#24
08-09-2014, 10:27
Storm Shadow
If you do a YARA scan,
you will quickly see if the scanner is set properly.

You will see the YARA rules load after pushing the button "Perform YARA scan":
Code:
loading rules from file: C:\yara\cve.yar (3)
loading rules from file: C:\yara\index.yar (0)
loading rules from file: C:\yara\xplug.yar (2)
loading rules from file: C:\yara\AlienVault\apt.yar (72)
loading rules from file: C:\yara\AlienVault\avdetect.yar (1)
loading rules from file: C:\yara\AlienVault\dbgdetect.yar (3)
loading rules from file: C:\yara\AlienVault\hangover.yar (16)
loading rules from file: C:\yara\AlienVault\sandboxdetect.yar (1)
loading rules from file: C:\yara\AlienVault\vmdetect.yar (1)
loading rules from file: C:\yara\AlienVault\APT_NGO_wuaclt\yara\APT_NGO_wuaclt.yar (1)
loading rules from file: C:\yara\AlienVault\APT_NGO_wuaclt\yara\APT_NGO_wuaclt_PDF.yar (1)
loading rules from file: C:\yara\AlienVault\Georbot\GeorBotBinary.yara (1)
loading rules from file: C:\yara\AlienVault\Georbot\GeorBotMemory.yara (1)
[!] Performing YARA scan...

Also, you can add your own sigs to YARA;
read this post: https://hacking.ventures/rsa-keys-in-heartbleed-memory/

He adds the RSA headers to the scanner:

Code:
import yara  # yara-python

# Two in-memory rules keyed by namespace; the hex strings are DER prefixes:
# x509 = SEQUENCE{SEQUENCE ...} (Certificate), pkcs = SEQUENCE{INTEGER 0 ...} (RSAPrivateKey/PKCS#8 v0)
rules = yara.compile(sources={
    'x509': 'rule x509 {strings: $a = {30 82 ?? ?? 30 82 ?? ??} condition: $a}',
    'pkcs': 'rule pkcs {strings: $a = {30 82 ?? ?? 02 01 00} condition: $a}',
})
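Added example (not from Storm Shadow's post or the linked article): a pure-Python matcher for YARA-style hex strings with `??` wildcards, so the two rules above can be tried on a memory dump without yara-python installed. It shows what the byte patterns actually encode (a DER SEQUENCE with a two-byte length, followed either by a nested SEQUENCE for a Certificate or by INTEGER 0 for an RSAPrivateKey / PKCS#8 version field) and reads the declared DER length of each hit, which is the first thing a responder checks to tell a real key or cert from a stray `30 82` in unrelated data. The sample dump, the function names and the length values are constructed for this example.

```python
import re

# The two YARA hex strings from the post, with what each DER prefix encodes.
RULES = {
    "x509": "30 82 ?? ?? 30 82 ?? ??",  # SEQUENCE(2-byte len) { SEQUENCE ... }: Certificate
    "pkcs": "30 82 ?? ?? 02 01 00",     # SEQUENCE(2-byte len) { INTEGER 0 ... }: RSAPrivateKey / PKCS#8 v0
}


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA-style hex string ('??' = any single byte) into a bytes regex.

    Wrapped in a lookahead so overlapping occurrences are all reported.
    """
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"(?=" + b"".join(parts) + b")", re.DOTALL)


def scan(buf: bytes, rules: dict = RULES) -> dict:
    """Return {rule_name: [offset, ...]} for every rule that fires on buf."""
    hits = {}
    for name, pattern in rules.items():
        offsets = [m.start() for m in hex_pattern_to_regex(pattern).finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits


def der_declared_length(buf: bytes, offset: int) -> int:
    """Length field of a '30 82 LL LL' SEQUENCE at offset (big-endian, 2 bytes)."""
    return int.from_bytes(buf[offset + 2:offset + 4], "big")


def carve_candidates(buf: bytes, rules: dict = RULES) -> list:
    """Sorted (offset, rule, declared_length) triples for every hit.

    A declared length that runs past the end of the dump, or that is absurdly
    small or large for a key or cert, is a quick way to discard false positives.
    """
    out = []
    for name, offsets in scan(buf, rules).items():
        for off in offsets:
            out.append((off, name, der_declared_length(buf, off)))
    return sorted(out)


# Constructed memory dump (not real data): padding, an HTTP request, the first
# 13 bytes of an RSAPrivateKey and of a Certificate. The length fields
# (0x04a4, 0x031c) are invented values in the range a 2048-bit key and a small
# cert would have.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"GET /index.html HTTP/1.1\r\n"
    + bytes.fromhex("308204a40201000282010100c1")   # offset 42: SEQUENCE { INTEGER 0, INTEGER ...
    + b"\xff" * 8
    + bytes.fromhex("3082031c30820204a003020102")   # offset 63: SEQUENCE { SEQUENCE { [0] INTEGER 2
    + b"\x00" * 8
)

if __name__ == "__main__":
    for off, name, length in carve_candidates(SAMPLE_DUMP):
        print(f"{name:5s} at offset {off:#06x}, declared length {length} bytes")
```

The regex translation is the only part specific to YARA syntax; the DER length check is what makes the hits useful, since on a real dump `30 82` appears in plenty of places that are neither keys nor certificates.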