awesome-yara: A curated list of awesome YARA rules, tools, and people.

YARA rules are useful, but they can be a bit tricky to use. You can use them in-line to scan mail; or, if you want to go hunting in the more traditional sense, you are going to need something like osquery, Loki/Spark (or Spark-Core), various PowerShell modules, or the default yara scanner to actually do the scanning with the .yar files you have. The second problem is getting the results back to you.

I’ve done this at scale with a few tools. Spark-Core works pretty well: if you can push a package out to a fleet of machines, you can set it up with a bundled .yas (i.e. an encrypted YARA file) and specify a remote syslog server to fire the results to (or a Splunk instance, etc.).
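The same pipeline with the stock yara CLI instead of a commercial scanner, as an added example (not code from awesome-yara or any project it lists): scan a directory recursively, parse the `rule path` lines yara prints, and forward each hit as an RFC 5424 datagram to a remote syslog collector. It assumes the `yara` binary is on PATH and that the collector host and UDP port you pass in are yours.

```python
"""Scan a directory with the stock `yara` CLI and ship each match to a remote
syslog collector over UDP. Added example; assumes `yara` is on PATH and that
the syslog host/port passed in point at your own collector."""
import socket
import subprocess
import sys
from datetime import datetime, timezone

# Facility local0 (16) and severity warning (4): PRI = 16 * 8 + 4 = 132.
PRI = 16 * 8 + 4


def parse_yara_output(text):
    """Parse `yara -r` stdout into (rule, path) pairs.

    Each match is printed as `<rule> <path>`; with `-s` yara also prints
    `0x<offset>:$<id>: <data>` lines, which are skipped here. The path is the
    remainder of the line, so paths containing spaces survive."""
    matches = []
    for line in text.splitlines():
        if not line or line.startswith("0x"):
            continue
        rule, _, path = line.partition(" ")
        if rule and path:
            matches.append((rule, path))
    return matches


def format_syslog(rule, path, hostname, timestamp=None):
    """Build an RFC 5424 message: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    ts = timestamp or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{PRI}>1 {ts} {hostname} yara-scan - - - rule={rule} path={path}"


def scan_and_ship(rules_file, target_dir, syslog_host, syslog_port=514):
    """Run yara recursively over target_dir and send one datagram per match."""
    proc = subprocess.run(["yara", "-r", rules_file, target_dir],
                          capture_output=True, text=True, check=False)
    matches = parse_yara_output(proc.stdout)
    hostname = socket.gethostname()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for rule, path in matches:
            msg = format_syslog(rule, path, hostname)
            sock.sendto(msg.encode(), (syslog_host, syslog_port))
    return matches


if __name__ == "__main__":
    # usage: python scan_and_ship.py rules.yar /path/to/scan syslog.example
    hits = scan_and_ship(sys.argv[1], sys.argv[2], sys.argv[3])
    print(f"{len(hits)} match(es) forwarded")
```

Warnings and errors from yara go to stderr and are not parsed, so a rule that fails to compile shows up as zero matches rather than a crash; check `proc.returncode` if you want that surfaced.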

