yara-rule-authoring


Guides authoring of high-quality YARA-X detection rules for malware identification. Use when writing, reviewing, or optimizing YARA rules. Covers naming conventions, string selection, performance optimization, migration from legacy YARA, and false positive reduction. Triggers on: YARA, YARA-X, malware detection, threat hunting, IOC, signature, crx module, dex module.

Category: API & Backend · 5,501 stars · 484 forks · Updated 4 days ago · License: CC-BY-SA-4.0


Quality Score: 90/100


Skill Content

# YARA-X Rule Authoring

Write detection rules that catch malware without drowning in false positives.

> **This skill targets YARA-X**, the Rust-based successor to legacy YARA. YARA-X powers VirusTotal's production systems and is the recommended implementation. See [Migrating from Legacy YARA](#migrating-from-legacy-yara) if you have existing rules.

## Core Principles

1. **Strings must generate good atoms** — YARA picks short byte subsequences (atoms, up to 4 bytes long) out of each string for its fast first-pass scan. Strings made of repeated bytes, very common sequences, or fewer than 4 bytes yield poor atoms, so the engine falls back to slow bytecode verification at far too many candidate offsets.
2. **Target specific families, not categories** — "Detects ransomware" catches everything and nothing. "Detects LockBit 3.0 configuration extraction routine" catches what you want.
3. **Test against goodware before deployment** — A rule that fires on Windows system files is useless. Validate against VirusTotal's goodware corpus or your own clean file set.
4. **Short-circuit with cheap checks first** — Put `filesize < 10MB and uint16(0) == 0x5A4D` before expensive string searches or module calls.
5. **Metadata is documentation** — Future you (and your team) need to know what this catches, why, and where the sample came from.

## When to Use

- Writing new YARA-X rules for malware detection
- Reviewing existing rules for quality or performance issues
- Optimizing slow-running rulesets
- Converting IOCs or threat intel into detection signatures
- Debugging false positive issues
- Preparing rules for p...
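The following file puts the five principles side by side in working rule syntax. It is an added example written for this page, not code from the Trail of Bits skill or from VirusTotal: the first rule breaks every principle, the second follows them. The family name, the hex bytes, the API-hash string and the mutex are constructed for illustration and correspond to no real sample; the `pe` module fields used (`pe.is_pe`) and the `filesize`/`uint16(0)` checks are standard YARA-X.

```yara
// Added example for this page. Both rules compile under YARA-X; the first
// one is what NOT to ship, the second one applies the principles above.
// Family name, strings, hex bytes and mutex are constructed and match no
// real malware.

import "pe"

rule Generic_Ransomware_Weak
{
    // No meta: nobody can tell what this targets or where it came from.
    strings:
        $a = "http"           // too common: present in most binaries
        $b = { 00 00 00 00 }  // repeated bytes give no usable atom
        $c = "exe"            // under 4 bytes, same problem
    condition:
        any of them           // no cheap pre-check; fires on almost anything
}

rule Win_Loader_Hypo_ConfigDecrypt
{
    meta:
        description = "Hypothetical loader: config-decrypt routine and hash-based API resolution"
        author      = "added example, not part of the original skill"
        reference   = "constructed sample, no real hash"
        date        = "2024-01-01"
        tlp         = "TLP:CLEAR"

    strings:
        // Distinctive, mixed-byte sequences of 4+ bytes: good atoms.
        // The [4-8] jump tolerates small compiler/layout differences.
        $decrypt = { 8B 45 08 33 C1 C1 C8 0D [4-8] 3D DE C0 AD DE }
        $api     = "ResolveApiByHash" ascii wide
        $mutex   = "Global\\hypo-ldr-v3" ascii

    condition:
        // Cheap checks first: size and MZ header before any string work or pe.* call
        filesize < 2MB and
        uint16(0) == 0x5A4D and
        pe.is_pe and
        // Require two of three so a single coincidental string does not fire the rule
        2 of ($decrypt, $api, $mutex)
}
```

To exercise the file with the YARA-X CLI, `yr check rules.yar` validates the syntax and `yr scan rules.yar <directory>` runs it over a target tree; expect YARA-X to warn about the weak rule's slow patterns. Scanning a directory of known-clean binaries (principle 3) before deployment is the step that tells you whether the second rule's strings are really as distinctive as they look.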

Details

Author: trailofbits
Repository: trailofbits/skills
Created: 4 months ago
Last Updated: 4 days ago
Language: Python
License: CC-BY-SA-4.0
