Intelligent YARA Rule Generator with AI
```
+---------------------+       +-------------------+
| Natural Language    |       | File Sample       |
| Description         |       | (PE/ELF/Mach-O)   |
+----------+----------+       +--------+----------+
           |                           |
           v                           v
+----------+----------+       +--------+----------+
| LLM Generator       |       | File Analyzer     |
| (OpenAI / Template) |       | - Strings         |
|                     |       | - Imports         |
+----------+----------+       | - Entropy         |
           |                  | - Sections        |
           |                  | - Packer detection|
           |                  +--------+----------+
           |                           |
           +------------+--------------+
                        |
                        v
           +------------+------------+
           | YARA Rule Builder       |
           | - Meta section          |
           | - String patterns       |
           | - Hex patterns          |
           | - Conditions            |
           +------------+------------+
                        |
                        v
           +------------+------------+
           | YARA Validator          |
           | - Syntax check          |
           | - Performance analysis  |
           | - FP risk estimation    |
           | - Quality scoring       |
           +-------------------------+
```
YaraGen-AI is an intelligent YARA rule generator that creates detection rules from multiple input sources:
- Natural language - Describe what you want to detect, AI generates the rule
- File samples - Analyze PE/ELF/Mach-O files and auto-extract signatures
- IOC indicators - Generate rules from hashes, domains, IPs, URLs
- Behavioral patterns - Specify behaviors (injection, persistence, C2, etc.)
- Templates - Pre-built templates for 8 malware categories
```bash
git clone https://github.com/ayinedjimi/YaraGen-AI.git
cd YaraGen-AI
pip install -e ".[dev,pe,yara]"

# Optional: Set OpenAI API key for AI features
export OPENAI_API_KEY="sk-..."
```

```bash
# Generate from description
yaragen-ai generate -d "Detect Cobalt Strike beacon" -n cobalt_beacon

# Generate from file sample
yaragen-ai generate -f malware_sample.exe -n detected_malware

# Generate from IOCs
yaragen-ai generate --ioc-domains evil.com c2.bad.org --ioc-ips 1.2.3.4

# Generate from behavior
yaragen-ai generate -b process_injection persistence_registry -n apt_loader

# Use a template
yaragen-ai generate --template ransomware -n wannacry_variant

# Analyze a file
yaragen-ai analyze suspicious.exe --generate

# Validate a rule
yaragen-ai validate rule.yar --verbose

# List templates
yaragen-ai templates
```

```yara
rule detect_cobalt_beacon
{
    meta:
        author = "Ayi NEDJIMI"
        date = "2026-02-18"
        description = "Detect Cobalt Strike beacon"
        reference = "https://ayinedjimi-consultants.fr"
        category = "c2_beacon"
    strings:
        $http_1 = "User-Agent:" ascii wide
        $c2_1 = "beacon" ascii wide nocase
        $c2_2 = "sleep" ascii wide
        $c2_3 = "jitter" ascii wide
        $enc_1 = "base64" ascii wide nocase
    condition:
        filesize < 5MB and
        (2 of ($http_*) and 2 of ($c2_*) and 1 of ($enc_*))
}
```

| Category | MITRE ATT&CK | Description |
|---|---|---|
| ransomware | T1486 | File encryption + ransom notes |
| trojan | T1059 | RAT with keylogging/screen capture |
| backdoor | T1059.001 | Reverse shell / bind shell |
| webshell | T1505.003 | PHP/ASP/JSP web shells |
| cryptominer | T1496 | Mining pool connections |
| rootkit | T1014 | Kernel-level manipulation |
| dropper | T1105 | Download and execute payloads |
| c2_beacon | T1071 | C2 communication patterns |
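As an added example, not code from YaraGen-AI itself, here is a minimal static check of the kind the validator stage above performs: it flags an `N of ($prefix*)` quantifier that asks for more strings than the rule defines under that prefix, and literals short enough to raise false-positive risk. Run against the generated rule shown above (embedded as a constructed sample), it reports that `2 of ($http_*)` can never be satisfied because only one `$http_` string exists.

```python
import re

# Constructed sample: the rule printed above, embedded so the check runs offline.
SAMPLE_RULE = r'''
rule detect_cobalt_beacon
{
    strings:
        $http_1 = "User-Agent:" ascii wide
        $c2_1 = "beacon" ascii wide nocase
        $c2_2 = "sleep" ascii wide
        $c2_3 = "jitter" ascii wide
        $enc_1 = "base64" ascii wide nocase
    condition:
        filesize < 5MB and
        (2 of ($http_*) and 2 of ($c2_*) and 1 of ($enc_*))
}
'''

# '$name = "literal" ...' lines in the strings section (hex and regex strings are skipped).
STRING_DEF = re.compile(r'^\s*\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"', re.M)
# 'N of ($prefix*)' quantifiers in the condition.
N_OF_GROUP = re.compile(r'(\d+)\s+of\s+\(\s*\$(\w*)\*\s*\)')

def defined_strings(rule: str) -> dict:
    """Map each $identifier to its literal text."""
    return dict(STRING_DEF.findall(rule))

def check_rule(rule: str, min_len: int = 6) -> list:
    """Return (severity, message) findings; an empty list means the rule passed."""
    strings = defined_strings(rule)
    findings = []
    # 1. Unsatisfiable quantifier: asks for more strings than the prefix group holds.
    for count, prefix in N_OF_GROUP.findall(rule):
        members = [name for name in strings if name.startswith(prefix)]
        if int(count) > len(members):
            findings.append(("error", f"'{count} of (${prefix}*)' can never match: "
                                      f"only {len(members)} string(s) start with ${prefix}"))
    # 2. False-positive risk: short generic literals appear in countless benign files.
    for name, value in strings.items():
        if len(value) < min_len:
            findings.append(("warning", f'${name} = "{value}" is shorter than {min_len} chars'))
    return findings

if __name__ == "__main__":
    for severity, message in check_rule(SAMPLE_RULE):
        print(f"[{severity}] {message}")
```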
YaraGen-AI is an intelligent YARA rule generator that creates detection rules from multiple sources:
- Natural language - Describe what you want to detect, the AI generates the rule
- File samples - PE/ELF/Mach-O analysis with automatic extraction
- IOC indicators - Generation from hashes, domains, IPs, URLs
- Behavioral patterns - Injection, persistence, C2, etc.
- Templates - 8 pre-configured malware categories
```bash
pytest tests/ -v --cov=yaragen_ai
```

- ADBloodHound-AI - AD attack path analysis
- KQLHunter - KQL query generator for Azure Sentinel
- KVortex - VRAM to RAM Offloader
Ayi NEDJIMI - Cybersecurity & AI Consultant
- Website: ayinedjimi-consultants.fr
- HuggingFace: AYI-NEDJIMI
- GitHub: ayinedjimi
MIT License - see LICENSE