In the third post of the Know Your YARA Rules series, we will look at the last release of the YARA tool and reasons why it is a good idea to be up to date about new versions of this open-source project.
We will tell you about the interesting new features, important fixes, and extra tips on how to keep up with all the changes.
Motivation
Recently, a new release candidate (pre-release) was announced with an exciting list of changes in the YARA tool. We decided to investigate this more closely and explain why you may find the YARA releases and pre-releases valuable to your work.
Note that even though this is not an official release yet, the changes can appear on VirusTotal in advance.
Bug fixes
As with any software, YARA has occasional bugs and unsolved issues. Luckily, an active community is working strenuously to fix every problem that arises as soon as possible. Because the project is open source; you can check every change and fix and test it before updating your YARA. Every release has a transparent list of changes, so you know what to expect with each update.
In the last release candidate, a few changes can change the evaluation of your rules. Namely, there were fixes for matching of regexes marked as “ascii wide”, matching rules with – -fast-scan option, and computation of the imphash function in the PE module.
It is good that these issues were fixed but be prepared that your rules can behave differently based on the version of YARA you are using.
New features
New features are always exciting. At Gen, we use rules that others have created, and we are also constantly working on providing them to the community. In this pre-release, we have two changes from our team.
@TommYDeeee exposed the RVA function in its raw form via pe.export_details[] before it is turned into offset via RVA->offset calculation. You can use such as:
import "pe"
rule test {
condition:
pe.number_of_resources == 1 and
pe.export_details[0].rva == 0x106c and
pe.resources[0].length == 888
}Code language: CSS (css)@regeciovad also added a new warning about the performance issues while scanning that can help you improve your rules’ performance.
$ cat rule.yar
rule rule_com {
strings:
$com = /.{1,2}\.com/
condition:
$com
}
$ ./yara rule.yar top-1m.csv
warning: rule "rule_com": scanning with string $com is taking a very long time, it is either too general or very common.
rule_com top-1m.csvCode language: PHP (php)Our goal was to create a deterministic way to detect potentially slow scanning due to a lower quality of rules. We came up with additional checks that indicate that the rule uses very general or common strings, leading to slow scanning. For more tips, visit our previous post about YARA’s performance.
LNK module
A new module for Windows Shell Link (LNK) file format was part of the candidate release created by @BitsOfBinary. This change was reverted due to some open issues (see the discussion here for more details: https://github.com/VirusTotal/yara/pull/1957). Even though we need to wait a little longer for this module, we welcome the initiative as we believe the modules are the future of YARA. We plan more posts about the existing modules (and possibly even planned ones), so stay tuned.
The improved performance
The second feature we are excited about was created by user @secDre4mer. While using a large ruleset, they noticed that the condition evaluation takes up a lot of time (the bytecode evaluation) and came up with a helpful optimalization.
If the rule requires a string match and YARA does not find any match in the specific input, the condition evaluation part can be skipped entirely because the rule will always be false in the end.
We are currently testing this improvement and we are excited to use it in our internal version of YARA.
Keep up with the changes
Life can get busy, and we understand that keeping up with the news about YARA can be challenging. If you are reading this blog post, you are most likely well-informed. However, you may still benefit from checking these extra resources that provide great updates and information about YARA rules. Twitter (or X) is still a good resource, and we recommend following these profiles:
Contribute
We already emphasized the benefit of YARA being an open-source project, but we also encourage you to contribute to the YARA project. Reporting issues, discussing ideas, or even creating your own changes moves the whole community forward.
There is a very promising new project YARA-X that can change the YARA world completely. We plan to dedicate a whole post of our series to this new project. For now, if you are interested in YARA development, you should start to watch this project and learn something about Rust if you are not familiar with that programming language.
Stay tuned for more updates about this project and more topics.
Conclusion
YARA is an open project with a very active community that continually improves the tool and fixes issues as soon as possible. From time to time, we recommend checking the latest changes and evaluating if you would benefit from updating your version of this tool (even though, in most cases, the answer is yes).
As we looked at the last pre-release, there are several interesting changes, and even more exciting things are coming.
And that is all for today! We wish you happy YARA rules writing!