Thursday, September 30, 2010

Installing Yara on Ubuntu 10.04

This post covers installing YARA 1.4 on Ubuntu 10.04. First you will need the PCRE runtime and development libraries, since YARA 1.4 links against PCRE for its regular expression support.

$ sudo apt-get install libpcre3 libpcre3-dev

Now acquire the YARA source code.

$ wget http://yara-project.googlecode.com/files/yara-1.4.tar.gz
$ wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz

Untar and configure YARA. Note that the tarball extracts into a directory named yara-1.4, so that is the directory to change into (not the .tar.gz file itself).

$ tar xvfz yara-1.4.tar.gz
$ cd yara-1.4
$ ./configure

If there are no errors, make the executables.

$ make
$ make check
$ sudo make install

Now add Python support by building and installing the yara-python module. As above, the extracted directory is yara-python-1.4.

$ cd ..
$ tar xvfz yara-python-1.4.tar.gz
$ cd yara-python-1.4
$ python setup.py build
$ sudo python setup.py install

You should now be able to call YARA from a shell prompt. Running it with no arguments prints the usage text (the placeholders in angle brackets were lost when the output was pasted and are restored here):

$ yara
usage: yara [OPTION]... [RULEFILE]... FILE
options:
-t <tag> print rules tagged as <tag> and ignore the rest. Can be used more than once.
-i <identifier> print rules named <identifier> and ignore the rest. Can be used more than once.
-n print only not satisfied rules (negate).
-g print tags.
-m print metadata.
-s print matching strings.
-d <identifier>=<value> define external variable.
-r recursively search directories.
-f fast matching mode.
-v show version information.

Report bugs to:
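A post-install smoke test is the quickest way to confirm that both the yara binary and the yara-python module actually work, rather than just that they built. The script below is an added example and is not part of the original post; it writes a tiny rule, creates one constructed sample file that should match and one that should not, runs the CLI against both, and then checks that Python can import the yara module (an import failure after a clean build is the libyara shared object lookup problem raised in the comments). The rule name, marker string and temporary file names are all constructed here.

```shell
#!/bin/sh
# Added post-install smoke test for YARA (example code, not from the original post).
# All file names, the rule and the marker string below are constructed for this test.

# Write a minimal rule file to the path given as $1.
make_rule() {
    cat > "$1" <<'EOF'
rule smoke_test
{
    meta:
        description = "post-install smoke test rule"
    strings:
        $marker = "YARA_SMOKE_TEST_MARKER"
    condition:
        $marker
}
EOF
}

# Create one file containing the marker and one without it, under directory $1.
make_samples() {
    printf 'header\nYARA_SMOKE_TEST_MARKER\ntrailer\n' > "$1/match.bin"
    printf 'header\nnothing to see here\ntrailer\n' > "$1/nomatch.bin"
}

# Run the CLI against both samples in directory $1.
# Returns 0 if the rule fires on match.bin only, 2 if no yara binary is on PATH,
# and 1 on any other outcome (error, false positive or false negative).
verify_cli() {
    dir=$1
    if ! command -v yara >/dev/null 2>&1; then
        echo "yara binary not found on PATH" >&2
        return 2
    fi
    # -s also prints the matching strings; the first output line starts with the rule name.
    hit=$(yara -s "$dir/smoke.yar" "$dir/match.bin" 2>&1) || { echo "$hit" >&2; return 1; }
    miss=$(yara "$dir/smoke.yar" "$dir/nomatch.bin" 2>&1) || { echo "$miss" >&2; return 1; }
    case $hit in
        smoke_test*) ;;
        *) echo "expected smoke_test to match match.bin, got: $hit" >&2; return 1 ;;
    esac
    [ -z "$miss" ] || { echo "unexpected match on nomatch.bin: $miss" >&2; return 1; }
    return 0
}

# Check that the yara-python module loads. Returns 0 on success, 2 if there is no
# python on PATH, 1 if the import fails (typically libyara.so not found by the loader).
verify_python() {
    if ! command -v python >/dev/null 2>&1; then
        echo "python not found on PATH" >&2
        return 2
    fi
    python -c 'import yara' 2>/dev/null || {
        echo "yara-python import failed; check: ldconfig -p | grep libyara" >&2
        return 1
    }
    return 0
}

main() {
    dir=$(mktemp -d)
    make_rule "$dir/smoke.yar"
    make_samples "$dir"
    verify_cli "$dir"; cli=$?
    verify_python; py=$?
    rm -rf "$dir"
    echo "cli=$cli python=$py (0 = ok, 1 = broken, 2 = tool not on PATH)"
    [ "$cli" -eq 0 ] && [ "$py" -eq 0 ]
}

# Run the smoke test when executed directly.
main
```

On a correct install the script prints the matching rule name from the CLI run and reports cli=0 python=0. A python=1 result with cli=0 is the symptom the commenters describe: the binary finds libyara through its own rpath, but the dynamic loader has not picked up /usr/local/lib for the Python extension, so adding that path to /etc/ld.so.conf and running ldconfig fixes it.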

6 comments:

Anonymous said...

In some versions of Ubuntu users may need to run the following commands (the redirection must run as root too, so the path is appended with tee rather than a shell redirect after sudo):

$ echo "/usr/local/lib" | sudo tee -a /etc/ld.so.conf
$ sudo ldconfig

Quoted from the googlecode page.

Research said...

Nice article. After installation, in Ubuntu there may be an error in accessing libyara shared objects.

In that case, this would be useful. This is mentioned in the official project page of yara: http://code.google.com/p/yara-project/source/browse/trunk/yara-python/README?r=41

$ echo "/usr/local/lib" | sudo tee -a /etc/ld.so.conf
$ sudo ldconfig

unixfreak said...

Don't forget to sudo apt-get install python-dev before you try to build the yara-python package.

Anonymous said...

You will also need to install g++: sudo apt-get install g++

It's not on 10.04 by default.

Anonymous said...

In newer versions of Yara, you can use the re2 library (http://code.google.com/p/re2/) instead of pcre to speed up yara.

If you want to use re2, you have to install it and then use it when you configure yara:

Installing re2 (requires g++):
hg clone https://re2.googlecode.com/hg re2
cd re2
make test
sudo make install
sudo make testinstall

Then, instead of ./configure, do:
./configure --with-re2

You may need to run 'sudo ldconfig' after installing re2 but before configuring yara.

Anonymous said...

Excellent guide thank you for putting this up!