Skip to content

yara-authoring

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History
 
 

yara-authoring

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
.claude-plugin
.claude-plugin
 
 
skills/yara-rule-authoring
skills/yara-rule-authoring
 
 
README.md
README.md
 
 

README.md

YARA-X Authoring Plugin

A behavior-driven skill for authoring high-quality YARA-X detection rules, teaching you to think and act like an expert YARA author.

YARA-X Focus: This skill targets YARA-X, the Rust-based successor to legacy YARA. YARA-X powers VirusTotal's Livehunt/Retrohunt production systems and is 5-10x faster for regex-heavy rules. Legacy YARA (C implementation) is in maintenance mode.

Philosophy

This skill doesn't dump YARA syntax at you. Instead, it teaches:

  • Decision trees for common judgment calls (Is this string good enough? When to abandon an approach?)
  • Expert heuristics (mutex names are gold, API names are garbage)
  • Rationalizations to reject (the shortcuts that cause production failures)

An expert uses 5 tools: yarGen, FLOSS, yr CLI, signature-base, YARA-CI. Everything else is noise.

Installation

YARA-X CLI

# macOS
brew install yara-x

# Or from source
cargo install yara-x

# Verify installation
yr --version

Python Package (for scripts)

pip install yara-x
# or with uv
uv pip install yara-x

Plugin

Add this plugin to your Claude Code configuration:

claude mcp add-plugin /path/to/yara-authoring

Skills

yara-rule-authoring

Guides authoring of YARA-X rules for malware detection with expert judgment.

Covers:

  • Decision trees for string quality, when to abandon approaches, debugging FPs
  • Expert heuristics from experienced YARA authors
  • Rationalizations to reject (common shortcuts that fail)
  • Naming conventions (CATEGORY_PLATFORM_FAMILY_DATE format)
  • Performance optimization (atom quality, short-circuit conditions)
  • Testing workflow (goodware corpus validation)
  • YARA-X migration guide for converting legacy rules
  • Chrome extension analysis with crx module
  • Android DEX analysis with dex module

Triggers: YARA, YARA-X, malware detection, threat hunting, IOC, signature

Scripts

The skill includes two Python scripts that require uv to run:

yara_lint.py

Validates YARA-X rules for style, metadata, compatibility issues, and anti-patterns:

uv run yara_lint.py rule.yar
uv run yara_lint.py --json rules/
uv run yara_lint.py --strict rule.yar

atom_analyzer.py

Evaluates string quality for efficient atom extraction:

uv run atom_analyzer.py rule.yar
uv run atom_analyzer.py --verbose rule.yar

Reference Documentation

Document Purpose
style-guide.md Naming conventions, metadata requirements
performance.md Atom theory, optimization techniques
strings.md String selection judgment, good/bad patterns
testing.md Validation workflow, FP investigation

Key Resources

Requirements

  • Python 3.11+
  • uv for running scripts
  • YARA-X CLI (yr)

The scripts use PEP 723 inline metadata, so dependencies are resolved automatically by uv run.

Migrating from Legacy YARA

If you have existing rules written for legacy YARA:

  1. Run validation: yr check --relaxed-re-syntax rules/
  2. Fix issues identified (see SKILL.md migration section)
  3. Validate without relaxed mode: yr check rules/

Note: Use --relaxed-re-syntax only as a temporary diagnostic tool. Fix all identified issues rather than relying on relaxed mode permanently.

Common migration issues:

  • Unescaped { in regex patterns
  • Invalid escape sequences (\R\\R)
  • Base64 patterns on strings < 3 characters
  • Negative array indexing