Storm Scanner

Basic Rule Examples

Examples of basic YARA rules for use with Storm. Only the basics are covered here; further research on your own may be required.

Do not add YARA imports to your rules. Storm includes them by default.

Basic String Based Rule

Checks if the specific string(s) below are found in the file's PE data.

rule example_detection_name { // Name of the detection
	meta:
	    rule_name = "Example Cheat" // name of the cheat
	    type = "Detect" // Warning or Detect
	strings: // Checks the pe data of a file
	    $string1 = "foobar" // String value
	condition:
	    $string1 // If text string is found, then flag
}

In this example, foobar is the string being searched for.

Basic Hex Based Rule

Checks if the specific hex value(s) below are found in the file's PE data.

rule example_detection_name { // Name of the detection
	meta:
	    rule_name = "Example Cheat" // name of the cheat
	    type = "Warning" // Warning or Detect
	strings: // Checks the pe data of a file
	    $hex_string = { 48 89 E5 55 48 83 EC 10 } // Hex value
	condition:
	    $hex_string // If hex string is found, then flag
}

In this example, 48 89 E5 55 48 83 EC 10 is the hex value being searched for.

Basic String and Hex Based Rule

Checks if both the string and the hex value below are found in the file's PE data.

rule example_detection_name { // Name of the detection
	meta:
	    rule_name = "Example Cheat" // name of the cheat
	    type = "Detect" // Warning or Detect
	strings: // Checks the pe data of a file
	    $string1 = "foobar" // String value
	    $string2 = { 48 89 E5 55 48 83 EC 10 } // Hex value
	condition:
	    $string1 and $string2 // If both string and hex are found, flag
}

Storm also supports other module rules such as recursive, boolean, tags, classification, ranges, binary data matching, and much more. Your imagination is your limit.
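
As an added example (not taken from Storm's documentation), the rule below combines several of the features named above: boolean logic, a range check, string modifiers, and binary matching with a wildcard and a jump. It uses only standard YARA syntax with no imports and assumes Storm accepts that syntax unchanged and applies the rule to the file from offset 0; the rule name and the "foobar.cfg" string are constructed sample values.

```yara
rule example_layered_detection { // Name of the detection (hypothetical)
	meta:
	    rule_name = "Example Cheat" // name of the cheat
	    type = "Warning" // Warning or Detect
	strings:
	    // Text strings: match ASCII and UTF-16 (wide) copies
	    $name = "foobar" ascii wide nocase // nocase ignores upper/lower case
	    $cfg = "foobar.cfg" ascii wide // constructed sample value
	    // Hex string based on the one above, loosened so that small
	    // differences between builds still match:
	    //   [0-4] is a jump of 0 to 4 arbitrary bytes
	    //   ??    is a wildcard for exactly one byte
	    $code = { 48 89 E5 55 [0-4] 48 83 EC ?? }
	condition:
	    uint16(0) == 0x5A4D and // file starts with "MZ" (PE header)
	    filesize < 20MB and // range check: skip very large files
	    $code and // the binary pattern must be present
	    (#name >= 2 or $cfg) // plus two hits on the name, or the config string
}
```

Requiring the byte pattern together with a text indicator, rather than either one alone, makes the rule less likely to flag unrelated files that happen to contain a short byte sequence or a common word.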

Last updated 8 months ago
