How to Install YARA on Ubuntu

Ahmet Aytemiz
Posted:
May 10, 2024
Home
Posts
Cybersecurity
How to Install YARA on Ubuntu
Contents
Example H2

YARA (Yet Another Ridiculous Acronym) is an open-source pattern-matching tool developed by VirusTotal in 2008. YARA was designed with malware in mind. Quoting the tool's creator: "YARA is a tool aimed at (but not limited to) helping malware researchers identify and classify malware samples."

YARA is used in various areas of the cybersecurity industry such as

  • Threat Detection and Analysis
  • Incident Response
  • Threat Intelligence

Many cybersecurity products use YARA rules to detect cybersecurity events. Examples include next-generation firewalls, email security systems, EDR, and antivirus systems.

Incident responders can use YARA to scan memory dumps from compromised machines, so it is clear that YARA plays an essential role in classifying malware and proactively defending against malicious actors.

Requirements:

  • Ubuntu operating system running on a physical or virtual machine
  • A stable internet connection to download the Wireshark packages
  • Your best hypervisor if you use a virtual machine

Steps:

  • Get the latest package list with apt-get
  • Install YARA on the Ubuntu
  • Create a YARA Rule
  • Run the YARA Rule and Search for a Pattern
  • Bonus: Detecting Webshells on the Apache Web Server with YARA

Get the Latest Package List with Apt-get

First, we should update the packages on the Ubuntu operating system using the following command:

sudo apt-get update

Now, we are ready to install YARA.

Install YARA on Ubuntu

Installing YARA on Ubuntu is quite easy. All you need to do is to use the following command:

sudo apt-get install yara -y

Create Simple a YARA Rule

At this step, we will create a simple YARA rule to search the letsdefend pattern. After we create the YARA rule, we can search any file path in the operating system.

First, create a file name ending with ".yar" or ".yara" with your favorite text editor.

                    rule letsdefend {
              strings:
                  $string1 = "letsdefend"
              condition:
                  $string1
          }

Run the YARA Rule and Search for a Pattern

In this case, the pattern contains only the letsdefend string, and we can search it in any location on the operating system files. Next, we will execute this rule on the /etc/passwd file of the operating system. If YARA finds any pattern, it shows us which rule found it.

yara letsdefend.yara /etc/passwd

Detecting Webshells with YARA

Let's assume that this Ubuntu machine has an Apache web server and a PHP file upload vulnerability. An attacker has uploaded a PHP webshell to the server. Let us find the uploaded PHP webshell file with YARA.

First, we will use this YARA rule to scan the Apache Web Server.

You can easily download the YARA rule set from GitHub via "Download raw file".

Open a terminal and go to Download Path, then scan /var/www/htmldirectory with YARA using following command:

yara extended.webshell_detection.yara /var/www/html

Conclusion

In this article, we explained what YARA is, why YARA is used in the cybersecurity industry, how we can install YARA on Ubuntu and finally, we have detected a PHP webshell on the Apache web server with YARA.

Share
letsdefend description card

You might also be interested in ...

How to detect Directory Traversal Attacks

November 13, 2024

Malware Analyst Interview Questions ans Answers

November 10, 2024

Threat Hunter Interview Questions and Answers

November 6, 2024

Start learning cybersecurity today

Explore courses