Defining variables
Sometimes your YARA rules make use of external variables
that need to be defined while compiling the rules. If those variables are not
defined at compilation time YARA will raise an error. For example, if you have
a rule like the one below you may get an error because YARA can’t know the
type and value of my_external_variable.
rule my_external_variable_greater_than_5
{
    condition:
        my_external_variable > 5
}
The error can be fixed if you declare the external variable by adding the following lines to your configuration file:
variables:
  my_external_variable: 10
YARA-CI infers the type of the variable from its value, so my_external_variable
is clearly a number, matching the type expected in the rule. Of course, you
can define multiple variables, with any of the supported types: integer, string
and boolean.
variables:
  some_number: 10
  some_string: ""
  some_boolean: true
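A local pre-check for the type inference described above, as an added example that is not part of YARA-CI or its documentation: it reads the variables block with a strict subset of YAML scalar typing (assumed to match what YARA-CI infers) and compares the result with the types your rules expect. The sample config, the `required` mapping and all function names are constructed for illustration.

```python
import re

# Constructed sample config; quoted_number is not from the page.
SAMPLE_CONFIG = """\
variables:
  my_external_variable: 10
  some_string: ""
  some_boolean: true
  quoted_number: "10"
"""

def infer(raw):
    """Type one scalar (assumed YAML subset); an empty value is null, so rejected."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]                  # quoted is always a string, even "10"
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"[-+]?\d+", raw):
        return int(raw)
    raise ValueError(f"{raw!r}: expected integer, quoted string or boolean")

def parse_variables(text):
    """Return {name: value} for the indented entries under 'variables:'."""
    found, inside = {}, False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():         # a top-level key opens or closes the block
            inside = line.rstrip() == "variables:"
        elif inside:
            name, _, raw = line.strip().partition(":")
            found[name] = infer(raw)
    return found

def check(declared, required):
    """List variables the rules need that are missing or of the wrong type."""
    problems = []
    for name, want in required.items():
        if name not in declared:
            problems.append(f"{name}: not declared")
        elif type(declared[name]) is not want:   # type(): True must not pass as int
            got = type(declared[name]).__name__
            problems.append(f"{name}: declared as {got}, rules need {want.__name__}")
    return problems

if __name__ == "__main__":
    required = {"my_external_variable": int, "positives": int, "quoted_number": int}
    for problem in check(parse_variables(SAMPLE_CONFIG), required):
        print(problem)
```

Quoting a number turns it into a string, so a rule that compares it with `> 5` would no longer see the type it expects.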
If your YARA rules are intended to be used with the Livehunt service in VirusTotal Intelligence, declare the following variables:
variables:
  file_name: ""
  file_type: ""
  imphash: ""
  md5: ""
  new_file: true
  positives: 0
  sha1: ""
  sha256: ""
  signatures: ""
  ssdeep: ""
  submissions: 0
  tags: ""
  vhash: ""
  # Antivirus engines
  acronis: ""
  ad_aware: ""
  aegislab: ""
  ahnlab: ""
  ahnlab_v3: ""
  alibaba: ""
  alyac: ""
  antivir7: ""
  antivir: ""
  antiy_avl: ""
  apex: ""
  arcabit: ""
  avast: ""
  avast_mobile: ""
  avg: ""
  avira: ""
  avware: ""
  babable: ""
  baidu: ""
  bitdefender: ""
  bitdefendertheta: ""
  bkav: ""
  cat_quickheal: ""
  clamav: ""
  cmc: ""
  commtouch: ""
  comodo: ""
  crowdstrike: ""
  cybereason: ""
  cylance: ""
  cynet: ""
  cyren: ""
  drweb: ""
  egambit: ""
  elastic: ""
  emsisoft: ""
  endgame: ""
  escan: ""
  eset_nod32: ""
  f_prot: ""
  f_secure: ""
  fireeye: ""
  fortinet: ""
  gdata: ""
  ikarus: ""
  invincea: ""
  jiangmin: ""
  k7antivirus: ""
  k7gw: ""
  kaspersky: ""
  kingsoft: ""
  malwarebytes: ""
  max: ""
  maxsecure: ""
  mcafee: ""
  mcafee_gw_edition: ""
  microsoft: ""
  microworld_escan: ""
  nano_antivirus: ""
  nod32: ""
  nprotect: ""
  paloalto: ""
  panda: ""
  prevx1: ""
  qihoo_360: ""
  rising: ""
  sangfor: ""
  sentinelone: ""
  sophos: ""
  sunbelt: ""
  superantispyware: ""
  symantec: ""
  symantecmobileinsight: ""
  tachyon: ""
  tencent: ""
  thehacker: ""
  totaldefense: ""
  trapmine: ""
  trendmicro: ""
  trendmicro_housecall: ""
  trustlook: ""
  vba32: ""
  vipre: ""
  virobot: ""
  webroot: ""
  whitearmor: ""
  yandex: ""
  zillya: ""
  zonealarm: ""
  zoner: ""