What is a YARA Rule?

A Yara rule is like a recipe for identifying specific types of computer files, or patterns within files, that might be harmful or otherwise of interest. For example, a Yara rule might identify a specific string of code related to a particular ransomware strain. Conversely, a Yara rule may be used to identify files that warrant further investigation based on specific criteria, such as a file ending in .exe being found in the "Photos" folder, where executable files are rarely found. In this context, Yara is both a scanning framework and a language syntax that describes "signatures" of files to varying degrees of specificity.
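As an added illustration of the two degrees of specificity described above (constructed example rules, not rules from the Stairwell library; the strings and rule names are placeholders, not indicators of any real family). Plain Yara matches on file content, so the "file in the Photos folder" criterion, which depends on the file's location rather than its bytes, is not expressible here without an external variable supplied by the scanning platform:

```yara
// Narrow signature: a Windows executable that carries two constructed
// ransom-note markers. Both strings must be present, so benign files
// that merely mention "encrypted" do not match.
rule Example_RansomNote_Markers
{
    meta:
        description = "Constructed placeholder: PE with ransom-note markers"
        author      = "added example"
    strings:
        $note = "YOUR FILES HAVE BEEN ENCRYPTED" ascii wide nocase
        $ext  = ".locked" ascii wide
    condition:
        uint16(0) == 0x5A4D                     // "MZ" DOS header
        and uint32(uint32(0x3C)) == 0x00004550  // "PE\0\0" at e_lfanew
        and filesize < 5MB
        and $note and $ext
}

// Broad signature: any Windows executable at all, regardless of content.
// Useful only for triage (e.g. surfacing executables where none are
// expected); on its own it will match every PE file collected.
rule Example_Any_Executable
{
    meta:
        description = "Constructed placeholder: broad PE triage rule"
        author      = "added example"
    condition:
        uint16(0) == 0x5A4D
        and uint32(uint32(0x3C)) == 0x00004550
}
```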

In Stairwell, Yara rules are both a fully custom and a globally shared resource for detecting signatures related to malicious files. Customers can write their own Yara rules, which stay private within their environment, while also having access to thousands of public and licensed Yara rules. This shared library is composed of rules written by experts from around the globe and represents decades of threat hunting, reverse engineering, and detection refinement experience.

Every Yara rule, once activated, continuously performs two distinct but crucially important tasks, 24/7/365.

  1. Every new or newly activated rule is scanned across every file/object, past and present, in your environment. This means it scans every file collected, regardless of when it was collected or where it was collected from (even hosts that no longer exist).
  2. Every new file/object is scanned by every active Yara rule upon ingestion into your environment. This allows for an infinitely flexible way to evolve and improve detections in real time.

What’s Next

Dive deeper into how Yara rules are leveraged on the Stairwell platform.