Cyber Security Academy · Lesson

YARA Rule Syntax

Strings, conditions and metadata.

The Three Sections

A YARA rule has a name and up to three sections: meta, strings, and condition. The condition is the only mandatory section, but rules written for production use all three.

rule Example_Malware
{
  meta:                               // documentation only; never affects matching
    author = "analyst"
    description = "Detects Example family"
  strings:                            // patterns to search for
    $a = "EvilConfig"                 // text string
    $b = { 6A 40 68 00 30 00 00 }     // hex string (raw byte sequence)
  condition:                          // boolean expression over the strings; mandatory
    $a and $b
}

The meta Section

meta holds descriptive metadata that does not affect matching but is vital for triage and maintenance.

  • author, date, description
  • reference — report or advisory link
  • hash — sample(s) the rule was built from
  • tlp — sharing classification

Values are strings, integers, or booleans. Treat meta as documentation: the next responder relies on it.
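To make the three-section layout and the meta rules concrete, here is an added example (not code from the lesson or from the YARA project): a small Python parser that splits a rule into name, meta, strings and condition, converts meta values to the three types YARA allows, and lints the meta section for the triage fields listed above. The sample rule, its URL and hash are constructed placeholders; the required-key list and accepted TLP labels are assumptions about a team's convention, not YARA requirements. It also flags strings the condition never references, which the YARA compiler rejects.

```python
"""Minimal YARA rule parser and meta-hygiene linter (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample; mirrors the lesson's layout with a fuller meta section.
# The reference URL and hash are placeholders, not real indicators.
SAMPLE_RULE = """
rule Example_Malware
{
  meta:
    author = "analyst"
    date = "2024-01-01"
    description = "Detects Example family"
    reference = "https://example.invalid/report"
    hash = "PLACEHOLDER_SHA256"
    tlp = "amber"
    revision = 2          // integer meta value
    in_the_wild = true    // boolean meta value
  strings:
    $a = "EvilConfig"
    $b = { 6A 40 68 00 30 00 00 }
  condition:
    $a and $b
}
"""

# A condition-only rule is valid YARA; the linter just reports what triage will miss.
BARE_RULE = """
rule Bare
{
  condition:
    true
}
"""

RULE_HEADER = re.compile(r"^(?:(?:private|global)\s+)*rule\s+(\w+)\s*(?::[\w\s]+)?\{?$")
SECTION = re.compile(r"^(meta|strings|condition):$")
ASSIGN = re.compile(r"^(\$?\w*)\s*=\s*(.+)$")
REQUIRED_META = ("author", "description", "reference", "hash")   # assumed team convention
TLP_LABELS = {"white", "clear", "green", "amber", "amber+strict", "red"}  # TLP v1 + v2 labels


@dataclass
class ParsedRule:
    name: str
    meta: dict = field(default_factory=dict)
    strings: dict = field(default_factory=dict)
    condition: str = ""


def strip_comment(line):
    """Remove a trailing // comment, ignoring // inside double-quoted strings."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_str = not in_str
        elif not in_str and line.startswith("//", i):
            return line[:i]
    return line


def meta_value(raw):
    """Meta values may only be strings, integers or booleans."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    raise ValueError(f"invalid meta value: {raw!r}")


def parse_rule(text):
    """Parse one rule into name, meta, strings and condition (multi-line layout)."""
    rule, section, cond = None, None, []
    for line in text.splitlines():
        line = strip_comment(line).strip()
        if not line or line in ("{", "}"):
            continue
        if rule is None and (m := RULE_HEADER.match(line)):
            rule = ParsedRule(name=m.group(1))
        elif m := SECTION.match(line):
            section = m.group(1)
        elif section == "meta":
            key, raw = ASSIGN.match(line).groups()
            rule.meta[key] = meta_value(raw.strip())
        elif section == "strings":
            ident, raw = ASSIGN.match(line).groups()
            rule.strings[ident] = raw.strip()
        elif section == "condition":
            cond.append(line)
        else:
            raise ValueError(f"line outside any section: {line!r}")
    if rule is None or not cond:
        raise ValueError("rule needs a header and a condition section")
    rule.condition = " ".join(cond)
    return rule


def lint_meta(rule):
    """Return triage-hygiene findings; an empty list means the rule is documented."""
    findings = [f"missing meta.{k}" for k in REQUIRED_META if k not in rule.meta]
    tlp = rule.meta.get("tlp")
    if tlp is not None and str(tlp).lower() not in TLP_LABELS:
        findings.append(f"unknown tlp label {tlp!r}")
    # YARA rejects declared strings the condition never references ($x, #x, @x).
    # Skipped when 'them' or a wildcard is used, since those reference whole sets.
    if "them" not in rule.condition and "*" not in rule.condition:
        referenced = {"$" + n for n in re.findall(r"[$#@](\w*)", rule.condition)}
        findings += [f"string {s} not referenced in condition"
                     for s in rule.strings if s not in referenced]
    return findings


if __name__ == "__main__":
    for text in (SAMPLE_RULE, BARE_RULE):
        r = parse_rule(text)
        print(f"rule {r.name}: meta={r.meta} condition={r.condition!r}")
        print("  findings:", lint_meta(r) or "none")
```

Running the block prints an empty finding list for the sample and four missing-field findings for the condition-only rule, which is the point of the lesson: the bare rule compiles and matches just as well, but hands the next responder nothing to work with.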
