一键在 Manus 中运行任何 Skill

yara-authoring

Write and test YARA rules for malware detection and threat hunting. Use when creating YARA signatures, detecting malware families, scanning files or memory for indicators of compromise, or building detection rules for threat intelligence.

在 Manus 中运行

概览

安装命令

npx skills add https://github.com/Dexploarer/eliza --skill yara-authoring

复制此命令并粘贴到 Claude Code 中以安装该技能

来源

Dexploarer/eliza

星标1

分支2

更新时间2026年3月18日 06:06

SKILL.md

readonly

name	yara-authoring
description	Write and test YARA rules for malware detection and threat hunting. Use when creating YARA signatures, detecting malware families, scanning files or memory for indicators of compromise, or building detection rules for threat intelligence.
allowed-tools	["Bash","Read","Write","Glob","Grep"]

YARA Rule Authoring

When to Use

Writing YARA rules to detect malware samples or families
Creating detection signatures for indicators of compromise (IOCs)
Scanning files or directories for known threat patterns
Building threat hunting rules from intelligence reports
Classifying unknown samples based on behavioral or structural patterns

When NOT to Use

Dynamic malware analysis (use sandbox environments)
Network traffic analysis (use Suricata/Snort rules)
Static analysis of source code (use Semgrep/CodeQL)

Rule Template

rule MalwareFamily_Variant : tag1 tag2 {
    meta:
        author = "analyst"
        description = "Detects MalwareFamily variant based on unique strings"
        date = "2024-01-01"
        reference = "https://example.com/report"
        hash = "abc123..."
        severity = "high"

    strings:
        $s1 = "unique_malware_string" ascii
        $s2 = { 4D 5A 90 00 03 00 }  // hex pattern
        $s3 = /https?:\/\/[a-z0-9]+\.evil\.com/ nocase  // regex

    condition:
        uint16(0) == 0x5A4D and  // MZ header (PE file)
        filesize < 5MB and
        (2 of ($s*))
}

String Types

Type	Syntax	Use Case
Text	`"string"`	ASCII strings
Hex	`{ AA BB CC }`	Byte patterns, shellcode
Regex	`/pattern/`	Flexible text matching

Modifiers

ascii / wide — encoding
nocase — case insensitive
fullword — word boundary matching
xor — XOR-encoded strings
base64 — base64-encoded strings

Condition Operators

condition:
    all of them           // All strings match
    any of ($a*)          // Any string starting with $a
    2 of ($s1, $s2, $s3)  // At least 2 of listed strings
    #s1 > 3               // String $s1 appears more than 3 times
    @s1 < 0x100           // String $s1 found before offset 0x100
    filesize < 1MB        // File size constraint
    uint16(0) == 0x5A4D   // Magic bytes at offset

Scanning

# Scan a file
yara rule.yar target_file

# Scan directory recursively
yara -r rules/ /path/to/scan/

# Scan with metadata output
yara -m -s rule.yar target_file

# Compile rules for faster repeated scanning
yarac rules/ compiled.yarc
yara -C compiled.yarc /path/to/scan/

Best Practices

Always include meta with author, description, date, and reference
Use filesize and magic byte checks to limit scope
Prefer multiple weak indicators over one strong indicator
Test against known samples AND clean files for false positives
Use private rules for helper conditions
Avoid overly broad regex patterns that cause performance issues
Version control your rules and track detection rates

Resources

YARA Documentation — https://yara.readthedocs.io/
YARA Rules Repository — https://github.com/Yara-Rules/rules
VirusTotal YARA — https://docs.virustotal.com/docs/yara

同仓库更多 Skills

同仓库

eliza-app-development

Dexploarer/eliza

Use when building or changing an elizaOS-based application in this repository. Covers eliza app architecture, monorepo layout, local versus remote versus cloud routing, where to edit features, and non-negotiable runtime constraints. Eliza is the product name of this particular eliza app checkout.

2026-04-131

eliza-cloud

Dexploarer/eliza

Use when the task involves Eliza Cloud or elizaOS Cloud as a managed backend, app platform, deployment target, billing layer, or monetization surface. Covers app creation, `appId` usage, app auth flows, cloud-hosted APIs, analytics, credits, creator monetization, and custom Docker container deployments.

2026-04-131

elizaos

Dexploarer/eliza

Use when the task involves elizaOS core runtime concepts, plugins, actions, providers, evaluators, services, memories, state composition, or upstream elizaOS development. Covers the main abstractions and the TypeScript runtime mental model.

2026-04-131

apple-reminders

Dexploarer/eliza

Manage Apple Reminders via the `remindctl` CLI on macOS (list, add, edit, complete, delete). Supports lists, date filters, and JSON/plain output. Use when the user asks about reminders, todos, tasks, to-do lists, "remind me", scheduling tasks, checking what is due today, completing or deleting reminders, or managing reminder lists on macOS.

2026-03-171

blucli

Dexploarer/eliza

BluOS CLI (blu) for discovery, playback, grouping, and volume control of Bluesound and NAD speakers. Use when the user wants to play music, stream audio, control speakers, adjust volume, group or ungroup Bluesound players, search TuneIn radio, or manage multi-room streaming setups.

2026-03-171

bluebubbles

Dexploarer/eliza

Handles sending and managing iMessages through BlueBubbles, the recommended iMessage integration. Triggers when the user wants to send a text message, send an iMessage, send a text, text someone, message a contact, react with a tapback, reply to a message thread, send an attachment via iMessage, edit or unsend a sent message, or manage group chat participants. All calls go through the generic message tool with channel="bluebubbles".

2026-03-171

来源

Dexploarer

Dexploarer/eliza

打开 GitHub 仓库查看创作者相关仓库

安装命令

下载

在 Manus 中运行

适用职业SOC

信息安全分析师计算机与数学类职业15-1212L4

name	yara-authoring
description	Write and test YARA rules for malware detection and threat hunting. Use when creating YARA signatures, detecting malware families, scanning files or memory for indicators of compromise, or building detection rules for threat intelligence.
allowed-tools	["Bash","Read","Write","Glob","Grep"]

YARA Rule Authoring

When to Use

Writing YARA rules to detect malware samples or families
Creating detection signatures for indicators of compromise (IOCs)
Scanning files or directories for known threat patterns
Building threat hunting rules from intelligence reports
Classifying unknown samples based on behavioral or structural patterns

When NOT to Use

Dynamic malware analysis (use sandbox environments)
Network traffic analysis (use Suricata/Snort rules)
Static analysis of source code (use Semgrep/CodeQL)

Rule Template

rule MalwareFamily_Variant : tag1 tag2 {
    meta:
        author = "analyst"
        description = "Detects MalwareFamily variant based on unique strings"
        date = "2024-01-01"
        reference = "https://example.com/report"
        hash = "abc123..."
        severity = "high"

    strings:
        $s1 = "unique_malware_string" ascii
        $s2 = { 4D 5A 90 00 03 00 }  // hex pattern
        $s3 = /https?:\/\/[a-z0-9]+\.evil\.com/ nocase  // regex

    condition:
        uint16(0) == 0x5A4D and  // MZ header (PE file)
        filesize < 5MB and
        (2 of ($s*))
}

String Types

Type	Syntax	Use Case
Text	`"string"`	ASCII strings
Hex	`{ AA BB CC }`	Byte patterns, shellcode
Regex	`/pattern/`	Flexible text matching

Modifiers

ascii / wide — encoding
nocase — case insensitive
fullword — word boundary matching
xor — XOR-encoded strings
base64 — base64-encoded strings

Condition Operators

condition:
    all of them           // All strings match
    any of ($a*)          // Any string starting with $a
    2 of ($s1, $s2, $s3)  // At least 2 of listed strings
    #s1 > 3               // String $s1 appears more than 3 times
    @s1 < 0x100           // String $s1 found before offset 0x100
    filesize < 1MB        // File size constraint
    uint16(0) == 0x5A4D   // Magic bytes at offset

Scanning

# Scan a file
yara rule.yar target_file

# Scan directory recursively
yara -r rules/ /path/to/scan/

# Scan with metadata output
yara -m -s rule.yar target_file

# Compile rules for faster repeated scanning
yarac rules/ compiled.yarc
yara -C compiled.yarc /path/to/scan/

Best Practices

Always include meta with author, description, date, and reference
Use filesize and magic byte checks to limit scope
Prefer multiple weak indicators over one strong indicator
Test against known samples AND clean files for false positives
Use private rules for helper conditions
Avoid overly broad regex patterns that cause performance issues
Version control your rules and track detection rates

Resources

YARA Documentation — https://yara.readthedocs.io/
YARA Rules Repository — https://github.com/Yara-Rules/rules
VirusTotal YARA — https://docs.virustotal.com/docs/yara