
How Do I Install YARA?

Published in YARA Installation 5 mins read

Installing YARA, a powerful tool for identifying and classifying malware samples, can be achieved through several methods, depending on your operating system and technical preference. The most straightforward approach for most users involves utilizing the pre-built binaries, while advanced users might opt for compiling from source or using package managers.

Quick Installation Methods

For most users, the quickest and easiest way to get YARA up and running is by using pre-compiled binaries or system-specific package managers.

1. Using Pre-built Binaries (Recommended for Most Users)

The simplest way to install the YARA command-line tool, which is often referred to as YARA-X in its modern form, is by downloading the pre-built binaries. These are provided with every release and are available for various operating systems.

Steps:

  1. Download: Visit the official YARA releases page on GitHub.
  2. Select Your OS: Choose the appropriate binary package for your operating system (Linux, macOS, or Windows). Look for files typically named yara-X.Y.Z-OS-ARCHITECTURE.zip or similar.
  3. Extract: Unzip the downloaded archive to your preferred location. A common practice is to create a directory like C:\YARA\ on Windows or /opt/yara/ on Linux/macOS.
  4. Add to PATH (Optional but Recommended): To run YARA from any directory, add the directory where you extracted the binaries to your system's PATH environment variable.
    • Windows:
      1. Search for "Environment Variables" in the Start Menu.
      2. Click "Edit the system environment variables" and then "Environment Variables...".
      3. Under "System variables," find and select "Path," then click "Edit...".
      4. Click "New" and add the full path to your YARA directory (e.g., C:\YARA\bin).
      5. Click "OK" on all windows.
    • Linux/macOS:
      1. Open your ~/.bashrc, ~/.zshrc, or ~/.profile file.
      2. Add the line: export PATH="/path/to/yara/bin:$PATH" (replace /path/to/yara/bin with your actual directory).
      3. Save the file and run source ~/.bashrc (or your respective file) to apply changes immediately.

2. Via Package Managers

Many operating systems offer convenient package managers that can install YARA with a single command.

For Linux Distributions

YARA is often available in the official repositories of popular Linux distributions.

  • Debian/Ubuntu:
    sudo apt update
    sudo apt install yara
  • CentOS/RHEL/Fedora:
    sudo yum install epel-release # If YARA is in EPEL
    sudo yum install yara
    # Or for newer Fedora/RHEL:
    sudo dnf install yara
  • Arch Linux:
    sudo pacman -S yara

For macOS (Homebrew)

Homebrew is a popular package manager for macOS that simplifies software installation.

  1. Install Homebrew (if not already installed):
    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
  2. Install YARA:
    brew install yara

Installing from Source Code (Advanced Users)

Compiling YARA from its source code gives you the latest features and greater control over the installation, though it requires some development tools.

Prerequisites

Before compiling, ensure you have the necessary development tools installed:

  • A C compiler: GCC (GNU Compiler Collection) or Clang.
  • Make: A build automation tool.
  • Autotools: autoconf, automake, libtool.
  • Optional Libraries (for extended functionality):
    • libssl-dev (OpenSSL development files)
    • libjansson-dev (Jansson development files for JSON support)
    • libmagic-dev (File type identification support)

Steps for Linux and macOS

  1. Clone the Repository:
    git clone https://github.com/VirusTotal/yara.git
    cd yara
  2. Prepare the Build System:
    ./bootstrap.sh
  3. Configure: This step checks for dependencies and prepares the build. You can specify installation paths or enable/disable features.
    ./configure
    # Example with prefix and optional modules:
    # ./configure --prefix=/usr/local --enable-magic --enable-hash --enable-cuckoo
  4. Compile:
    make
  5. Install:
    sudo make install
  6. Update Shared Libraries (Linux only):
    sudo ldconfig

Steps for Windows (via WSL or Cygwin)

For Windows, compiling from source is typically done within a Unix-like environment such as Windows Subsystem for Linux (WSL) or Cygwin, following the Linux steps above.

  • Windows Subsystem for Linux (WSL): Install a Linux distribution (e.g., Ubuntu) via the Microsoft Store, then follow the Linux compilation steps within your WSL terminal.
  • Cygwin: Install Cygwin with gcc, make, autoconf, automake, libtool, and other development packages, then follow the Linux compilation steps.

Installing YARA-Python (for Python Developers)

If you plan to use YARA programmatically within Python scripts, you'll need the yara-python library.

  1. Install via pip:

    pip install yara-python
    • Note: Ensure you have a C compiler installed if yara-python needs to compile native extensions during installation.
  2. Basic Usage Example in Python:

    import yara
    
    # Compile a YARA rule
    rules = yara.compile(source='rule my_rule { strings: $a = "test_string" condition: $a }')
    
    # Scan data
    matches = rules.match(data='This is a test_string in some data.')
    
    if matches:
        print("Matches found:", matches)
    else:
        print("No matches.")
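A fuller version of the scan above, added here as an example that is not part of the original article: it compiles the same ExampleRule rule shown later under Practical Tips, scans an in-memory buffer with a timeout, and flattens the Match objects into plain dicts, handling both the tuple-style string hits yara-python returned before 4.3 and the object-style ones from 4.3 onward. It assumes yara-python is installed; summarize(), scan_bytes() and binding_available() are names chosen for this example.

```python
# Added example, not from the original article. Assumes yara-python is installed
# (pip install yara-python); summarize() and scan_bytes() are names chosen here.
try:
    import yara
except ImportError:  # binding missing: scanning unavailable, summarize() still usable
    yara = None

# Constructed rule, the same shape as the my_rules.yar example in this article.
RULE_SOURCE = r"""
rule ExampleRule
{
    strings:
        $a = "malicious_string" nocase
        $b = { 01 02 03 04 05 }
    condition:
        $a or $b
}
"""

def binding_available():
    return yara is not None

def summarize(matches):
    """Flatten Match objects into {"rule": name, "hits": [(identifier, offset), ...]}.
    yara-python < 4.3 gives each hit as an (offset, identifier, data) tuple;
    4.3+ gives StringMatch objects with .identifier and .instances[].offset."""
    out = []
    for m in matches:
        hits = []
        for s in m.strings:
            if isinstance(s, tuple):
                hits.append((s[1], s[0]))
            else:
                hits.extend((s.identifier, inst.offset) for inst in s.instances)
        out.append({"rule": m.rule, "hits": sorted(hits, key=lambda h: h[1])})
    return out

def scan_bytes(data, rule_source=RULE_SOURCE, timeout=10):
    """Compile rule_source and scan an in-memory buffer; timeout (s) bounds slow rules."""
    if yara is None:
        raise RuntimeError("yara-python is not installed: pip install yara-python")
    rules = yara.compile(source=rule_source)
    return summarize(rules.match(data=data, timeout=timeout))

if __name__ == "__main__":
    # Constructed buffer: the nocase string sits at offset 7, the hex pattern at 32.
    sample = b"header MALICIOUS_STRING payload \x01\x02\x03\x04\x05 tail"
    for entry in scan_bytes(sample):
        print(entry["rule"], entry["hits"])  # ExampleRule [('$a', 7), ('$b', 32)]
```

To scan a file on disk instead of a buffer, pass filepath="/path/to/file" to rules.match() in place of data=.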

Verifying Your YARA Installation

After installation, it's crucial to verify that YARA is correctly installed and accessible.

  1. Open a New Terminal/Command Prompt: This ensures any PATH changes are loaded.
  2. Check Version:
    yara --version

    You should see the installed YARA version number.

  3. Check Help:
    yara -h

    This should display the YARA help message, indicating the tool is recognized.

Practical Tips for YARA Usage

Once YARA is installed, you can start writing and applying rules.

  • Create a Rule File: Save your YARA rules in a text file (e.g., my_rules.yar).

    rule ExampleRule
    {
        strings:
            $a = "malicious_string" nocase
            $b = { 01 02 03 04 05 }
    
        condition:
            $a or $b
    }
  • Scan a File:

    yara my_rules.yar /path/to/target_file.exe
  • Scan a Directory Recursively:

    yara -r my_rules.yar /path/to/target_directory

Installation Method at a Glance

  Method              | Description                                                  | Ideal User
  --------------------|--------------------------------------------------------------|------------------------------------------------
  Pre-built Binaries  | Download and extract ready-to-use executables.               | Most users, quick setup
  Package Manager     | Use apt, brew, yum, etc., for one-command installation.      | Users on Linux/macOS, easy updates
  Source Code         | Compile from GitHub repository. Requires development tools.  | Advanced users, specific needs, latest features
  YARA-Python         | Install Python bindings via pip.                             | Python developers, scripting

By following these methods, you can effectively install YARA and begin leveraging its capabilities for threat detection and research.