Detect IOCs with YARA on Ubuntu and Windows

YARA is one of the most versatile and powerful tools in the arsenal of security engineers and malware analysts. Whether you're defending Windows fleets or Linux servers, mastering YARA means being able to rapidly scan, classify, and hunt down malicious files and patterns based on known indicators of compromise (IOCs). This guide walks you through installing YARA on both Ubuntu and Windows, then dives into how to use it effectively for detecting hashes, IPs, domains, hostnames, and file patterns—engineered specifically with practical use cases in mind.
Installing YARA
On Ubuntu (Debian-based distros)
Make sure Ubuntu is up to date:
sudo apt update
Install YARA:
sudo apt install yara -y
Verify it installed correctly:
yara --version
On Windows
Option 1: Winget (Simple and Clean)
If you use Winget, you can install YARA with:
winget install yara
Option 2: Manual Installation
- Download precompiled binaries from the official YARA GitHub.
- Extract the .zip and place yara.exe somewhere in your system's PATH.
To confirm it's working:
yara.exe --version
Writing and Running YARA Rules
A YARA rule is structured to define a name, some metadata (optional), a set of strings to match, and a condition. Once written, the rule can be used to scan files, memory dumps, or directories.
Let’s explore specific examples for real-world detection scenarios.
Example 1: Detect Known File Hashes
If you have known malicious hash values (MD5, SHA1, SHA256), YARA can use its built-in hash module to calculate and compare them.
import "hash"

rule Detect_Malicious_File_Hashes
{
    condition:
        hash.md5(0, filesize) == "f53fa44c7b591a2be105344790543369" or
        hash.sha1(0, filesize) == "363068731e87bcee19ad5cb802e14f9248465d31" or
        hash.sha256(0, filesize) == "55f3725ebe01ea19ca14ab14d747a6975f9a6064ca71345219a14c47c18c88be"
}
Command to scan a file or directory:
yara detect_hashes.yar /path/to/suspicious_file
On Windows:
yara.exe detect_hashes.yar C:\Samples\file.exe
Example 2: Detect Domains and Hostnames
This rule looks for hardcoded domain strings in files or logs.
rule Detect_Suspicious_Domains
{
    strings:
        $d1 = "maliciousdomain.com"
        $d2 = "evilcorp.org"
        $onion = /[a-z0-9\-\.]+\.onion/
    condition:
        any of them
}
You can scan logs, memory dumps, or extracted strings:
yara detect_domains.yar /var/log/auth.log
Example 3: Detect IP Addresses
Match specific or general IP addresses:
rule Detect_Known_IP_Addresses
{
    strings:
        $ip1 = "181.174.164.47"
        $ip2 = "109.120.179.170"
        $generic = /\b(?:\d{1,3}\.){3}\d{1,3}\b/
    condition:
        any of them
}
Use this rule on any extracted memory, configuration files, or logs.
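The three rules above are usually not written by hand: IOCs arrive as lists from a feed or a ticket, and an engineer turns them into one consolidated .yar file. The script below is an added example (not code from this guide or from the YARA project) that does exactly that for the hash, domain and IP rule shapes shown in Examples 1 to 3. It assumes the IOCs are plain Python lists; the sample values are the hashes from Example 1 and the domain/IP strings from Examples 2 and 3, used here only as input. It goes slightly beyond the examples in three ways a practitioner cares about: digests are lowercased because the hash module returns lowercase hex (an uppercase hash from a feed never matches), the hash rule is guarded by filesize so YARA does not hash every large file it meets, and string IOCs get the `wide` modifier so UTF-16LE copies in Windows process memory are also caught. Malformed feed entries raise instead of silently producing a rule that can never fire.

```python
"""Build one consolidated .yar file from IOC lists (added example, not YARA project code)."""
import ipaddress
import re

# Sample IOC lists: the hashes come from the guide's Example 1, the network
# IOCs from Examples 2 and 3; they serve only as input for this example.
SAMPLE_HASHES = [
    "f53fa44c7b591a2be105344790543369",
    "363068731e87bcee19ad5cb802e14f9248465d31",
    "55f3725ebe01ea19ca14ab14d747a6975f9a6064ca71345219a14c47c18c88be",
]
SAMPLE_DOMAINS = ["maliciousdomain.com", "evilcorp.org"]
SAMPLE_IPS = ["181.174.164.47", "109.120.179.170"]

_HEX = re.compile(r"^[0-9a-fA-F]+$")
_HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}  # digest length -> hash module function
_DOMAIN = re.compile(r"^(?=.{1,253}$)[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")


def classify_hash(value: str) -> str:
    """Return the hash-module function name (md5/sha1/sha256) for a hex digest.

    Raises ValueError for anything else so a broken feed line cannot become
    a rule that compiles but never matches.
    """
    digest = value.strip().lower()
    if not _HEX.match(digest) or len(digest) not in _HASH_ALGOS:
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {value!r}")
    return _HASH_ALGOS[len(digest)]


def yara_text(value: str) -> str:
    """Quote a value as a YARA text string, escaping backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def validate_ip(value: str) -> str:
    """Accept only well-formed IP literals (ipaddress rejects e.g. 999.1.1.1)."""
    return str(ipaddress.ip_address(value.strip()))


def validate_domain(value: str) -> str:
    """Normalise a hostname to lowercase without a trailing dot; reject junk."""
    name = value.strip().lower().rstrip(".")
    if not _DOMAIN.match(name):
        raise ValueError(f"not a hostname: {value!r}")
    return name


def build_hash_rule(hashes, name="IOC_File_Hashes", max_size_mb=10):
    """Emit a hash-module rule guarded by filesize (YARA supports the MB suffix)."""
    clauses = [
        f'hash.{classify_hash(h)}(0, filesize) == "{h.strip().lower()}"' for h in hashes
    ]
    body = " or\n            ".join(clauses)
    return (
        f"rule {name}\n{{\n    condition:\n"
        f"        filesize <= {max_size_mb}MB and (\n            {body}\n        )\n}}\n"
    )


def build_string_rule(name, prefix, values, modifiers="ascii wide nocase"):
    """Emit a strings/condition rule; 'wide' also matches UTF-16LE copies of the
    indicator, 'nocase' covers DNS names written in mixed case."""
    if not values:
        raise ValueError("a strings section needs at least one string")
    lines = [f"        ${prefix}{i} = {yara_text(v)} {modifiers}" for i, v in enumerate(values)]
    return (
        f"rule {name}\n{{\n    strings:\n" + "\n".join(lines)
        + "\n    condition:\n        any of them\n}\n"
    )


def build_ruleset(hashes, domains, ips) -> str:
    """Combine every IOC type into one .yar file body; the import must come first."""
    parts = ['import "hash"\n']
    if hashes:
        parts.append(build_hash_rule(hashes))
    if domains:
        parts.append(build_string_rule("IOC_Domains", "d", [validate_domain(d) for d in domains]))
    if ips:
        # IPs are case-free, so no 'nocase' here.
        parts.append(build_string_rule("IOC_IP_Addresses", "ip",
                                       [validate_ip(i) for i in ips], modifiers="ascii wide"))
    return "\n".join(parts)


if __name__ == "__main__":
    # Redirect to a file, e.g. python build_iocs.py > iocs.yar, then: yara -r iocs.yar /path
    print(build_ruleset(SAMPLE_HASHES, SAMPLE_DOMAINS, SAMPLE_IPS))
```

Redirect the script's output to a file and pass that single file to `yara -r`; all three rules are then evaluated in one pass over the target tree.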
Example 4: Detect Malware File Signatures
Here’s a rule to match specific strings or byte sequences:
rule Detect_Malware_Signatures
{
    strings:
        $a1 = "This program cannot be run in DOS mode"
        $a2 = { 4D 5A 90 00 } // MZ header
    condition:
        any of them
}
Recursive directory scan:
yara -r malware_signatures.yar /opt/suspicious
Windows:
yara.exe -r malware_signatures.yar C:\Downloads\Tools
Additional YARA Tips for Engineers
- Use --print-strings to show matched string content.
- Use -r to scan directories recursively.
- Combine rules into one .yar file for efficiency.
- Pipe outputs into text files for post-analysis.
- Integrate YARA into incident response or CI pipelines for ongoing threat detection.
Conclusion
While mainstream cybersecurity platforms often include built-in detection capabilities for indicators of compromise, YARA stands out as a lightweight and flexible tool that belongs in every engineer's toolkit. It doesn’t require complex infrastructure or heavy integration—just clear rules and direct execution. Whether you're validating file hashes, scanning logs for suspicious domains, or performing a quick sweep of known IPs, YARA enables fast, focused IOC detection without unnecessary overhead. It’s a reliable go-to for incident responders, threat hunters, and engineers who want control, transparency, and precision in their defensive operations.