NullSec YARA
February 27, 2026 · View on GitHub
Clojure pattern matching engine demonstrating immutable data and functional programming.
Features
- Immutable Data - Thread-safe by design
- Lazy Sequences - Memory-efficient file scanning
- Persistent Collections - Efficient structural sharing
- REPL Development - Interactive rule testing
- Pattern Matching - Hex, ASCII, and regex patterns
Built-in Rules
| ID | Name | Severity | Description |
|---|---|---|---|
| MAL001 | Suspicious PE | High | PE file indicators |
| MAL002 | Packed Executable | Medium | UPX packing |
| MAL003 | Shellcode Pattern | Critical | Common shellcode |
| STR001 | Suspicious URLs | Medium | C2/malicious URLs |
| STR002 | Crypto Wallet | Medium | Wallet addresses |
| CMD001 | Suspicious Commands | High | Malicious commands |
| CRED001 | Hardcoded Creds | High | Passwords/API keys |
| NET001 | Network Indicators | Low | Network functions |
Build
# With Leiningen
lein uberjar
# Run
java -jar target/uberjar/nullsec-yara-1.0.0-standalone.jar
# REPL
lein repl
Usage
# Scan file
java -jar yara.jar suspicious.exe
# Show matched strings
java -jar yara.jar -s malware.bin
# JSON output
java -jar yara.jar -j sample.dll
# Custom rules
java -jar yara.jar -r custom.yar target.exe
REPL Usage
; Load namespace
(require '[yara.core :as yara])
; Scan file
(yara/scan-data (yara/read-file-bytes "sample.exe") yara/builtin-rules)
; Custom rule
(def my-rule (yara/->Rule "TEST" "Test Rule" "Custom" :high
[{:id "$test" :type :ascii :value "suspicious"}]
"all of them"))
Pattern Types
- :hex - Hexadecimal byte patterns
- :ascii - ASCII string search
- :regex - Regular expression patterns
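The following is an added example, not code from the NullSec YARA project, showing how the three pattern types can be matched over a byte array and combined with an "all of them" condition. It is self-contained and does not call yara.core; the rule is a plain map whose :strings and :condition keys, the function names, and the sample bytes are all assumptions made for this example rather than the project's own field names or API.

```clojure
;; Added example (not part of NullSec YARA): minimal matcher for the
;; :hex, :ascii and :regex pattern types over a byte array.
(ns example.patterns)

(defn hex->bytes
  "Parse a hex pattern such as \"4D 5A 90 00\" into a vector of ints 0-255."
  [s]
  (mapv #(Integer/parseInt % 16) (re-seq #"[0-9A-Fa-f]{2}" s)))

(defn ascii->bytes
  "Turn an ASCII string into a vector of unsigned byte values."
  [s]
  (mapv #(bit-and % 0xFF) (.getBytes ^String s "ISO-8859-1")))

(defn find-bytes
  "Lazy seq of every offset at which needle (vector of ints) occurs in data."
  [^bytes data needle]
  (let [n (alength data) m (count needle)]
    (if (zero? m)
      ()
      (filter (fn [i]
                (loop [j 0]
                  (cond (= j m) true
                        (not= (bit-and (aget data (+ i j)) 0xFF) (nth needle j)) false
                        :else (recur (inc j)))))
              (range 0 (inc (- n m)))))))

(defn regex-offsets
  "Offsets of every regex match; ISO-8859-1 maps each byte to one char,
   so string offsets equal byte offsets."
  [^bytes data pattern]
  (let [text (String. data "ISO-8859-1")
        ^java.util.regex.Matcher m (re-matcher (re-pattern pattern) text)]
    (loop [acc []]
      (if (.find m)
        (recur (conj acc (.start m)))
        acc))))

(defn match-string
  "Offsets where one rule string ({:id :type :value}) matches in data."
  [^bytes data {:keys [type value]}]
  (case type
    :hex   (find-bytes data (hex->bytes value))
    :ascii (find-bytes data (ascii->bytes value))
    :regex (regex-offsets data value)))

(defn evaluate-rule
  "Evaluate a rule map (assumed shape: :strings and :condition keys) and
   return {:matched? bool :strings {id [offsets]}}. Supports the
   \"all of them\" and \"any of them\" conditions."
  [^bytes data {:keys [strings condition]}]
  (let [hits     (into {} (map (fn [{:keys [id] :as s}]
                                 [id (vec (match-string data s))])
                               strings))
        hit?     (fn [offs] (boolean (seq offs)))
        matched? (case condition
                   "all of them" (every? hit? (vals hits))
                   "any of them" (boolean (some hit? (vals hits)))
                   (throw (ex-info "unsupported condition" {:condition condition})))]
    {:matched? matched? :strings hits}))

;; Constructed sample input, not a real binary: an "MZ" header followed by text.
(def sample-bytes
  (.getBytes "MZ\u0090\u0000padding http://c2.example.invalid/ cmd.exe /c whoami"
             "ISO-8859-1"))

;; Hypothetical rule in the same spirit as the README's ->Rule example.
(def demo-rule
  {:id "TEST" :name "Test Rule" :category "Custom" :severity :high
   :strings [{:id "$mz"  :type :hex   :value "4D 5A 90 00"}
             {:id "$cmd" :type :ascii :value "cmd.exe"}
             {:id "$url" :type :regex :value "https?://[^\\s]+"}]
   :condition "all of them"})

(defn -main [& _]
  (prn (evaluate-rule sample-bytes demo-rule)))
```

Against the constructed sample all three strings hit ($mz at offset 0, since the hex pattern is the first four bytes), so the "all of them" condition is satisfied; changing it to "any of them" or removing one string from the sample shows the difference between the two conditions. Because find-bytes returns a lazy seq, a caller that only needs to know whether a string is present can stop after the first offset without scanning the rest of the file.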
Author
bad-antics | Twitter
License
MIT