logo mlab Mlab.sh
v1.6.3
Legal Page
Mlab.sh
Tools
Vuln Search
CVE & vulnerability lookup
What is it?
Self-hosted IR platform
Pricing
Plans & pricing
Documentation
Get started in minutes
Announcements
Latest releases & updates
What is it?
DORA-compliant TPRM platform
Pricing
Plans & pricing
Documentation
Deploy in minutes
Announcements
Latest releases & updates
Architect Tools

YARA Rule Builder

Build, preview and export valid YARA rules directly from your browser. No compilation required — everything runs client-side.

Requirements: The YARA Rule Builder is available exclusively to Pro, Team and Enterprise subscribers. You must be logged in with an active subscription. View plans →

This tool is fully client-side. No data is sent to any server — your rules stay in your browser.

1

Rule structure overview

A YARA rule follows a well-defined structure. The builder generates all sections for you:

example.yar 
import "pe"

private rule detect_packer : malware packer {
    meta:
        author = "Alice"
        description = "Detects UPX-packed binaries"

    strings:
        $s1 = "UPX0" ascii
        $s2 = { 55 50 58 21 }

    condition:
        all of them and filesize < 500KB
}
  • import — optional module imports (pe, elf, dotnet, etc.)
  • rule declaration — name, optional tags, optional private / global modifiers
  • meta — descriptive key-value metadata
  • strings — patterns to match (text, hex, or regex)
  • condition — boolean logic that determines a match
2

Rule name, tags & modifiers

Rule name

Must start with a letter or underscore, followed by letters, digits or underscores. Maximum 128 characters. Example: detect_emotet_v2

Tags (optional)

Space-separated identifiers appended after the rule name with a colon. Used to categorize rules. Example: rule my_rule : malware trojan banker { ... }

private modifier

A private rule does not appear in YARA output. It is only used as a building block referenced by other rules.

global modifier

A global rule's condition must be satisfied for every other rule to match. Useful for scoping (e.g., global rule is_pe { condition: pe.is_pe }).

3

Meta section

The meta section holds descriptive information about the rule. Each line follows the format key = "value". Common keys:

  • author — rule author name
  • description — what the rule detects
  • date — creation or last modification date
  • reference — URL or report reference
  • hash — sample hash for validation
  • severity / tlp — classification metadata

Integer and boolean values can be unquoted: severity = 8 or in_the_wild = true.

4

String types

The builder supports the three YARA string types:

Text strings

Quoted ASCII text. Example: $s1 = "malware"

Hex strings

Raw byte patterns. Example: $h1 = { 4D 5A 90 00 }

Regex strings

Regular expressions. Example: $r1 = /https?:\/\/[^\s]+/

5

String modifiers

Modifiers change how strings are matched. Availability depends on the string type:

Flags (text & regex only)

nocase — case-insensitive matching
ascii — match ASCII encoding (default for text strings)
wide — match UTF-16 little-endian encoding
fullword — match only at word boundaries

Helpers (text only)

xor — match XOR-encoded variants. Optional range: xor(0x01-0xff)
base64 — match base64-encoded variants
base64wide — match base64 + wide-encoded variants

Hex strings

Hex strings do not support any modifier. They only accept hex digits, spaces, wildcards (?), alternations (|), jumps ([4-6]), and grouping (( )).

6

Modules

Modules extend YARA with format-aware inspection. Enable modules via checkboxes — the builder generates the corresponding import statements.

pe

Windows PE analysis (sections, imports, exports, resources)

elf

Linux ELF binary analysis

macho

macOS Mach-O binary analysis

dotnet

.NET assembly inspection (classes, methods, GUIDs)

dex

Android DEX file analysis

math

Mathematical functions (entropy, mean, deviation)

hash

Cryptographic hashes (MD5, SHA-1, SHA-256, CRC32)

time

Time-based conditions (useful for time-bombed malware)

console

Debug output during rule execution

string

String manipulation functions

cuckoo

Cuckoo sandbox behavioral signatures

7

Conditions

The condition section determines when a rule matches. The builder offers guided modes and extra condition helpers:

Guided modes

any of them — at least one string matches
all of them — every string matches
N of them — at least N strings match
Custom expression — write your own condition freely

Extra condition: filesize

Constrain matches by file size. Supports <, >, == with KB, MB, or byte units.
Example: filesize < 500KB

Extra condition: entrypoint

Match a string at the binary entry point.
Example: $s1 at entrypoint

Extra condition: at offset / in range

Match a string at a specific offset or within a byte range.
Examples: $s1 at 0 · $s1 in (0..1024)

Extra condition: string occurrence count

Count how many times a string appears using the # operator.
Example: #s1 > 3 (string $s1 appears more than 3 times)

Extra conditions are appended with and to the main condition. For advanced logic, use the Custom expression mode to write full boolean expressions with and, or, not, parentheses, for...of loops, string offsets (@s1), and more.

8

Export & usage

Once your rule is ready, you can:

  • Copy — copy the rule to your clipboard (with visual confirmation)
  • Download — save as a .yar file

The generated rule is valid YARA syntax and can be used directly with yara CLI, YARA-X, or any YARA-compatible scanner.

Tips & best practices

  • Use descriptive rule names: apt28_dropper_v2 is better than rule1
  • Always add author, description and date in meta
  • Combine wide and ascii to catch both encodings
  • Use filesize constraints to avoid false positives on large files
  • Use private rules for reusable building blocks
  • Test your rules against known samples before deploying to production
  • Use tags to organize rules by threat family, TLP, or campaign