Test yara rules

README.md

YARA Rules Tests

We have two folders called:

• yararules: here we put our custom yara rules
• yararules.test: here we put the test cases for the yararules custom yaras

For each .yar file inside the yararules folder, we should create a folder with the same name as the yara file inside the yararules.test/testcases folder.

• If the test case file starts with ok-* it means that the file should not match the yara file.
• If the test case file starts with vuln-* it means that the file should be known vulnerable by the yara rule.

Run tests

• Run prerequesties.ps1 to install YARA binaries (yara64 and yarac64) in case you haven't them installed.
• Run run-tests.ps1 to run all the tests.

Example

• yararules/my-rule.yar
• yararules.test/testcases/my-rule.yar/ok-test.jpg
• yararules.test/testcases/my-rule.yar/vuln-test-pdf.pdf

prerequesties.ps1

winget install -s winget VirusTotal.YARA

yara-rule-tester.ps1

param(
    [string]$yaraPath = "yara64.exe",
    [string]$rulesDir = "../yararules",
    [string]$testCasesDir = "testcases"
)

$totalTests = 0
$passedTests = 0
$failedTests = 0

$yaraFiles = Get-ChildItem -Path $rulesDir -Filter "*.yar" -File

foreach ($yaraFile in $yaraFiles) {
    $testCaseSubDir = Join-Path $testCasesDir $yaraFile.Name
    Write-Host "`nTesting rule: $($yaraFile.Name)"
    
    if (-not (Test-Path $testCaseSubDir)) {
        Write-Host "  No test cases found in $testCaseSubDir" -ForegroundColor Yellow
        continue
    }
    
    $testFiles = Get-ChildItem -Path $testCaseSubDir -File
    
    foreach ($testFile in $testFiles) {
        $totalTests++
        $expectedResult = $testFile.Name.StartsWith("ok-") ? "clean" : "vuln"
        Write-Host "  Testing file: $($testFile.Name) (expect: $expectedResult)" -NoNewline
        
        try {
            $output = & $yaraPath $yaraFile.FullName $testFile.FullName 2>&1
            $exitCode = $LASTEXITCODE
            
            $isVuln = $exitCode -eq 0 -and $output -ne $null
            $testPassed = ($expectedResult -eq "vuln" -and $isVuln) -or ($expectedResult -eq "clean" -and -not $isVuln)
            
            if ($testPassed) {
                $passedTests++
                Write-Host " - PASS" -ForegroundColor Green
            } else {
                $failedTests++
                Write-Host " - FAIL" -ForegroundColor Red
                if ($isVuln) {
                    Write-Host "    YARA output: $output" -ForegroundColor Red
                }
            }
        } catch {
            $failedTests++
            Write-Host " - ERROR: $_" -ForegroundColor Red
        }
    }
}

Write-Host "`nTest Summary:"
Write-Host "Total tests: $totalTests"
Write-Host "Passed: $passedTests" -ForegroundColor Green
Write-Host "Failed: $failedTests" -ForegroundColor $(if ($failedTests -gt 0) { "Red" } else { "Green" })

exit $(if ($failedTests -gt 0) { 1 } else { 0 })