Your YARA rule should follow this structure. The rule name and the condition section are required; all other sections are optional.
rule Example_Rule : FILE
{
    /*
     * Template rule showing each supported string type and modifier.
     * The tag after the colon (FILE) is a label attached to the rule;
     * this page does not define what it means to the consuming tool.
     */
    meta:
        // Free-form key/value pairs. They document the rule and appear in
        // match output, but the condition cannot test them.
        description = "Example YARA rule demonstrating supported features"
        author = "Your Name"
        date = "2024-01-01"
        reference = "https://example.com"

    strings:
        // Plain text, matched as single-byte characters, ignoring case.
        $ascii_string = "example text" ascii nocase

        // "wide" interleaves a zero byte after every character. That covers
        // ASCII text stored as UTF-16LE; it is not a general UTF-16 matcher
        // and will not find non-ASCII characters.
        $wide_string = "wide text" wide

        // Hex pattern: "Hello", then any one byte (??), then "World".
        $hex_string = { 48 65 6C 6C 6F ?? 57 6F 72 6C 64 }

        // Hex pattern with a jump: "AB", then 2 to 5 arbitrary bytes, then "CD".
        $hex_range = { 41 42 [2-5] 43 44 }

        // Regular expression: "example", one or more digits, "pattern".
        $regex_string = /example\d+pattern/ ascii

        // "fullword" matches only where the text is delimited by
        // non-alphanumeric characters on both sides.
        $fullword_string = "fullword" ascii fullword

        // "base64" searches for the base64-encoded forms of the text
        // (one per possible alignment), not for the literal text itself.
        $base64_string = "base64text" base64

        // Several modifiers at once: ASCII and wide forms, either case.
        // NOTE: a string this short and generic is fine for a demo, but in a
        // production rule it matches widely and slows scanning; prefer longer,
        // distinctive strings.
        $combined_string = "text" ascii wide nocase

    condition:
        // Fire when at least three of the strings defined above are found.
        3 of them

        // Alternative conditions you can substitute for the line above:
        //   all of ($ascii_string, $hex_string)
        //   any of ($wide_string*)      <- "*" covers every identifier with that prefix
        //   $regex_string and filesize < 100KB
        //
        // NOTE: YARA's compiler rejects a rule that defines a string the
        // condition never references. If you switch to a narrower condition,
        // delete the strings it no longer uses.
}