YARA Rules

Built-in detection rule library

vibeware.yar

Detects known vibeware signatures and packed PE patterns. Targets strings, byte sequences, and import hash combinations commonly observed in LLM-assisted dropper samples.

rule packed_pe_vibeware
{
    meta:
        description = "Detects packed PE with vibeware characteristics"
        severity = "high"

    strings:
        $mz = { 4D 5A }                            // DOS "MZ" header
        $upx0 = "UPX0" ascii                       // UPX packer section names
        $upx1 = "UPX1" ascii
        $vibe_str = "vibe_payload" ascii nocase

    condition:
        $mz at 0 and filesize < 5MB and ($upx0 or $upx1 or $vibe_str)
}

entropy.yar

Flags high-entropy sections indicative of packing, encryption, or embedded shellcode. Uses section-level entropy calculations to surface obfuscated payloads that evade static signature matching.

import "pe"
import "math"

rule high_entropy_section
{
    meta:
        description = "PE section with suspiciously high entropy"
        severity = "medium"

    condition:
        uint16(0) == 0x5A4D and                    // "MZ" as a little-endian uint16
        for any section in pe.sections : (
            math.entropy(section.raw_data_offset, section.raw_data_size) > 7.2
        )
}
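
The following Python is an added example, not code from the rule library or from this project. It reimplements what entropy.yar evaluates so the threshold can be inspected outside YARA: it parses the PE section table, computes the Shannon entropy of each section's raw data, and reports sections above 7.2 bits per byte. The PE image it scans is constructed inside the script (section names, a zero-filled optional header and the seeded pseudo-random ".packed" section standing in for encrypted or compressed content are all assumptions for the demonstration).

```python
"""Section-level entropy check mirroring entropy.yar (added example, not project code)."""
import math
import random
import struct
from collections import Counter

ENTROPY_THRESHOLD = 7.2  # same bits-per-byte threshold the entropy.yar rule uses


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0); 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(buf: bytes):
    """Yield (name, raw_offset, raw_size) for each section header of a PE image.

    Minimal parser: MZ check, e_lfanew, "PE\\0\\0" signature, COFF header, section table.
    Stops silently on anything that is not a well-formed PE.
    """
    if len(buf) < 0x40 or struct.unpack_from("<H", buf, 0)[0] != 0x5A4D:  # uint16(0) == 0x5A4D
        return
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return
    num_sections = struct.unpack_from("<H", buf, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", buf, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(buf):
            return
        name = buf[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_off = struct.unpack_from("<II", buf, off + 16)  # SizeOfRawData, PointerToRawData
        yield name, raw_off, raw_size


def high_entropy_sections(buf: bytes, threshold: float = ENTROPY_THRESHOLD):
    """Return [(name, entropy)] for sections whose raw data exceeds `threshold`.

    Sections with no raw data (e.g. .bss) or with raw data outside the file are
    skipped instead of scored, so a header-only section cannot cause a hit.
    """
    hits = []
    for name, raw_off, raw_size in pe_sections(buf):
        if raw_size == 0 or raw_off + raw_size > len(buf):
            continue
        ent = shannon_entropy(buf[raw_off:raw_off + raw_size])
        if ent > threshold:
            hits.append((name, round(ent, 2)))
    return hits


def build_sample_pe(sections):
    """Construct a minimal PE image from [(name_bytes, data)] (constructed test input).

    Only the header fields the parser reads are meaningful; the optional header is
    zero-filled and file alignment is omitted to keep the image small.
    """
    e_lfanew, opt_size = 0x40, 0xE0
    data_off = e_lfanew + 24 + opt_size + 40 * len(sections)
    image = bytearray(b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew))
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    image += b"\0" * opt_size
    body = bytearray()
    for name, data in sections:
        image += name.ljust(8, b"\0")[:8] + struct.pack(
            "<IIIIIIHHI", len(data), 0x1000, len(data), data_off + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    return bytes(image + body)


# Constructed sample: readable text, seeded pseudo-random bytes standing in for a
# packed/encrypted payload, and an empty .bss-style section (all assumptions).
_rng = random.Random(2024)
PACKED = bytes(_rng.getrandbits(8) for _ in range(4096))
TEXT = b"This is ordinary readable program text. " * 64
SAMPLE_PE = build_sample_pe([(b".text", TEXT), (b".packed", PACKED), (b".bss", b"")])

if __name__ == "__main__":
    for name, ent in high_entropy_sections(SAMPLE_PE):
        print(f"{name}: entropy {ent} > {ENTROPY_THRESHOLD}")
```

Running the script reports only the ".packed" section: plain text lands around 4 bits per byte and native code typically stays below 6.5, while compressed or encrypted data approaches the 8.0 maximum, which is why 7.2 separates the two. The same property also produces expected hits on legitimately compressed resources (embedded archives, images, certificates), so a match from this rule is an indicator to triage, matching the medium severity the rule carries. The script skips sections with no raw data rather than scoring them; when writing your own YARA variant, check how the YARA version you deploy handles a zero-length range in math.entropy before relying on it.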

Custom Rules

You can extend the built-in rule library by mounting your own .yar files into the container at /app/rules/custom/. All files in that directory are compiled at startup and applied during the first pipeline stage.

Rules can also be synced dynamically via the YARA Rule Sync integration, which exposes a hot-reload endpoint that recompiles the rule set without restarting the service.

Community-contributed rules are reviewed and merged periodically. To submit a rule, open a pull request or visit the Community page.