From 064870a4f07f8666bd03e3a2f7ceb5ff5dd7304c Mon Sep 17 00:00:00 2001 From: Max Altgelt Date: Wed, 9 Jul 2025 09:24:36 +0200 Subject: [PATCH 1/3] feat: document YARA-Forge --- index.rst | 1 + usage/yara-forge.rst | 22 ++++++++++++++++++++++ 2 files changed, 23 insertions(+) create mode 100644 usage/yara-forge.rst diff --git a/index.rst b/index.rst index 64c16a8..606967b 100644 --- a/index.rst +++ b/index.rst @@ -22,6 +22,7 @@ THOR Util User Manual usage/log-conversion usage/templates usage/diagnostics + usage/yara-forge Indices and tables diff --git a/usage/yara-forge.rst b/usage/yara-forge.rst new file mode 100644 index 0000000..0e116da --- /dev/null +++ b/usage/yara-forge.rst @@ -0,0 +1,22 @@ +YARA Forge +=========== + +YARA-Forge (https://yarahq.github.io/) is an open source project that bundles YARA rules from different open source projects. +Rules are offered in different _rulesets_ that differ in their FP ratio / detection rate tradeoff. + +THOR Util offers support for downloading YARA Forge with: + +.. code:: doscon + + C:\thor>thor-util.exe yara-forge download --ruleset + +Where ruleset is core, extended, full, or none. + + +A downloaded YARA Forge ruleset is stored in ``custom-signatures/yara-forge`` and is automatically updated with ``thor-util update``. + +If you no longer want to use YARA Forge, you can run: + +.. code:: doscon + + C:\thor>thor-util.exe yara-forge remove From ede28fd071bb05f53e17ff79d73c404039653508 Mon Sep 17 00:00:00 2001 From: redteampanda-ng <31235211+redteampanda-ng@users.noreply.github.com> Date: Wed, 9 Jul 2025 09:43:55 +0200 Subject: [PATCH 2/3] chore: minor text changes and clarifications --- usage/yara-forge.rst | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/usage/yara-forge.rst b/usage/yara-forge.rst index 0e116da..276151c 100644 --- a/usage/yara-forge.rst +++ b/usage/yara-forge.rst 
@@ -1,8 +1,9 @@ YARA Forge =========== -YARA-Forge (https://yarahq.github.io/) is an open source project that bundles YARA rules from different open source projects. -Rules are offered in different _rulesets_ that differ in their FP ratio / detection rate tradeoff. +YARA-Forge (https://yarahq.github.io/) is an open source project that +bundles YARA rules from different open source projects. Rules are offered +in different _rulesets_ that differ in their FP ratio / detection rate tradeoff. THOR Util offers support for downloading YARA Forge with: @@ -10,10 +11,18 @@ THOR Util offers support for downloading YARA Forge with: C:\thor>thor-util.exe yara-forge download --ruleset -Where ruleset is core, extended, full, or none. +Where **ruleset** can be one of the following: +- core +- extended +- full -A downloaded YARA Forge ruleset is stored in ``custom-signatures/yara-forge`` and is automatically updated with ``thor-util update``. +.. note:: + Only one ruleset at a time can be used. When you download a new + ruleset, the old one gets overwritten. + +A downloaded YARA Forge ruleset is stored in ``custom-signatures/yara-forge`` +and is automatically updated with ``thor-util update``. If you no longer want to use YARA Forge, you can run: From a63539d9eca9a23e32d8a57e2b40f6205514ce30 Mon Sep 17 00:00:00 2001 From: redteampanda-ng <31235211+redteampanda-ng@users.noreply.github.com> Date: Wed, 9 Jul 2025 09:45:47 +0200 Subject: [PATCH 3/3] chore: minor text changes and clarifications --- usage/yara-forge.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usage/yara-forge.rst b/usage/yara-forge.rst index 276151c..4d491db 100644 --- a/usage/yara-forge.rst +++ b/usage/yara-forge.rst 
@@ -3,7 +3,7 @@ YARA Forge YARA-Forge (https://yarahq.github.io/) is an open source project that bundles YARA rules from different open source projects. Rules are offered -in different _rulesets_ that differ in their FP ratio / detection rate tradeoff. +in different **rulesets** that differ in their FP ratio / detection rate tradeoff. THOR Util offers support for downloading YARA Forge with:
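Review bot: In patch 1/3, hunk `usage/yara-forge.rst` (new file), the command line `C:\thor>thor-util.exe yara-forge download --ruleset` shows the option without a value while the next sentence says "Where ruleset is core, extended, full, or none"; write it as `--ruleset <ruleset>` or give a concrete invocation such as `--ruleset core`, otherwise readers will paste a command that is missing its argument. Two smaller points in the same hunk: `_rulesets_` is Markdown emphasis, and in reStructuredText a trailing underscore turns the word into a hyperlink reference to a target that does not exist, so the Sphinx build will warn (use `*rulesets*` or `**rulesets**`); and `none` is listed as a valid ruleset value but the page never says what it does, which is confusing given that the file ends with a dedicated `thor-util.exe yara-forge remove` command.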
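Review bot: In patch 2/3, the second hunk (`@@ -10,10 +11,18 @@`) needs a blank line between `+Where **ruleset** can be one of the following:` and `+- core`; reStructuredText only recognises a bullet list that is preceded by a blank line, so as written docutils folds `- core`, `- extended` and `- full` into the paragraph text and no list is rendered. The hunk also drops `none` from the accepted values but leaves the context line `C:\thor>thor-util.exe yara-forge download --ruleset` without a value placeholder, so the command example is still incomplete. The added `.. note::` about the old ruleset being overwritten is the useful part of this change; consider naming the directory it affects (`custom-signatures/yara-forge`, from the paragraph right below) so an operator knows which files are replaced.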
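Review bot: Patch 3/3 carries the same subject as patch 2/3 ("chore: minor text changes and clarifications") and its single hunk only finishes the job patch 2 started, replacing `_rulesets_` with `**rulesets**`; squash it into patch 2 so the series does not leave an intermediate commit in which the file still contains the Markdown-style `_rulesets_` that reStructuredText reads as a dangling hyperlink reference.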