YARA-CI

What's YARA-CI

YARA-CI helps you to keep your YARA rules in good shape. It can be integrated into any GitHub repository containing YARA rules, and it will run automated tests every time you make some change. The automated tests include:

  • Rules validation
  • Detection of false positives
  • Detection of false negatives

Rules validation

With YARA-CI you won’t submit invalid rules to your repository anymore. You will get a detailed report with the issues found, including warnings about potentially bad performance rules.

Detection of false positives

False positives are a common issue with YARA rules. If your rules are not properly designed they can detect files that you didn’t intend to detect, including widely distributed files belonging to popular operating systems or software packages.

YARA-CI helps you to detect poorly designed rules by scanning a corpus of more than 1 million files extracted from the National Reference Software Library, a collection of well-known, traceable files maintained by the U.S. Department of Homeland Security.

Detection of false negatives

It’s common practice to include the hashes of one or more files that match a YARA rule in its own metadata. This is a simple way to convey information about the files that were used to create the rule, or some examples of the kind of files the rule is intended to detect. This is an example:

rule Agent_BTZ_Proxy_DLL_1 {
   meta:
      description = "Detects Agent-BTZ Proxy DLL - activeds.dll"
      license = "https://creativecommons.org/licenses/by-nc/4.0/"
      author = "Florian Roth"
      reference = "http://www.intezer.com/new-variants-of-agent-btz-comrat-found/"
      date = "2017-08-07"
      hash1 = "9c163c3f2bd5c5181147c6f4cf2571160197de98f496d16b38c7dc46b5dc1426"
      hash2 = "628d316a983383ed716e3f827720915683a8876b54677878a7d2db376d117a24"
   strings:
      $s1 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Modules" fullword wide
   condition:
      ( uint16(0) == 0x5a4d and filesize < 300KB and all of them and pe.exports("Entry") )
}

For every hash mentioned in the metadata section of a rule, YARA-CI downloads the corresponding file from VirusTotal and checks the rule matches the file. The test will fail only if the file was found in VirusTotal and the rule does not match. If the file can’t be found the test is considered successful anyways.

YARA-CI extracts every string that looks like a SHA-256, SHA-1 or MD5 hash from metadata fields with names matching hash*, sha256*, sha1* or md5*. This behaviour can be fine-tuned as described in Configuration.