Frequently Asked Questions (FAQ)

Got a question? Hopefully, you’ll find the answer here! If not, please contact us using the contact form below, managed by our partner, Spamhaus:

https://www.spamhaus.com/contact-us-abuse-ch/

How does YARAify work? What impact does YARAify data have? What formats is YARAify data available in? YARAhub Rule Guidelines What is TLP? Can I use data from YARAify commercially? Terms of Services (ToS)

How does YARAify work?

YARAify is a platform which allows IT security researchers to scan files against a large set of public and non-public YARA rules. Such files could be suspicious files obtained e.g. by email, unpacked samples or suspicious process dumps. YARAify features a large set of public YARA rules. However, it also includes such from Malpedia. In order to see matches of non-public YARA rules from Malpedia, you need to have an Malpedia account and link your Malpedia API-key with your YARAify account.

You may scan files through the web UI or the extensive API. When doing so, you can choose whether you also want to scan the file with ClamAV and/or unpack it (available for PE executables / DLL files only). You may also indicate whether you want to share the sample with the community.

You can setup custom live hunting rules. Whenver a new file is observed on YARAify matching your hunting rule, you will get notify either by email or Pushover. You may also deploy your own YARA rules. However, to do so, you need to authenticate with your abuse.ch account first.

What impact does YARAify data have?

So far, over 110 million files have been scanned with YARAify. With this intelligence, as a community, we have:

Deployed 21'635 YARA rules, aiding security researchers to more efficiently detect, analyze and hunt malware-related threats with this vast volume of pattern-matching rules
Answered around 220 million API requests in 30 days, enabling other threat researchers (statistic from October 2024), providing real-time insights for threat hunting and mitigation
Assisted major law enforcement agencies in some of the biggest global takedown efforts, such as Operation Endgame

Your data is also contributing to the effectiveness and impact of Spamhaus’ datasets to enhance email and network protection while providing more context-rich data for threat hunting.

Read more about the impact of your contributions here.

What formats is YARAify data available in?

You can access data for files scanned on YARAify through a number of different methods:

Browse the YARAify database
Access via API
Real time feeds, provided by our partner, Spamhaus

Additionally, files scanned using YARAify influence Spamhaus’ Hash Dataset. The dataset includes cryptographic hashes linked to malicious content, used for protecting and/or filtering emails. This dataset is accessible through DNS Blocklists (DNSBLs).

YARAhub Rule Guidelines

Before you deploy your own YARA rules on YARAhub, we strongly recommend you to read through this FAQ carefully. It does not only describe what optional and mandatory YARA meta fields YARAhub interprets but also how you can keep control over your YARA rule, i.e. if and under which circumstances it should be shared.

The table below documents all optional and mandatory YARA meta fields which YARAhub will interpret:

meta field	Required?	Comment	Sample value
`author`	No	Name of the YARA rule author	John Doe
`description`	No	Short description of the YARA rule	Detects holes in Swiss cheese
`date`	Yes	Date when the YARA rule has been written. Format: `YYYY-MM-DD`	2022-04-26
`yarahub_author_twitter`	No	Twitter handle of the YARA rule author	@abuse_ch
`yarahub_author_email`	No	Email address of the YARA rule author	we-love-yarahub@abuse.ch
`yarahub_reference_link`	No	Online reference (hyperlink) for this YARA rule	https://abuse.ch/yara-is-so-cool/
`yarahub_reference_md5`	Yes	MD5 hash of a sample (file) that should match this YARA rule	68b329da9893e34099c7d8ad5cb9c940
`yarahub_uuid`	Yes	A unique UUID 4 identifying this YARA rule	cc480388-aeb6-4852-b800-c69e4457bd94
`yarahub_license`	Yes	Creative Commons license under which you want to share your YARA rule.	CC0 1.0
		Please choose from one of the possible values:
		Value	Description
		CC0 1.0	Public domain, no copyright
		CC BY 4.0	Attribution required
		CC BY-SA 4.0	Attribution required, share alike
		CC BY-ND 4.0	Attribution required, no derviatives
		CC BY-NC 4.0	Attribution required, no commercial
		CC BY-NC-SA 4.0	Attribution required, no commercial, share alike
		CC BY-NC-ND 4.0	Attribution required, no commercial, no derivatives
`yarahub_rule_matching_tlp`	Yes	This TLP defines whether YARA matches of this rule should be publicly visible or not	TLP:WHITE
`yarahub_rule_sharing_tlp`	Yes	This TLP defines whether the YARA rule itself should be shared or not	TLP:WHITE
`malpedia_family`	No	Malware family name using Malpedia naming scheme	win.emotet

Here's an example how the meta information of YARA rule may look like:

rule test_rule_YARAify {

  meta:
      author = "John Doe - Big Data and Machine Learning Cyber Threat Company LLC"
      description = "Detects holes in Swiss cheese"
      date = "2022-04-26"
      yarahub_author_twitter = "@abuse_ch"
      yarahub_author_email = "we-love-yarahub@abuse.ch"
      yarahub_reference_link = "https://abuse.ch/yara-is-so-cool/"
      yarahub_reference_md5 = "68b329da9893e34099c7d8ad5cb9c940"
      yarahub_uuid = "bcbf6764-19ae-44f1-adb1-db0d23c100fb"
      yarahub_license = "CC0 1.0"
      yarahub_rule_matching_tlp = "TLP:WHITE"
      yarahub_rule_sharing_tlp = "TLP:GREEN"
      malpedia_family = "win.emotet"

  strings:
    [...]

  condition:
    [...]
}

A few general comments on writing & submitting YARA rules to YARAhub:

Malpedia family: When writing YARA rules, we recommend you to include the corresponding malware family name from Malpedia whenever possible
Sharing is caring: If you don't want to make your YARA rule available to the public, that's fine. However, we want to encourange you to make at least the matches matching your YARA rule available to the community. In this case, we suggest to set the meta fields as follow:

yarahub_rule_matching_tlp: TLP:WHITE
yarahub_rule_sharing_tlp: TLP:GREEN (or TLP:AMBER or TLP:RED)
yarahub_license: CC0 1.0

TLP scope: If you choose yarahub_rule_matching_tlp: TLP:WHITE, all meta fields of your YARA rule will be visible to the public, no matter what TLP classification you choose for yarahub_rule_sharing_tlp. If you want to avoid that anything of your YARA rule (including the rule's content and any matches) is shown in public, please choose a different value than TLP:WHITE for yarahub_rule_matching_tlp. This will turn your YARA rule into a silent hunting rule. Further information on the TLP classification is available here

What is TLP?

The Traffic Light Protocol (TLP) defines the sharing policy of an information. YARAify is using TLP to provide an author of a YARA rule on YARAhub the posibility defining if and how the YARA rule (yarahub_rule_sharing_tlp) and/or the corresponding YARA rule matches (yarahub_rule_matching_tlp) should be shared. YARAiy is using TLP definition from the Forum of Incident Response and Security Teams (first.org). Below a short summary how YARAify will handle YARA rules under the different TLP classifications.

TLP classification	Meaning
TLP:WHITE	Matching files and/or the YARA rule itself is publicly accessible and being shared with anyone.
TLP:GREEN	Matching files and/or the YARA rule itself is not public. However, they might be accessible and being shared within the abuse.ch ecosystem (e.g. MalwareBazaar) along with vendors (while taking `yarahub_license` in account) excluding authenticated YARAify users.
TLP:AMBER	Matching files and/or the YARA rule itself is not public. It is used within the abuse.ch ecosystem exclusively.
TLP:RED	Matching files and/or the YARA rule itself is not public. It is exclusively being used within YARAify.

We recommend you to set yarahub_rule_matching_tlp to TLP:WHITE. If you don't want to share your YARA rule in public, we recommend you to use TLP:GREEN or TLP:AMBER for yarahub_rule_sharing_tlp. We would like to encourange you to not use TLP:RED. Please also note that even if you share your YARA rule in public, it doesn't necessarily mean that vendors or 3rd parties can use your rule in a commercial matter. There is a dedicated meta field called yarahub_license with which you can the license type of your YARA rule using (by using Creative Commons).

Can I use data from YARAify commercially?

Yes! You can use any data provided by YARAify for commercial and non-commercial purpose - for free. This includes reselling or ingeration into commercial products. Please take note that YARA rules have a separate license agreement. You are obliged to respect the license agreement chosen by the author of the YARA rule.

Terms of Services (ToS)

By using the website of YARAify or any of it's services / datasets, you agree that:

All datasets offered by YARAify can be used for both, commercial and non-commercial purpose for free without any limitations (CC0)
Any data offered by YARAify is served as it is on best effort with no warranty
YARAify can not be held liable for any false positives or damage caused by the use of the website or the datasets provided
Any submission to YARAify will be treated and shared under TLP:CLEAR and under Creative Commons No Rights Reserved (CC0)