YARA Rules
YARA rules provide advanced pattern matching capabilities for detecting specific patterns in HTTP requests. These rules are particularly useful for identifying complex attack patterns and suspicious behavior.
Configuration Structure
yara:
- name: test
action: log
rule: |
rule BlockBadHostAndUserAgent {
condition:
http_request_method == "GET" and
http_request_headers_user_agent contains "curl"
}
enabled: true
Configuration Options
Name
- Type: String
- Required: Yes
- Description: Unique identifier for the YARA rule
- Example:
name: "test"
Action
- Type: String
- Required: Yes
- Options:
block,log - Description: Action to take when the rule matches
block: Block the requestlog: Log the request but allow it to proceed- Example:
action: "log"
Rule
- Type: String
- Required: Yes
- Description: YARA rule definition
- Example: See below for detailed examples
Enabled
- Type: Boolean
- Default:
true - Description: Whether the rule is active
- Example:
enabled: true
Supported fields
| Field | Description |
|---|---|
http_request_method |
The HTTP method of the request (GET, POST, PUT, DELETE, etc_) |
http_request_headers |
All HTTP headers in the request |
http_request_body |
The raw body content of the request |
http_request_uri_query |
The query string parameters of the request |
http_request_uri_full |
The complete URI including protocol, host, path, and query |
http_request_uri_scheme |
The protocol scheme (http, https) |
http_request_uri_host |
The hostname from the request |
http_request_uri_port |
The port number from the request |
http_request_uri_path |
The path portion of the URI |
ip_src |
The source IP address of the request |
ip_src_country |
The country of origin based on the source IP |
ip_src_city |
The city of origin based on the source IP |
YARA Rule Syntax
YARA rules follow a specific syntax for pattern matching. Here are some common patterns:
Basic Rule
Header Matching
rule: |
rule HeaderMatch {
condition:
http_request_headers_user_agent contains "bot" and
http_request_headers_content_type == "application/json"
}
Path Matching
rule: |
rule PathMatch {
condition:
http_request_uri_path contains "/admin" or
http_request_uri_path contains "/wp-admin"
}
Complex Conditions
rule: |
rule ComplexMatch {
condition:
(http_request_method == "POST" and
http_request_headers_content_type == "application/json") or
(http_request_method == "GET" and
http_request_uri_path contains "/api/")
}
Best Practices
- Start with logging rules before blocking
- Use descriptive rule names
- Test rules in a staging environment
- Keep rules organized and documented
- Use comments to explain complex rules
Example Configurations
Basic Security Rules
yara:
- name: "detect-bad-bots"
action: log
rule: |
rule DetectBadBots {
condition:
http_request_headers_user_agent contains "bad-bot" or
http_request_headers_user_agent contains "scraper"
}
enabled: true
Advanced Security Rules
yara:
- name: "detect-sql-injection"
action: block
rule: |
rule DetectSQLInjection {
condition:
http_request_uri_query contains "SELECT" or
http_request_uri_query contains "UNION" or
http_request_uri_query contains "DROP"
}
enabled: true
Common Use Cases
- Bot Detection: Identify and block malicious bots
- SQL Injection: Detect SQL injection attempts
- XSS Detection: Identify cross-site scripting attempts
- Path Protection: Monitor access to sensitive paths
- API Protection: Protect API endpoints from abuse