Create a YARA rule

Learn how to add custom YARA rules to your environment.

Add YARA rules via Stairwell UI

Add a YARA rule to your environment using the Stairwell platform user interface.

  1. Log in to Stairwell
  2. Select the Environment for which you want to create YARA rules by using the top-left environment selector
  3. Click on Rules on the sidebar navigation
  4. Click on + New Rule, located on the top right underneath the query bar
  5. In the editor that appears on the right, create a YARA rule
  6. (Optional) Test your rule.
    1. Click Test Scan after you finish writing your new YARA rule
    2. (Optional) Enter the MD5, SHA-1, or SHA-256 hashes of the files you would like to test your rule against
    3. (Optional) Click Scan to check whether your new YARA rule matches those files
  7. Click Create to save your YARA rule

Add YARA rules via Stairwell Swell CLI

The upload command of the Swell command line utility uploads YARA rules into your environment.

Command:

./swell yara upload

Flags:

--attempts _int_

By default, Swell makes 5 attempts when uploading a new rule. Use this flag to raise the number of attempts if transient errors persist.

-f, --file _string_

Uploads the rules listed in a single .txt file, where each entry is the location of a .yar file you wish to upload to your environment.

-h, --help

Prints the available upload flags from within Swell.

--qps_limit _int_

Sets the number of queries per second. The default is 1. A higher value speeds up your upload but increases the load on your host.

-r, --recursive

Tells Swell to descend into all subfolders of the given folder. This is useful if, for example, you keep your rules in a single "YARA Rule" folder that is subdivided into folders by rule type.

--replace_existing_rules

If you upload a rule with the same name as one already in your environment, this flag replaces the existing rule with the new one. Without this flag, a rule with a duplicate name will not upload.

Examples:

Upload a specific YARA rule file:

./swell yara upload --environment_id _yourenvironmentid_ "_filepath_"

Upload a specific YARA rule file and overwrite an existing rule with the same name:

./swell yara upload --environment_id _yourenvironmentid_ --replace_existing_rules "_filepath_"

Upload YARA rule files within a single folder:

./swell yara upload --environment_id _yourenvironmentid_ "_folderpath_"

Upload YARA rule files within multiple folders, within a folder (recursive):

./swell yara upload -r --environment_id _yourenvironmentid_ "_mainfolderpath_"
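The following script is an added example (not part of the Stairwell documentation or the Swell tool) that builds the list file consumed by -f from a folder tree, applies a cheap sanity filter so files with no rule declaration are not sent, and composes the upload command from the flags described above so it can be reviewed before it runs. It assumes the list file holds one .yar path per line and that the Swell binary is at $SWELL (default ./swell); neither assumption comes from the page.

```shell
#!/bin/sh
# Added example: batch-upload YARA rules with the Swell CLI via a manifest file.
# Assumptions (not from the page): the -f list file holds one .yar path per line,
# and the Swell binary is at $SWELL (default ./swell).
SWELL="${SWELL:-./swell}"

# Write a manifest listing every .yar/.yara file below $1 into $2.
# Files with no 'rule' declaration are skipped as a lightweight sanity filter
# (this is a text check, not a YARA compiler). Prints the number of files listed.
build_rule_manifest() {
    dir="$1"; manifest="$2"
    : > "$manifest"
    find "$dir" -type f \( -name '*.yar' -o -name '*.yara' \) | sort | while IFS= read -r f; do
        if grep -Eq '^[[:space:]]*((private|global)[[:space:]]+)*rule[[:space:]]+[A-Za-z_]' "$f"; then
            printf '%s\n' "$f" >> "$manifest"
        else
            printf 'skipping %s: no rule declaration found\n' "$f" >&2
        fi
    done
    wc -l < "$manifest" | tr -d ' '
}

# Compose the upload command from the documented flags and print it, so the
# exact invocation can be inspected (or logged) before it is executed.
# $3 is "yes" to pass --replace_existing_rules, anything else to omit it.
swell_upload_cmd() {
    env_id="$1"; manifest="$2"; replace="${3:-no}"
    cmd="$SWELL yara upload --environment_id $env_id --attempts 5 --qps_limit 1 -f $manifest"
    if [ "$replace" = "yes" ]; then
        cmd="$cmd --replace_existing_rules"
    fi
    printf '%s\n' "$cmd"
}

# Usage: upload_rules <environment id> <rules folder> [yes|no]
upload_rules() {
    manifest="$(mktemp)"
    n="$(build_rule_manifest "$2" "$manifest")"
    [ "$n" -gt 0 ] || { echo "no rule files found under $2" >&2; return 1; }
    cmd="$(swell_upload_cmd "$1" "$manifest" "${3:-no}")"
    echo "uploading $n rule file(s): $cmd"
    eval "$cmd"
}
```

Run `upload_rules yourenvironmentid ./rules yes` to upload everything under ./rules and overwrite rules whose names already exist in the environment.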