Yara is a rule-matching tool. Because it can match both text and binary files, it is used for signature-based malicious code detection; its official website is here. It does not seem to be widely used in China yet, so this post gives a brief introduction to setting it up and lists the tools it depends on.


1. gcc and g++
   gcc is not installed by default on CentOS; install it with:
   $ sudo yum install gcc
   g++ is not installed by default either. Install it together with autoconf and automake, which yara's build also needs:
   $ sudo yum install gcc-c++ autoconf automake

2. Yara
2.1 PCRE
   Before installing yara, make sure PCRE is installed on your system. Otherwise, either download the PCRE source package from

   ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.33.tar.gz

   unpack it and, from the unpacked directory, install it (this puts the library under /usr/local/lib, which matters in 2.2 below):
       $ ./configure
       $ make
       $ sudo make install

   or install pcre and pcre-devel with yum (the -devel package provides the headers yara's configure script looks for):

       $ sudo yum install pcre pcre-devel

   On Debian/Ubuntu the equivalent packages are:

       $ sudo apt-get install libpcre3 libpcre3-dev



2.2 Yara
   After installing PCRE, build and install yara from its source directory:
   $ ./configure
   $ make
   $ sudo make install

   Run yara to check whether it works.

   Problems you may come across:
   1)
   After installing yara, it did not work at first because it could not find libpcre.so.1. Running
       $ ldd yara
   showed that yara cannot locate the dynamic library libpcre.so.1, even though the library is present in /usr/local/lib: that is where a PCRE built from source is installed, and on CentOS it is not on the dynamic loader's default search path. What you need to do is add that directory to the loader's search path. You can do this in one of two ways:
       i)
           add a line containing /usr/local/lib to /etc/ld.so.conf (or to a new file under /etc/ld.so.conf.d/, which that file includes):
           $ sudo vi /etc/ld.so.conf
       and then run
           $ sudo ldconfig
       to rebuild the loader cache. This is system-wide and persistent.
       ii)
           set the environment variable LD_LIBRARY_PATH:
           export LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/usr/local/lib"
       Note the leading $: without it the variable is set to the literal string LD_LIBRARY_PATH:/usr/local/lib. This only affects the current shell and the processes it starts, so it has to be repeated in every session (or put in your shell profile).

       Whichever way you choose, make sure /usr/local/lib is owned by root and not writable by other users: any directory on the loader search path is a place where a local user could plant a fake libpcre.so.1 that yara, and everything else linked against PCRE, would load.

       See the following page for more options:
       http://blog.globstudio.com/373.html
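A post-install check that ties the steps above together, as an added example (my own script, not code from the original post or the yara project): it parses ldd output for unresolved libraries (on a constructed sample, and on the real yara binary when one is on PATH), checks whether /usr/local/lib is already listed in /etc/ld.so.conf so the fix is not applied twice, warns if that directory is writable by non-owners, and runs a one-rule smoke test against a file it creates itself. It assumes the binary is named yara, that ldd prints unresolved entries in the GNU format "lib => not found", and that the ld.so.conf-style file lists one directory per line.

```shell
#!/bin/sh
# Added example, not code from the original post or the yara project.
# Post-install checks for a yara linked against a PCRE built from source
# into /usr/local/lib. Assumptions: the binary is "yara" on PATH, ldd prints
# unresolved libraries as "<lib> => not found", and the ld.so.conf-style
# file lists one directory per line.

# Read ldd output on stdin, print the names of libraries the loader could not
# resolve, and return 1 if there was at least one.
missing_libs() {
    awk '/=> not found/ { print $1; missing = 1 } END { exit missing + 0 }'
}

# Return 0 if directory $1 appears as a line of its own in the
# ld.so.conf-style file $2 (so a second "fix" does not add a duplicate line).
ld_path_registered() {
    grep -qxF "$1" "$2" 2>/dev/null
}

# Return 0 if directory $1 is group- or world-writable. A directory on the
# loader search path must not be: anyone who can write to it could drop a
# fake libpcre.so.1 that yara (and everything else linked against PCRE) loads.
loader_dir_unsafe() {
    unsafe_mode=$(ls -ld "$1" | cut -c1-10)    # e.g. drwxrwxrwx
    case "$unsafe_mode" in
        ?????w*|????????w*) return 0 ;;        # 6th char: group w, 9th: other w
    esac
    return 1
}

# Compile a one-rule ruleset and scan a file that matches it; return 0 when
# yara prints the rule name, i.e. when the installed binary really works.
yara_smoke_test() {
    smoke_dir=$(mktemp -d) || return 1
    cat > "$smoke_dir/hello.yar" <<'EOF'
rule hello_world
{
    strings:
        $s = "hello"
    condition:
        $s
}
EOF
    printf 'say hello to yara\n' > "$smoke_dir/sample.bin"
    smoke_out=$(yara "$smoke_dir/hello.yar" "$smoke_dir/sample.bin" 2>&1)
    smoke_rc=$?
    rm -rf "$smoke_dir"
    # yara prints "<rule name> <file>" for each match
    [ "$smoke_rc" -eq 0 ] && [ "${smoke_out#hello_world}" != "$smoke_out" ]
}

# Constructed sample of ldd output from a yara that cannot find libpcre.so.1.
SAMPLE_LDD='	linux-vdso.so.1 =>  (0x00007fff3c5ff000)
	libpcre.so.1 => not found
	libc.so.6 => /lib64/libc.so.6 (0x00007f2b1a0e0000)'

if missing=$(printf '%s\n' "$SAMPLE_LDD" | missing_libs); then
    echo "sample ldd output: all libraries resolved"
else
    echo "sample ldd output: unresolved: $missing"
fi

# Real checks, only when a yara binary is actually installed.
if command -v yara >/dev/null 2>&1; then
    if missing=$(ldd "$(command -v yara)" | missing_libs); then
        yara_smoke_test && echo "yara: libraries resolved and test rule matched"
    else
        echo "yara: unresolved libraries: $missing"
        ld_path_registered /usr/local/lib /etc/ld.so.conf \
            || echo "hint: /usr/local/lib is not in /etc/ld.so.conf; add it and run: sudo ldconfig"
    fi
    [ -d /usr/local/lib ] && loader_dir_unsafe /usr/local/lib \
        && echo "warning: /usr/local/lib is writable by non-owners; fix with: sudo chmod 755 /usr/local/lib"
fi
```

Save it as, say, check-yara.sh and run `sh check-yara.sh` after `make install`; the hint and warning lines tell you which of the two fixes above is still missing, and the smoke test confirms the binary not only starts but actually matches a rule.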

2.3 Yara python
   From the source tree of the yara-ctypes Python binding, run
       $ python setup.py install
       $ python setup.py test
       $ yara-ctypes -h
   or install it from PyPI:
       $ pip install yara
       $ yara-ctypes -h
   Note that the PyPI package named yara is the yara-ctypes binding, which loads the libyara you just built through ctypes (so the library path fix from 2.2 applies to it as well); the official binding is the separate yara-python package.