
YARA 1.3 released

I'm glad to announce a new version of YARA that includes three major new features, some of them inspired by user requests and suggestions. They are:

* C-style includes. You can now include one YARA source file in another, just as you do in C programs with the #include preprocessor directive.

* Metadata in rules. Rules can now carry associated metadata as identifier/value pairs. Metadata values can be strings, integers or booleans. This metadata can be accessed later from the yara-python extension.

* Multi-source compilation in yara-python. A group of YARA source files can be compiled together in yara-python. In this way rules from different sources can be matched at the same time against your data, which is more efficient than compiling and matching each source independently.

Here is an example of the "include" and "metadata" features:

include "./includes/some_other_rules.yar"

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        thread_level = 3
        in_the_wild = true

    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        $a or $b or $c
}

For more info:
http://code.google.com/p/yara-project/