EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationyarasnortsuricata

Network Signatures and YARA Rules

Writing YARA rules for endpoint detection and Snort/Suricata rules for network detection — rule structure, string modifiers, condition logic, and how to test and validate both rule types against real samples.

Ashish Revar12 May 202616 min read2 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

Spotting Forensic Gold in Malware Strings

Discover how malware analysts extract hidden intelligence from embedded strings — URLs, registry paths, API call sequences, and C2 artefacts that reveal attacker behaviour and seed your IOC list.

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

YARA Documentation — Official

Official YARA documentation covering all string types, modifiers, condition operators, and modules.

reference
Neo23x0 Signature Base — Community YARA Rules

High-quality community YARA rules by Florian Roth. Study the rule structure and condition patterns used by experienced analysts.

reference
Suricata Rule Writing Guide

Official Suricata rule documentation covering all options, flow keywords, and content modifiers.

reference
More articlesTest your knowledge

From Analysis to Defence

After analysing a malware sample, the analyst produces defensive signatures that security tools can deploy immediately. Two signature types cover the two detection domains:

  • YARA rules — match file content on disk or in memory at the endpoint
  • Snort/Suricata rules — match network traffic at the sensor

Together they provide defence in depth: YARA stops the file if it reaches a host, Snort/Suricata blocks the C2 communication at the network perimeter.

YARA Rules

YARA is a pattern-matching tool for files and memory. A YARA rule has three sections: metadata, strings, and condition.

Rule structure

rule Detect_Dropper_C2 {
    meta:
        description = "Detects dropper with hardcoded C2"
        author      = "Ashish Revar, SITAICS"
        date        = "2026-05-12"
        hash        = "abc123..."

    strings:
        $mz   = { 4D 5A }                           // PE magic bytes
        $cmd  = "cmd.exe /c" ascii nocase
        $url  = "http://evil.com/gate.php" wide ascii
        $ua   = "Mozilla/5.0 (compatible)" ascii
        $mutex = "Global\\MicrosoftUpdateService3"

    condition:
        $mz at 0 and 2 of ($cmd, $url, $ua, $mutex)
}

String types and modifiers

TypeSyntaxWhat It Matches
Plain string$s = "cmd.exe"Exact byte sequence
ascii$s = "cmd.exe" asciiASCII encoding (default)
wide$s = "cmd.exe" wideUTF-16LE encoding (Windows Unicode)
nocase$s = "cmd.exe" nocaseCase-insensitive
fullword$s = "cmd" fullwordOnly standalone word — not "cmdline"
Hex bytes$s = { 4D 5A ?? 00 }Byte pattern with ?? wildcards
Hex with jumps$s = { 4D 5A [2-4] 50 45 }Variable-length gap between bytes
Regex$s = /https?:\/\/[0-9.]{7,15}\/gate/ nocaseRegular expression

Condition logic

condition:
    $mz at 0                     // PE file (MZ at offset 0)
    and filesize < 500KB          // reasonable size
    and 2 of ($cmd, $url, $ua)   // at least 2 of 3 IOC strings
    and not $mutex               // exclude known false positive

Operators: and, or, not, all of, any of, N of, at, in

Writing effective YARA rules

Good rule: specific enough to avoid false positives, broad enough to catch variants

// Too specific — fails if one byte changes
$url = "http://185.220.101.47/gate.php"

// Better — matches the gate endpoint pattern across IP variants
$url = /https?:\/\/[0-9.]{7,15}\/gate\.php/

// Too broad — matches almost any Windows binary
$cmd = "cmd.exe"

// Better — matches the specific abuse pattern
$cmd = "cmd.exe /c vssadmin delete shadows" nocase

Testing YARA rules

# Test against a single file
yara rule.yar suspicious.exe

# Test recursively against a directory
yara -r rule.yar malware_samples/

# Verify no false positives against clean files
yara rule.yar C:\Windows\System32\notepad.exe
# Should produce NO output

# Scan memory of a running process
yara -p 3412 rule.yar

Snort / Suricata Rules

Snort and Suricata inspect network traffic in real time, alerting when C2 patterns cross the sensor.

Rule structure

action proto src_ip src_port direction dst_ip dst_port (options)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (
    msg:"Malware C2 beacon — custom User-Agent";
    flow:established,to_server;
    content:"User-Agent: Mozilla/5.0 (compatible)";
    content:"POST /gate.php";
    sid:1000042;
    rev:1;
)

Key options

OptionPurposeExample
flowConnection direction and stateflow:established,to_server
contentExact byte matchcontent:"POST /gate.php"
pcrePerl-compatible regexpcre:"/gate\.php\?id=[A-F0-9]{16}/i"
nocaseCase-insensitive matchcontent:"user-agent"; nocase
distanceNext content N bytes after previousdistance:0
withinNext content within N bytes of previouswithin:50
dsizeMatch on packet data sizedsize:>100
thresholdAlert rate limitingthreshold:type limit, track by_src, count 1, seconds 60

Example: DGA domain detection

alert udp $HOME_NET any -> any 53 (
    msg:"Possible DGA domain query — high entropy hostname";
    content:"|01 00 00 01 00 00 00 00 00 00|";
    pcre:"/[a-z]{12,20}\.(com|net|org|info)\x00/i";
    sid:1000043;
    rev:1;
)

flow:established,to_server explained

  • established — TCP three-way handshake completed
  • to_server — traffic flowing from client to server (outbound from $HOME_NET)

This combination matches only genuine C2 POST requests — not SYN packets, not server responses.

Defence in Depth: Combining Both

Network perimeter:
  Snort/Suricata rule → blocks C2 communication
  → Catches malware that reached the host but fires its beacon

Endpoint:
  YARA rule → detects the file on disk or in memory
  → Catches malware before or during execution

Together:
  If YARA misses a new variant → Snort catches the beacon
  If Snort misses encrypted C2 → YARA catches the file

YARA Rule Sources

SourceURLContent
YARA-Rules projectgithub.com/Yara-Rules/rulesCommunity rules for major families
Mandiant/FireEyegithub.com/mandiant/red_team_tool_countermeasuresRules for APT tools
Neo23x0 (Florian Roth)github.com/Neo23x0/signature-baseHigh-quality community rules
CAPE outputLocal CAPE instanceAuto-generated rules from extracted configs

Always test community rules against a clean file corpus before deployment — false positive rates vary significantly.