Execute a YARA search
Learn how to write a YARA rule, test it, run it across live telemetry, and execute retrohunts against historical data.
Validin provides an environment for developing, testing, and executing YARA rules across global web infrastructure and linking those rules to threat-hunting Projects.
Analysts can scan parsed HTTP response bodies for phishing kits, injected JavaScript, credential harvesters, and other malicious web content by writing a rule, validating it, and executing it at scale.
For details on YARA syntax and conventions, read the official specification.
YARA compatibility: Validin supports YARA-X rule syntax. The feature is currently in beta and is limited to HTTP response bodies; rule behaviour and the UI may change as improvements are released.
Access the Validin YARA Playground
To begin writing a rule:
- Open a Project.
- Select the YARA Rules tab.
- Select Add Rule to open the YARA Playground.
The interface provides a Rule Editor, a Test Document panel, and supporting validation tools.
Write a YARA rule
To define the conditions you want to search for, enter a rule into the editor.
```yara
rule Suspicious_JS_Injection {
    meta:
        description = "Detects suspicious JavaScript injection markers"
    strings:
        // Both strings are common in benign pages; this rule is a starting
        // point for testing, not a production detection
        $s1 = "<script>"
        $s2 = "eval("
    condition:
        // Match if either string appears anywhere in the response body
        any of them
}
```
Getting started: Begin with simple conditions so that you can verify match precision during testing, then tighten the rule before running it at scale.
Test the rule
Before running a global search, validate the rule locally against a sample document. This lets you refine the rule quickly without waiting for a full search:
- Edit or replace the Test Document panel content to simulate HTML or script content.
- Select Run test.
- Review the matches in the Test Matches tab below the editor.
- Check the Problems tab to identify syntax errors or rule issues.
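The rule above matches almost every page on the web, because `<script>` and `eval(` are common in benign content. The rules below are an added example, not part of the Validin documentation or a Validin-supplied rule set, showing how to tighten the same idea before saving it: one rule requires an inline script combined with a decoding primitive, and one targets a credential-harvesting login form. The test document in the leading comment is constructed for this example; the `author` value is a placeholder, and `filesize` is assumed to refer to the length of the HTTP response body being scanned.

```yara
/*
   Constructed test document for the Test Document panel (not a real kit).
   Both rules below should match it:

   <html><head><title>Account Verification</title>
   <script>eval(atob("YWxlcnQoMSk="));</script></head>
   <body><p>Your session has expired. Verify your account.</p>
   <form action="login.php" method="post">
     <input name="email"><input name="pass" type="password">
   </form></body></html>
*/

rule Obfuscated_Inline_JS
{
    meta:
        description = "Inline script that evaluates decoded or obfuscated content"
        author = "example"   // placeholder value
    strings:
        // An inline script tag, with optional attributes
        $inline = /<script[^>]{0,200}>/ nocase
        // eval() on its own is noisy; require a decoding primitive beside it
        $eval   = /\beval\s*\(/
        $atob   = /\batob\s*\(/
        $unesc  = /\bunescape\s*\(/
        $fromcc = "String.fromCharCode"
        // Long run of \xNN escapes, typical of packed or obfuscated payloads
        $hex    = /\\x[0-9a-f]{2}(\\x[0-9a-f]{2}){15,}/ nocase
    condition:
        $inline and $eval and ($atob or $unesc or $fromcc or $hex)
}

rule Credential_Harvester_Form
{
    meta:
        description = "Login form posting credentials to a loose PHP handler with lure text"
        author = "example"   // placeholder value
    strings:
        // A password input is required for a harvester
        $pw1  = "type=\"password\"" nocase
        $pw2  = "type='password'" nocase
        // A form that POSTs (attributes in any order, bounded to avoid runaway matching)
        $post = /<form[^>]{0,400}method\s*=\s*["']?post/ nocase
        // Kits usually submit to a flat PHP script rather than an API route
        $act  = /action\s*=\s*["'][^"']{0,100}\.php["']/ nocase
        // Lure phrases; constructed for this example, tune to the campaign you hunt
        $lure1 = "verify your account" nocase
        $lure2 = "session has expired" nocase
        $lure3 = "unusual sign-in activity" nocase
    condition:
        // Assumption: filesize is the length of the scanned HTTP response body;
        // the cap skips large bundles that are unlikely to be a bare login page
        filesize < 512KB and
        ($pw1 or $pw2) and $post and $act and
        any of ($lure*)
}
```

Paste the HTML from the comment into the Test Document panel and select Run test; both rules should appear under Test Matches. Then remove the `atob(` call or the `.php` action from the document and re-run to confirm that each rule drops out for the reason you expect. Only once the matches and non-matches behave as intended should you save the rule and run it against live telemetry.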
Execute the search
To run the rule against recently observed HTTP responses:
- Select Save.
- Return to the YARA Rules tab in the Project.
- Open the rule.
- Select View or the rule’s run action to execute it.
Validin evaluates the rule against live telemetry and displays results in the All Matches tab.
Interpreting match results
To understand each match, review the fields provided in the results table:
| Field | Description |
|---|---|
| Host/IP | The host or resolved IP address where the match occurred. |
| Port | Destination port for the HTTP request. |
| Response/Path | The requested path and the HTTP status of the response. |
| Title | The page title extracted from the HTTP response. |
| Bytes Received | Size of the returned content. |
| First Seen | Timestamp when the matched infrastructure was first observed. |
| Last Seen | Most recent observation of the matched resource. |
Selecting a result opens the full HTTP event, including HTML content, certificates, response banners, JARM fingerprints, and additional metadata.
