From 38bf334e8ee2236295d337337727500aeba1873e Mon Sep 17 00:00:00 2001 From: Sylvain Pelissier Date: Wed, 23 Oct 2024 13:57:38 +0200 Subject: [PATCH] Merge yara content in a single file --- README.md | 2 +- src/r2yara/intro.md | 68 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 69 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 44a8f920..ecbf84fa 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,6 @@ Please contribute by updating and improving the contents. * [Github](https://github.com/radareorg/radare2-book) * [Read it Online](https://book.rada.re/) -Read the [CONTRIBUTING.md](https://github.com/radareorg/radare2-book/blob/master/CONTRIBUTING.md) guidelines before submiting a pull request to the github repository. +Read the [CONTRIBUTING.md](https://github.com/radareorg/radare2-book/blob/master/CONTRIBUTING.md) guidelines before submitting a pull request to the github repository. Thanks! diff --git a/src/r2yara/intro.md b/src/r2yara/intro.md index f75980d3..5293b858 100644 --- a/src/r2yara/intro.md +++ b/src/r2yara/intro.md 
@@ -98,3 +98,71 @@ SHA256_Constants ``` As soon as a pattern is identified, a flag is created at the pattern address. + +## Rule generator + +r2yara allows the creation of YARA rules inside radare2 with the `yrg` group of commands: + +```console +[0x00000000]> yrg? +Usage: yrg [action] [args..] load and run yara rules inside r2 +| yrg- delete last pattern added to the yara rule +| yrg-* delete all the patterns in the current rule +| yrgs ([len]) add string (optionally specify the length) +| yrgx ([len]) add hexpairs of blocksize (or custom length) +| yrgf ([len]) add function bytepattern signature +| yrgz add all strings referenced from current function +``` + +The current state of the YARA rule can be displayed with the `yrg` command: + +```console +[0x00000000]> yrg +WARN: See 'yrg?' to find out which subcommands use to append patterns to the rule +rule rulename : test { + meta: + author = "user" + description = "My first yara rule" + date = "2024-10-22" + version = "0.1" +} +``` + +Let's assumed we have found an interesting string during reversing: + +```console +[0x00132700]> ps +expand 32-byte k +``` + +To add into this pattern to the current YARA rule, the command `yrgs` can be used together with the length of the pattern to add: + +```console +[0x00132700]> yrgs 16 +[0x00132700]> yrg +rule rulename : test { + meta: + author = "sylvain" + description = "My first yara rule" + date = "2024-10-22" + version = "0.1" + strings: + $ = "expand 32-byte k" + condition: + all of them +``` + +The rule parameters can be changed in the configuration. For example to change the name of the rule, use the following command: + +```console +[0x00132700]> e yara.rule = Salsa20 +``` + +Once the rule is ready, it can be added to other active YARA rules: + +```console +[0x00132700]> yr+ +INFO: Rule successfully added +[0x00132700]> yrl +Salsa20 +```
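Review bot: In the README.md hunk, the changed line still has lowercase "github" ("pull request to the github repository"); since this line is already being touched to fix "submiting", consider writing "GitHub repository" in the same commit so the project name is capitalised consistently.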
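Review bot: In the src/r2yara/intro.md hunk, the `yrg` output shown after `yrgs 16` is inconsistent with the earlier `yrg` output and is not closed: the meta block switches from `author = "user"` to `author = "sylvain"`, and the second rule listing ends at `all of them` without the closing `}` that the first listing has. Either regenerate both captures from the same session or align them by hand, since readers will paste this as a YARA rule and an unbalanced brace will not parse. Two wording fixes in the prose: "Let's assumed we have found an interesting string" should read "Let's assume we have found an interesting string", and "To add into this pattern to the current YARA rule" should read "To add this pattern to the current YARA rule". Finally, "The rule parameters can be changed in the configuration" only demonstrates `e yara.rule = Salsa20`; since the listing shows `author`, `description`, `date` and `version` in the meta block, it would help to name the corresponding `yara.*` config keys (or show how to list them) so users can set a real author instead of the placeholder, and the sentence "it can be added to other active YARA rules" would be clearer as "it can be added to the set of loaded rules", which is what the `yr+` then `yrl` output demonstrates.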