Examples of how YARA rules are written and used with Storm. Not every case is covered; only the basics are shown here, and further research may be required on your own.
Do not add YARA import statements to your rules. Storm loads the modules by default.
Basic String Based Rule
Checks if the specific string(s) listed below are found in the file's PE data.
rule example_detection_name { // Name of the detection
    meta:
        rule_name = "Example Cheat" // Name of the cheat
        type = "Detect" // "Warning" or "Detect"
    strings: // Matched against the PE data of the file
        $string1 = "foobar" // Text string to look for
    condition:
        $string1 // If the text string is found, flag the file
}
In this example, foobar is the string being searched for.
Basic Hex Based Rule
Checks if the specific hex value(s) listed below are found in the file's PE data.
rule example_detection_name { // Name of the detection
    meta:
        rule_name = "Example Cheat" // Name of the cheat
        type = "Warning" // "Warning" or "Detect"
    strings: // Matched against the PE data of the file
        $hex_string = { 48 89 E5 55 48 83 EC 10 } // Byte sequence to look for
    condition:
        $hex_string // If the byte sequence is found, flag the file
}
In this example, the hex value 48 89 E5 55 48 83 EC 10 is the byte sequence being searched for.
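The hex string above matches only that exact byte sequence. Standard YARA hex strings also accept wildcards, nibble wildcards, jumps and alternatives, which is what you want when the code you are matching has a variable immediate or a few bytes of padding between two fixed fragments. The rule below is an added example, not part of the original page or of Storm's own rule set; the byte patterns are constructed around the prologue used above and the meta fields are kept in the page's rule_name/type format.

```yara
rule example_hex_wildcards { // Added example: hex string features
    meta:
        rule_name = "Example Cheat"
        type = "Warning"
    strings:
        // ?? is a full-byte wildcard: the last byte (the stack-size immediate
        // of "sub rsp, N") may be 0x10, 0x20, 0x28 or anything else
        $prologue_any_size = { 48 89 E5 55 48 83 EC ?? }
        // 8? is a nibble wildcard: the second byte may be any value 0x80..0x8F
        $prologue_nibble = { 48 8? E5 55 }
        // [2-8] is a jump: between 2 and 8 bytes of any value may sit between
        // the "sub rsp, ??" fragment and the trailing C3 (ret)
        $split_fragments = { 48 83 EC ?? [2-8] C3 }
        // ( A | B ) is an alternative: either REX prefix is accepted here
        $alt_prefix = { 55 ( 48 | 4C ) 89 E5 }
    condition:
        any of them // Flag if at least one of the patterns above is found
}
```

Jumps cannot be the first or last element of a hex string, and patterns made mostly of wildcards compile to very slow scans, so anchor each pattern on a few fixed bytes as shown.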
Basic String and Hex Based Rule
Checks if both the string and the hex value below are found in the file's PE data.
rule example_detection_name { // Name of the detection
    meta:
        rule_name = "Example Cheat" // Name of the cheat
        type = "Detect" // "Warning" or "Detect"
    strings: // Matched against the PE data of the file
        $string1 = "foobar" // Text string to look for
        $string2 = { 48 89 E5 55 48 83 EC 10 } // Byte sequence to look for
    condition:
        $string1 and $string2 // If both the string and the byte sequence are found, flag the file
}
Storm also supports the rest of YARA's rule features, such as rules that reference other rules, boolean conditions, tags, classification, offset ranges, binary data matching, and much more. Your imagination is your limit.
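The following rule pair is an added example, not code from the original page or from Storm, that ties the string-rule and hex-rule sections above to the features just listed: string modifiers (ascii, wide, nocase, fullword), tags, a private helper rule referenced from the main rule, string counts, "N of" quantifiers, an offset range, and a PE header check done with uint16() so that no import is needed. All string values and the 20MB size bound are constructed placeholders; it assumes Storm compiles the rules in one file together, so that example_combined_features can reference is_pe_file.

```yara
private rule is_pe_file { // Added example: helper rule, not reported on its own
    condition:
        // "MZ" magic at offset 0, read as a little-endian 16-bit value,
        // plus a size bound so huge files are skipped cheaply
        uint16(0) == 0x5A4D and filesize < 20MB
}

rule example_combined_features : cheat example_tag { // Tags follow the colon
    meta:
        rule_name = "Example Cheat"
        type = "Detect"
    strings:
        // ascii matches the plain form, wide the UTF-16 form (as used by
        // Windows window titles), nocase ignores letter case
        $title = "Example Cheat" ascii wide nocase
        // fullword only matches when not embedded in a longer word
        $export = "foobar" fullword
        // Constructed placeholder config names for the "N of" check
        $cfg1 = "example_cheat.ini"
        $cfg2 = "example_cheat.log"
        $cfg3 = "example_cheat_config"
        // Same prologue bytes as the hex examples above
        $prologue = { 48 89 E5 55 48 83 EC 10 }
    condition:
        is_pe_file and                   // reuse the private helper rule
        $prologue in (0..0x2000) and     // only count hits in the first 8 KiB
        #export >= 2 and                 // "foobar" must occur at least twice
        ( $title or 2 of ($cfg*) )       // title, or any two of the $cfg strings
}
```

The private rule never produces a detection by itself; it only supplies a reusable condition, which keeps the header and size checks out of every rule that needs them.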