.
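As an added example (not code from YARAify or abuse.ch), here is a small Python pre-submission check that applies the requirements from the meta field table and the TLP scope rule from the list above: it parses a rule's meta block, checks the mandatory fields, the date format, MD5 and UUID 4 syntax and the allowed license and TLP values, and reports whether the rule will hunt publicly or silently. The sample rule is constructed, and `parse_meta` assumes one string-valued meta entry per line.

```python
import re
# Allowed values taken from the YARAhub meta field table above.
LICENSES = {"CC0 1.0", "CC BY 4.0", "CC BY-SA 4.0", "CC BY-ND 4.0",
            "CC BY-NC 4.0", "CC BY-NC-SA 4.0", "CC BY-NC-ND 4.0"}
TLPS = {"TLP:WHITE", "TLP:GREEN", "TLP:AMBER", "TLP:RED"}

def parse_meta(rule_text):
    """Collect the key = "value" pairs of a rule's meta: block (one string entry per line)."""
    meta, in_meta = {}, False
    for line in rule_text.splitlines():
        s = line.strip()
        if s == "meta:":
            in_meta = True
        elif in_meta and s in ("strings:", "condition:"):
            break
        elif in_meta and (kv := re.fullmatch(r'(\w+)\s*=\s*"(.*)"', s)):
            meta[kv.group(1)] = kv.group(2)
    return meta

# The six mandatory fields, each with the format check the table implies.
REQUIRED = {
    "date": (lambda v: re.fullmatch(r"\d{4}-\d{2}-\d{2}", v), "date must be YYYY-MM-DD"),
    "yarahub_reference_md5": (lambda v: re.fullmatch(r"[0-9a-fA-F]{32}", v), "yarahub_reference_md5 must be an MD5 hash"),
    "yarahub_uuid": (lambda v: re.fullmatch(r"[\da-f]{8}-[\da-f]{4}-4[\da-f]{3}-[89ab][\da-f]{3}-[\da-f]{12}", v, re.I), "yarahub_uuid must be a version 4 UUID"),
    "yarahub_license": (LICENSES.__contains__, "yarahub_license must be one of the listed CC licenses"),
    "yarahub_rule_matching_tlp": (TLPS.__contains__, "yarahub_rule_matching_tlp must be a TLP value"),
    "yarahub_rule_sharing_tlp": (TLPS.__contains__, "yarahub_rule_sharing_tlp must be a TLP value"),
}

def validate_meta(meta):
    """Return the guideline violations; an empty list means the meta block can be submitted."""
    problems = ["missing required field " + f for f in sorted(REQUIRED) if f not in meta]
    problems += [msg for f, (ok, msg) in REQUIRED.items() if f in meta and not ok(meta[f])]
    return problems

# TLP scope rule: TLP:WHITE matching exposes matches and every meta field; anything else hunts silently.
def visibility(meta):
    return "public" if meta.get("yarahub_rule_matching_tlp") == "TLP:WHITE" else "silent"

# Constructed sample rule (not a real YARAhub submission); the condition is a placeholder.
SAMPLE_RULE = """rule sample_rule {
    meta:
        date = "2022-04-26"
        yarahub_reference_md5 = "68b329da9893e34099c7d8ad5cb9c940"
        yarahub_uuid = "bcbf6764-19ae-44f1-adb1-db0d23c100fb"
        yarahub_license = "CC0 1.0"
        yarahub_rule_matching_tlp = "TLP:WHITE"
        yarahub_rule_sharing_tlp = "TLP:GREEN"
    condition: true
}"""
```

Running `validate_meta(parse_meta(SAMPLE_RULE))` on the sample returns an empty list, while a rule with a wrongly formatted date or a missing UUID gets one message per violation.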
What is TLP?
The Traffic Light Protocol (TLP) defines the sharing policy of a piece of information. YARAify uses TLP to give the author of a YARA rule on YARAhub the possibility to define if and how the YARA rule (yarahub_rule_sharing_tlp) and/or the corresponding YARA rule matches (yarahub_rule_matching_tlp) should be shared. YARAify uses the TLP definition from the Forum of Incident Response and Security Teams (first.org). Below is a short summary of how YARAify handles YARA rules under the different TLP classifications.
TLP classification | Meaning |
---|---|
TLP:WHITE | Matching files and/or the YARA rule itself are publicly accessible and shared with anyone. |
TLP:GREEN | Matching files and/or the YARA rule itself are not public. However, they might be accessible and shared within the abuse.ch ecosystem (e.g. MalwareBazaar) along with vendors (taking yarahub_license into account), excluding authenticated YARAify users. |
TLP:AMBER | Matching files and/or the YARA rule itself are not public. They are used within the abuse.ch ecosystem exclusively. |
TLP:RED | Matching files and/or the YARA rule itself are not public. They are exclusively used within YARAify. |
We recommend that you set yarahub_rule_matching_tlp to TLP:WHITE. If you don't want to share your YARA rule in public, we recommend using TLP:GREEN or TLP:AMBER for yarahub_rule_sharing_tlp. We would like to encourage you not to use TLP:RED. Please also note that even if you share your YARA rule in public, it doesn't necessarily mean that vendors or 3rd parties can use your rule in a commercial manner. There is a dedicated meta field called yarahub_license with which you can set the license type of your YARA rule (using Creative Commons).
Can I use data from YARAify commercially?
Yes! You can use any data provided by YARAify for commercial and non-commercial purposes, for free. This includes reselling or integration into commercial products. Please take note that YARA rules have a separate license agreement. You are obliged to respect the license agreement chosen by the author of the YARA rule.
Terms of Service (ToS)
By using the website of YARAify or any of its services / datasets, you agree that:
- All datasets offered by YARAify can be used for both commercial and non-commercial purposes for free without any limitations (CC0)
- Any data offered by YARAify is served as is on a best-effort basis with no warranty
- YARAify cannot be held liable for any false positives or damage caused by the use of the website or the datasets provided
- Any submission to YARAify will be treated and shared under TLP:WHITE and under Creative Commons No Rights Reserved (CC0)