ClawHub

S³ YARA Rule Authoring

v1.0.0

Write high-quality YARA-X detection rules for malware identification and threat hunting. Covers naming conventions, string selection, performance optimizatio...

0· 148·0 current·0 all-time
bySolomon Neas@solomonneas

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for solomonneas/s3-yara-authoring.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "S³ YARA Rule Authoring" (solomonneas/s3-yara-authoring) from ClawHub.
Skill page: https://clawhub.ai/solomonneas/s3-yara-authoring
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install s3-yara-authoring

ClawHub CLI

Package manager switcher

npx clawhub@latest install s3-yara-authoring
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name, description, and runtime instructions match: this is a YARA-X rule authoring and review guide. It does not request unrelated binaries, credentials, or config paths. Mentions of installing yara-x via brew/cargo are documentation-only and consistent with the stated purpose.
Instruction Scope
SKILL.md instructs the user/agent to validate and scan files (yr check, yr scan, yr fmt) and to test rules against 'goodware' corpora and sample files. This is expected for a rule-authoring skill but it implies the agent will read and operate on local files if given — ensure the agent is only pointed at appropriate test/analysis datasets and not sensitive production data.
Install Mechanism
No install spec in the registry (instruction-only). The documentation references standard install methods (brew/cargo) for yara-x — these are normal and do not introduce hidden downloads in the skill itself.
Credentials
The skill requests no environment variables, credentials, or config paths. The behavior described (file scanning and rule formatting) does not require secrets, so the declared surface is proportionate.
Persistence & Privilege
Skill is not 'always' enabled and does not request persistent presence or attempt to modify other skills or system settings. Autonomous invocation is allowed by platform default but does not combine with other concerning factors here.
Assessment
This is a coherent, instruction-only YARA-X authoring guide. Before using it: (1) only run yr scan/check/format on test or consented samples — avoid pointing it at sensitive production files; (2) install yara-x from official sources (brew/cargo crates.io) if needed; (3) review any auto-generated rules before deploying to detection infrastructure to avoid false positives; (4) if you allow an agent to run these commands autonomously, restrict its filesystem scope to analysis directories so it cannot access unrelated data.

Like a lobster shell, security has layers — review code before you run it.

detectionvk97313gnt4qyvtrke4ytg6sa7s8360hjlatestvk97313gnt4qyvtrke4ytg6sa7s8360hjmalwarevk97313gnt4qyvtrke4ytg6sa7s8360hjsignaturesvk97313gnt4qyvtrke4ytg6sa7s8360hjthreat-huntingvk97313gnt4qyvtrke4ytg6sa7s8360hjyaravk97313gnt4qyvtrke4ytg6sa7s8360hj
148downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
Solomon Neas@solomonneas
detectionlatestmalwaresignaturesthreat-huntingyara
Download

YARA-X Rule Authoring

Write detection rules that catch malware without drowning in false positives. Based on Trail of Bits methodology.

Core Principles

  1. Strings must generate good atoms — YARA extracts 4-byte subsequences for fast matching. Strings with repeated bytes, common sequences, or under 4 bytes force slow bytecode scans.
  2. Target specific families, not categories — "Detects ransomware" is useless. "Detects LockBit 3.0 config extraction routine" is useful.
  3. Test against goodware — Validate against clean file sets before deployment.
  4. Short-circuit with cheap checks firstfilesize < 10MB and uint16(0) == 0x5A4D before expensive string searches.
  5. Metadata is documentation — Future you needs to know what this catches and why.

YARA-X Basics

YARA-X is the Rust successor to legacy YARA: 5-10x faster, better errors, built-in formatter, stricter validation, new modules (crx, dex).

Install: brew install yara-x / cargo install yara-x Commands: yr scan, yr check, yr fmt, yr dump

Rule Template

import "pe"

rule FamilyName_Variant_Technique : tag1 tag2 {
    meta:
        author      = "Solomon Neas"
        date        = "2026-02-14"
        description = "Detects [specific behavior] in [malware family]"
        reference   = "https://..."
        tlp         = "TLP:WHITE"
        hash        = ""
        score       = 75  // 0-100 confidence

    strings:
        // Unique strings from the sample
        $api1 = "VirtualAllocEx" ascii
        $api2 = "WriteProcessMemory" ascii
        $str1 = { 48 8B 05 ?? ?? ?? ?? 48 85 C0 }  // hex with wildcards
        $pdb  = /[A-Z]:\\.*\\Release\\.*\.pdb/ nocase

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and
        (2 of ($api*) and $str1) or
        $pdb
}

Naming Convention

Family_Variant_Technique — examples:

  • Emotet_Loader_DocumentMacro
  • CobaltStrike_Beacon_x64
  • Generic_Cryptominer_XMRig

String Selection

Good strings (unique, specific):

  • Mutex names, PDB paths, C2 URLs
  • Unique byte sequences from disassembly
  • Custom encryption constants
  • Uncommon API call sequences

Bad strings (too common, high FP):

  • http://, https://, common API names alone
  • Single common words, short strings (<4 bytes)
  • Strings found in Windows system files

Condition Patterns

// Performance-ordered (cheap → expensive)
condition:
    uint16(0) == 0x5A4D and     // Magic bytes (instant)
    filesize < 10MB and          // Size filter (instant)
    2 of ($unique*) and          // String matching (fast)
    pe.imports("kernel32.dll")   // Module check (slower)

Common magic bytes:

PlatformCheck
PE (Windows)uint16(0) == 0x5A4D
ELF (Linux)uint32(0) == 0x464C457F
Mach-O 64-bituint32(0) == 0xFEEDFACF
PDFuint32(0) == 0x25504446
Office/ZIPuint32(0) == 0x504B0304

Performance Rules

  1. Put filesize and magic byte checks FIRST in condition
  2. Never use unbounded regex like /.*/
  3. Avoid for all with complex conditions on large files
  4. Use ascii or wide, not both unless needed
  5. Hex strings with specific bytes > wildcards > regex
  6. Use at for fixed offsets instead of scanning entire file

Testing

# Validate syntax
yr check rules/

# Scan a sample
yr scan rules/my_rule.yar suspicious_file.exe

# Scan directory
yr scan rules/ samples/ --threads 4

# Format rules consistently
yr fmt rules/my_rule.yar

False Positive Reduction

  • Add filesize constraints (malware has typical size ranges)
  • Require multiple string matches (2 of ($str*) not any of)
  • Exclude known good paths/publishers via not conditions
  • Score-based approach: assign confidence scores in metadata, triage by threshold
  • Test against goodware corpus before deployment

Reference

Full methodology, module docs (pe, elf, crx, dex), and migration guide from legacy YARA: https://github.com/trailofbits/skills/tree/main/plugins/yara-authoring

Comments

Loading comments...