```yara
rule NumberOne {
    meta:
        desc = "Sonala"
        weight = 10
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}
```
| Part | Usage |
|---|---|
| `rule` | The `rule` keyword followed by the rule name (`NumberOne` above). The name must be unique within the ruleset and cannot contain spaces; it is an identifier made of letters, digits and underscores. |
| `meta:` | Begins the meta section. Entries here are descriptive key/value pairs and do not affect detection. YARA itself treats every meta entry as free-form; the meaning of `desc` and `weight` comes from the platform that consumes the rule. |
| `desc` | Optional entry that describes the rule. |
| `weight` | Optional entry; an integer from 1 to 10 that sets the risk level reported when the rule's condition is met. |
| `strings:` | Begins the strings section, the main means of detecting malware. A string is either a text string in double quotes (`$c` above) or a hexadecimal byte sequence in braces (`$a` and `$b` above). |
| `$a` / `$b` / `$c` | Identifiers for the strings used to detect malware. Each begins with a `$` character followed by one or more alphanumeric characters or underscores. |
| `condition:` | Begins the condition section. The condition determines how the strings are combined to decide whether an object matches. |
| `$a or $b or $c` | Conditions are Boolean expressions that define the logic of the rule: they state when a submitted object satisfies the rule. Here the object matches if any one of the three strings is found. Conditions can use the Boolean operators `and`, `or` and `not`, the relational operators `>=`, `<=`, `<`, `>`, `==` and `!=`, and, on numerical expressions, the arithmetic operators `+`, `-`, `*`, `/`, `%` and the bitwise operators `&`, `\|`, `<<`, `>>`, `~`, `^`. |
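To make the anatomy above concrete, here is an added example (not part of the original page and not YARA's own code) that parses the `NumberOne` rule, matches its text and hex strings against two constructed buffers, and evaluates the condition. It supports only what the table describes: a meta section, plain text and hex strings, `$id` presence, `#id` occurrence counts, `filesize`, and the Boolean, relational and arithmetic operators. Wildcards, modifiers, regular expressions and modules are deliberately left out; use the `yara` CLI or `yara-python` for real scanning.

```python
"""Minimal YARA-style rule matcher (teaching example, not YARA itself).

Implements just enough of the rule anatomy to show how text strings, hex
strings and a Boolean condition combine to match a buffer.
"""
import re

# The rule from the page.  meta is parsed but, as the text says, never
# consulted during detection.
RULE = r'''
rule NumberOne {
    meta:
        desc = "Sonala"
        weight = 10
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}
'''

SECTION_RE = re.compile(r'\b(meta|strings|condition):')
META_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|\d+|true|false)')
STRING_RE = re.compile(r'\$(\w+)\s*=\s*(\{[^}]*\}|"[^"]*")')


def parse_rule(text):
    """Parse one rule into {'name', 'meta', 'strings', 'condition'}."""
    name = re.search(r'\brule\s+(\w+)', text).group(1)
    # The first '{' opens the rule body and the last '}' closes it; the
    # braces of hex strings lie strictly inside that span.
    body = text[text.index('{') + 1:text.rindex('}')]
    parts = SECTION_RE.split(body)          # ['', 'meta', ..., 'condition', ...]
    sections = dict(zip(parts[1::2], parts[2::2]))

    meta = {}
    for key, raw in META_RE.findall(sections.get('meta', '')):
        if raw.startswith('"'):
            meta[key] = raw[1:-1]
        elif raw in ('true', 'false'):
            meta[key] = raw == 'true'
        else:
            meta[key] = int(raw)

    strings = {}
    for ident, raw in STRING_RE.findall(sections.get('strings', '')):
        if raw.startswith('{'):
            # Hex string: bytes.fromhex() accepts the spaced form.  Wildcards
            # ('??') and jumps are not supported here and raise ValueError.
            strings[ident] = bytes.fromhex(raw[1:-1])
        else:
            # Text string; escape sequences are not handled.
            strings[ident] = raw[1:-1].encode()

    return {'name': name, 'meta': meta, 'strings': strings,
            'condition': sections['condition'].strip()}


def count_matches(data, pattern):
    """Number of (possibly overlapping) occurrences of pattern in data."""
    n, pos = 0, data.find(pattern)
    while pos != -1:
        n += 1
        pos = data.find(pattern, pos + 1)
    return n


def evaluate(rule, data):
    """Return (matched, counts): does the rule's condition hold for data?"""
    counts = {ident: count_matches(data, pat)
              for ident, pat in rule['strings'].items()}
    # Translate the YARA condition into a Python expression:
    #   $a       -> True if $a occurs at least once
    #   #a       -> number of occurrences of $a
    #   filesize -> len(data)
    # and/or/not and the relational and arithmetic operators are spelled
    # the same in Python, so a builtin-free eval() does the rest.
    expr = re.sub(r'\$(\w+)', lambda m: str(counts[m.group(1)] > 0),
                  rule['condition'])
    expr = re.sub(r'#(\w+)', lambda m: str(counts[m.group(1)]), expr)
    expr = re.sub(r'\bfilesize\b', str(len(data)), expr)
    return bool(eval(expr, {'__builtins__': {}}, {})), counts


# Constructed sample buffers (not real malware): HIT carries the $c alphabet
# string twice, MISS contains nothing the rule looks for.
HIT = (b'\x90' * 16 + b'UVODFRYSIHLNWPEJXQZAKCBGMT' + b'\x00' * 8
       + b'UVODFRYSIHLNWPEJXQZAKCBGMT')
MISS = bytes(range(64))

if __name__ == '__main__':
    rule = parse_rule(RULE)
    for label, buf in (('HIT', HIT), ('MISS', MISS)):
        matched, counts = evaluate(rule, buf)
        print(f'{rule["name"]} on {label}: matched={matched} counts={counts}')
    # Same strings, but a condition using a count and relational operators.
    rule['condition'] = '#c >= 2 and not $a'
    print('count condition on HIT:', evaluate(rule, HIT)[0])
```

Swapping the condition for `#c >= 2 and not $a` shows why the condition section matters: the same three strings yield a different verdict once the rule asks for two occurrences of `$c` and the absence of `$a`.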