Yara

Author: Nils Kuhnert, CERT-Bund; Fabien Bloume, StrangeBee
License: AGPL-V3
Version: 3.0
Supported observable types:
- file
Registration required: N/A
Subscription required: N/A
Free subscription: N/A
Third party service: N/A

Description

Check files against YARA rules loaded either from the local filesystem or from one or more GitHub repositories. NOTE: execution time grows with the number of rules checked, so large rule sets can make the analysis noticeably slower.

Configuration

rules
  Description: path to a folder on the local filesystem containing the YARA rules to check files against
  Default value if not configured: N/A
  Type of the configuration item: string
  The configuration item can contain multiple values: True
  Is required: False

github_urls
  Description: GitHub URLs to get rules from. Expected format: https://github.com/owner/repo/tree/main or https://github.com/owner/repo/tree/main/subdir
  Default value if not configured: N/A
  Type of the configuration item: string
  The configuration item can contain multiple values: True
  Is required: False

github_token
  Description: GitHub personal access token used when fetching rules from the repositories listed in github_urls
  Default value if not configured: N/A
  Type of the configuration item: string
  The configuration item can contain multiple values: False
  Is required: False

files_limit
  Description: upper bound on the number of YARA rule files downloaded or tested against the file. Adjust with care, as raising it increases analysis time and resource usage on your Cortex instance.
  Default value if not configured: 400
  Type of the configuration item: number
  The configuration item can contain multiple values: False
  Is required: False
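The following is an added example, not the analyzer's own code, showing what the github_urls contract above implies in practice: how a URL of the documented form https://github.com/owner/repo/tree/main[/subdir] decomposes into owner, repository, branch and subdirectory, how those map onto the GitHub contents API request used to list rule files (with github_token sent as a bearer token when present), and how files_limit caps the set of rule files before anything is compiled. Function names, the GitHubSource class and the .yar/.yara extension filter are assumptions for illustration, not identifiers from the analyzer; the sample inputs are constructed.

```python
"""Illustrative helpers for the Yara analyzer's configuration contract.

Added example (not the analyzer's code). Names of functions, the dataclass
and the extension filter are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# File extensions conventionally used for YARA rules (assumption).
RULE_EXTENSIONS = (".yar", ".yara")

# Matches exactly the documented format:
#   https://github.com/owner/repo/tree/<branch>            or
#   https://github.com/owner/repo/tree/<branch>/<subdir>
# Anything else (no /tree/, plain http, another host) is rejected.
_TREE_URL = re.compile(
    r"^https://github\.com/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)"
    r"/tree/(?P<ref>[^/]+)(?:/(?P<subdir>.+?))?/?$"
)


@dataclass(frozen=True)
class GitHubSource:
    owner: str
    repo: str
    ref: str
    subdir: str = ""

    def api_contents_url(self) -> str:
        """GitHub REST 'contents' endpoint listing the directory at this ref."""
        path = f"/{self.subdir}" if self.subdir else ""
        return (
            f"https://api.github.com/repos/{self.owner}/{self.repo}"
            f"/contents{path}?ref={self.ref}"
        )


def parse_github_url(url: str) -> GitHubSource:
    """Split a github_urls entry into its parts, rejecting other URL shapes."""
    m = _TREE_URL.match(url.strip())
    if not m:
        raise ValueError(
            "expected https://github.com/owner/repo/tree/branch[/subdir], "
            f"got {url!r}"
        )
    return GitHubSource(m["owner"], m["repo"], m["ref"], m["subdir"] or "")


def auth_headers(token: Optional[str]) -> Dict[str, str]:
    """Request headers for the contents API; anonymous when no token is set."""
    headers = {"Accept": "application/vnd.github+json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    return headers


def select_rule_files(paths: Iterable[str], files_limit: int = 400) -> List[str]:
    """Keep only rule files, in deterministic order, capped at files_limit.

    Sorting before truncating makes the subset stable across runs, so a
    limit that is too low drops the same rules every time rather than a
    random selection.
    """
    if files_limit < 1:
        raise ValueError("files_limit must be a positive number")
    rule_files = sorted(p for p in paths if p.lower().endswith(RULE_EXTENSIONS))
    return rule_files[:files_limit]


if __name__ == "__main__":
    # Constructed sample inputs mirroring the two documented URL forms.
    for url in ("https://github.com/owner/repo/tree/main",
                "https://github.com/owner/repo/tree/main/subdir"):
        src = parse_github_url(url)
        print(url, "->", src.api_contents_url())
    # Constructed directory listing; only the rule files survive the cap.
    listing = ["b.yar", "a.YARA", "README.md", "c.yar", "d.yara"]
    print(select_rule_files(listing, files_limit=3))
```

A branch name that itself contains a slash cannot be told apart from a subdirectory in this URL format, so such branches should be avoided when pointing github_urls at a repository. The cap applied by select_rule_files is the same trade-off the files_limit setting describes: a lower value keeps analysis time bounded at the cost of silently ignoring rules beyond the limit.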

Template samples for TheHive

No template samples to display.