@avestura
Last active April 6, 2025 07:34
Test yara rules

YARA Rules Tests

We have two folders called:

  • yararules: the custom YARA rules (one .yar file per rule set)
  • yararules.test: the test cases for the custom rules in yararules

For each .yar file inside the yararules folder, we should create a folder with the same name as the yara file inside the yararules.test/testcases folder.

  • If a test case file name starts with ok-*, the file must NOT be matched by the YARA rule.
  • If a test case file name starts with vuln-*, the file must be matched (reported as vulnerable) by the YARA rule.

Run tests

  • Run prerequesties.ps1 to install the YARA binaries (yara64 and yarac64) in case you don't have them installed already.
  • Run run-tests.ps1 to run all the tests.

Example

  • yararules/my-rule.yar
  • yararules.test/testcases/my-rule.yar/ok-test.jpg
  • yararules.test/testcases/my-rule.yar/vuln-test-pdf.pdf
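The following is an added example, not part of the gist: a small cross-platform port of the same ok-*/vuln-* convention in Python, so the harness can also run on Linux/macOS CI where PowerShell may be absent. It assumes the same layout as above (yararules/*.yar and yararules.test/testcases/<rule file name>/) and a yara binary on PATH (the binary name, the yara CLI's "<rule> <path>" output format and the helper names are assumptions of this example). The decision logic is kept in pure functions so it can be checked without YARA installed, and two edge cases the one-liner harness glosses over are handled explicitly: warnings on stderr are not counted as a match, and a non-zero exit (rule compile error, unreadable fixture) is reported as an error instead of silently passing an ok-* fixture.

```python
"""Cross-platform YARA rule test runner (added example, not the gist's code)."""
import subprocess
import sys
from dataclasses import dataclass
from pathlib import Path


@dataclass
class TestResult:
    rule: str
    test_file: str
    expected: str   # "clean" or "vuln"
    actual: str     # "clean", "vuln" or "error"
    detail: str = ""

    @property
    def passed(self) -> bool:
        return self.expected == self.actual


def expected_outcome(filename: str) -> str:
    """ok-* fixtures must not match, vuln-* fixtures must match.

    Any other prefix is a naming error in the test suite, so fail loudly
    rather than guessing.
    """
    if filename.startswith("ok-"):
        return "clean"
    if filename.startswith("vuln-"):
        return "vuln"
    raise ValueError(f"test fixture {filename!r} must start with 'ok-' or 'vuln-'")


def classify_yara_run(returncode: int, stdout: str, stderr: str) -> tuple:
    """Map one yara invocation to ('vuln' | 'clean' | 'error', detail).

    Assumption: yara prints one '<rule> <path>' line per match on stdout and
    exits 0 even when nothing matches; warnings go to stderr, so stderr alone
    must never count as a hit.  A non-zero exit is an error, not a clean result.
    """
    if returncode != 0:
        return "error", (stderr.strip() or stdout.strip())
    matched = [line.split(" ", 1)[0] for line in stdout.splitlines() if line.strip()]
    if matched:
        return "vuln", "matched rules: " + ", ".join(matched)
    return "clean", ""


def run_suite(rules_dir, tests_dir, yara="yara"):
    """Run every <rules_dir>/*.yar against the fixtures in <tests_dir>/<rule name>/."""
    results = []
    for rule in sorted(Path(rules_dir).glob("*.yar")):
        case_dir = Path(tests_dir) / rule.name
        if not case_dir.is_dir():
            continue  # rule without test cases: skipped, like the PowerShell harness
        for fixture in sorted(p for p in case_dir.iterdir() if p.is_file()):
            expected = expected_outcome(fixture.name)
            proc = subprocess.run(
                [yara, str(rule), str(fixture)], capture_output=True, text=True
            )
            actual, detail = classify_yara_run(proc.returncode, proc.stdout, proc.stderr)
            results.append(TestResult(rule.name, fixture.name, expected, actual, detail))
    return results


def summarize(results) -> tuple:
    """Return (total, passed, failed) for a list of TestResult."""
    total = len(results)
    passed = sum(1 for r in results if r.passed)
    return total, passed, total - passed


if __name__ == "__main__":
    rules = sys.argv[1] if len(sys.argv) > 1 else "yararules"
    tests = sys.argv[2] if len(sys.argv) > 2 else "yararules.test/testcases"
    res = run_suite(rules, tests)
    for r in res:
        status = "PASS" if r.passed else "FAIL"
        print(f"{status} {r.rule} / {r.test_file} (expected {r.expected}, got {r.actual}) {r.detail}")
    total, ok, bad = summarize(res)
    print(f"Total tests: {total}, passed: {ok}, failed: {bad}")
    sys.exit(1 if bad else 0)
```

Run it from the repository root as `python run_tests.py yararules yararules.test/testcases`; the exit code is non-zero when any fixture fails, so it can gate a CI job the same way run-tests.ps1 does.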
prerequesties.ps1

```powershell
winget install -s winget VirusTotal.YARA
```
run-tests.ps1

```powershell
# Runs every rule in $rulesDir against the fixtures in $testCasesDir/<rule file name>/.
# Requires PowerShell 7+ (the ternary operator below is not available in Windows PowerShell 5.1).
param(
    [string]$yaraPath = "yara64.exe",
    [string]$rulesDir = "../yararules",
    [string]$testCasesDir = "testcases"
)

$totalTests = 0
$passedTests = 0
$failedTests = 0

$yaraFiles = Get-ChildItem -Path $rulesDir -Filter "*.yar" -File
foreach ($yaraFile in $yaraFiles) {
    # Test cases live in a folder named exactly like the rule file, e.g. testcases/my-rule.yar/
    $testCaseSubDir = Join-Path $testCasesDir $yaraFile.Name
    Write-Host "`nTesting rule: $($yaraFile.Name)"
    if (-not (Test-Path $testCaseSubDir)) {
        Write-Host "  No test cases found in $testCaseSubDir" -ForegroundColor Yellow
        continue
    }

    $testFiles = Get-ChildItem -Path $testCaseSubDir -File
    foreach ($testFile in $testFiles) {
        $totalTests++
        # ok-* fixtures must not match; everything else is expected to match
        $expectedResult = $testFile.Name.StartsWith("ok-") ? "clean" : "vuln"
        Write-Host "  Testing file: $($testFile.Name) (expect: $expectedResult)" -NoNewline
        try {
            # yara prints one "<rule> <path>" line per match on stdout and exits 0 even when
            # nothing matches. stderr is merged with 2>&1, so its warnings arrive as
            # ErrorRecord objects; only plain string lines are counted as matches.
            $output = & $yaraPath $yaraFile.FullName $testFile.FullName 2>&1
            $exitCode = $LASTEXITCODE
            if ($exitCode -ne 0) {
                # rule compile error or unreadable file: report it instead of counting it as "clean"
                throw "yara exited with code $exitCode`: $output"
            }
            $matchLines = @($output | Where-Object { $_ -is [string] -and $_.Trim() -ne "" })
            $isVuln = $matchLines.Count -gt 0
            $testPassed = ($expectedResult -eq "vuln" -and $isVuln) -or ($expectedResult -eq "clean" -and -not $isVuln)
            if ($testPassed) {
                $passedTests++
                Write-Host " - PASS" -ForegroundColor Green
            } else {
                $failedTests++
                Write-Host " - FAIL" -ForegroundColor Red
                if ($isVuln) {
                    Write-Host "    YARA output: $matchLines" -ForegroundColor Red
                }
            }
        } catch {
            $failedTests++
            Write-Host " - ERROR: $_" -ForegroundColor Red
        }
    }
}

Write-Host "`nTest Summary:"
Write-Host "Total tests: $totalTests"
Write-Host "Passed: $passedTests" -ForegroundColor Green
Write-Host "Failed: $failedTests" -ForegroundColor $(if ($failedTests -gt 0) { "Red" } else { "Green" })
# Non-zero exit code lets CI fail the job when any test case fails
exit $(if ($failedTests -gt 0) { 1 } else { 0 })
```