Finding Evil with YARA

  • Published: 25 Dec 2024

Comments • 17

  • @jeliazkozlatev3940
    @jeliazkozlatev3940 4 years ago +2

    OK, what about ports? Can I check which process or library tries to use a port with a YARA rule?

    • @13Cubed
      @13Cubed  4 years ago +1

      Yes - check the documentation here: yara.readthedocs.io/_/downloads/en/stable/pdf/. Look at page 52.

  • @austintylerpike
    @austintylerpike 4 years ago +2

    Great intro vid to YARA.

  • @dpsss100
    @dpsss100 3 years ago +1

    Love the video and a great fan of your work! Maybe it's a stupid question, but I don't understand the importance of the "wide" modifier. Why do we want to search for 2-byte ASCII strings? For an IPv4 address, wouldn't 1-byte ASCII be enough? Or am I understanding something wrong?

    • @13Cubed
      @13Cubed  3 years ago +2

      I would assume it is a result of the dotted decimal notation (not just the 8-bit value for each octet, but the literal dots/periods as well), but to be honest I am not certain. This is the standard convention I've always seen used.
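The following is an added example, not code from the video, the commenters, or the YARA project. It re-implements the search behaviour of YARA's `ascii` and `wide` string modifiers in plain Python and runs it over two constructed buffers, so the effect of `wide` on an IPv4 string can be seen directly: `wide` matches the two-byte-per-character (UTF-16LE) form that Windows binaries commonly use for their internal strings, which a plain one-byte `ascii` pattern never hits. The IP address is a constructed placeholder from the RFC 5737 documentation range, and both byte buffers are constructed for illustration.

```python
# Added example (not code from the video or the YARA project): a tiny
# re-implementation of how YARA's `ascii` and `wide` string modifiers
# search a buffer, run over two constructed byte buffers.

# Constructed placeholder IP from the RFC 5737 documentation range.
C2_IP = "192.0.2.10"

# The rule these functions imitate (shown for reference only):
#
#   rule c2_ip_ascii_wide {
#       strings:
#           $ip = "192.0.2.10" ascii wide
#       condition:
#           $ip
#   }


def wide_encode(text: str) -> bytes:
    """Encode text the way YARA's `wide` modifier expects it in scanned data:
    each character followed by a null byte (UTF-16LE for ASCII input).
    Windows executables commonly store their internal strings this way."""
    return text.encode("utf-16-le")


def find_all(data: bytes, needle: bytes) -> list:
    """Return every offset at which `needle` occurs in `data`."""
    offsets, start = [], 0
    while True:
        idx = data.find(needle, start)
        if idx == -1:
            return offsets
        offsets.append(idx)
        start = idx + 1


def search_string(data: bytes, text: str,
                  ascii_form: bool = False, wide_form: bool = False) -> list:
    """Mirror YARA semantics: a text string with no modifier is implicitly
    `ascii`; `wide` alone looks only for the two-byte form; `ascii wide`
    looks for both. Returns a sorted list of (offset, encoding) pairs."""
    if not ascii_form and not wide_form:
        ascii_form = True
    hits = []
    if ascii_form:
        hits += [(o, "ascii") for o in find_all(data, text.encode("ascii"))]
    if wide_form:
        hits += [(o, "wide") for o in find_all(data, wide_encode(text))]
    return sorted(hits)


# Constructed buffers standing in for two pieces of scanned data.
# A script or config that stores the address as plain one-byte ASCII:
SAMPLE_ASCII = b"\x00\x02http://" + C2_IP.encode("ascii") + b"/gate.php\x00"
# A fragment of a Windows PE whose strings are UTF-16LE (two bytes per char):
SAMPLE_WIDE = (b"MZ\x90\x00" + wide_encode("C:\\Users\\Public\\")
               + wide_encode(C2_IP) + b"\x00\x00")


def compare_modifiers(data: bytes, text: str = C2_IP) -> dict:
    """Evaluate the same string under the three modifier combinations and
    report whether each variant of the rule would fire on `data`."""
    return {
        "plain": bool(search_string(data, text)),
        "wide": bool(search_string(data, text, wide_form=True)),
        "ascii wide": bool(search_string(data, text, ascii_form=True, wide_form=True)),
    }


if __name__ == "__main__":
    for name, buf in (("SAMPLE_ASCII", SAMPLE_ASCII), ("SAMPLE_WIDE", SAMPLE_WIDE)):
        print(name, compare_modifiers(buf))
```

Running it shows that a rule with the bare string (implicitly `ascii`) fires only on the ASCII buffer and misses the PE-style buffer entirely, while `ascii wide` fires on both. That is the practical reason the `ascii wide` pair is the usual convention for indicators such as IP addresses, domains and file paths: the rule author rarely knows in advance which encoding the sample will use, and the cost of the second search is small.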

  • @abhaypratap5311
    @abhaypratap5311 5 years ago

    I want to make YARA rules to filter for domain typosquatting and IDN homograph attacks... How to do it? If you have suggestions, please tell me.

  • @arunrawat5476
    @arunrawat5476 4 years ago

    Someone told me that "YARA rules can also be used to convert a big data set in the form of clusters in machine learning" and that it has a different use on different platforms. Is it true?

  • @Leokhawarizmi
    @Leokhawarizmi 2 years ago +1

    Please make more videos about malware analysis

    • @13Cubed
      @13Cubed  2 years ago +1

      Appreciate the feedback -- I'm not an RE, but I will consider any other content of this type that I could share that might be of value to the community.

    • @Leokhawarizmi
      @Leokhawarizmi 2 years ago +1

      @13Cubed
      Can't wait to see your next awesome lectures.

  • @desheen5056
    @desheen5056 5 years ago

    Well explained, thank you very much for your effort. YARA is used in IDS systems, right?

    • @13Cubed
      @13Cubed  5 years ago

      Thanks, and yes, many IDS/IPSs support YARA rules.

  • @kyaw-pyiythtet431
    @kyaw-pyiythtet431 5 years ago

    Thank you for the YARA video!!!!! May I hope for an RE-on-malware video from you?

  • @jelluh24
    @jelluh24 5 years ago

    Do virus scanners use the same technique? Is YARA better?

    • @13Cubed
      @13Cubed  5 years ago +1

      Some AV products and endpoint security solutions (including application whitelisting products like Carbon Black) can use YARA rules as part of their scanning engines. However, YARA is an independent tool and provides a simple and efficient way of writing your own rules. It is very useful for malware research, or for rolling your own search logic. So they are related, but one is not better than the other.

    • @eatmypewpewz
      @eatmypewpewz 5 years ago +1

      YARA is open source, and facilitates the sharing of signatures as opposed to commercial virus signatures. It also has applications for categorizing similar malware by family based on code overlap, and can be used to search services like VirusTotal for related samples.

  • @加藤チャンネル-k3v
    @加藤チャンネル-k3v 5 years ago

    Shall we YARA? (pun on やらないか, "shall we do it?")