I don't think fullword makes sense here, given that the base64 modifiers are meant to work when the string you're searching for is embedded anywhere in a base64 encoded string. This requires that it strip some leading and trailing bytes. If you want to find it without this behavior just put the base64 string in as a literal and don't use the modifiers. A quick comment about what it is in decoded form will help readability.
-- WXS

> On Jul 7, 2020, at 2:34 PM, Wes Hurd <13hu...@gmail.com> wrote:
>
> Hi again,
>
> I'm wondering if there is a way to match Base64 strings only when they are
> 'fullword', standalone.
>
> For example:
> rule base64_Example
> {
>     strings:
>         $s = "setsockopt" base64 base64wide // c2V0c29ja29wdA==
>     condition:
>         $s
> }
>
> This rule will match anything containing the string "c2V0c29ja29wdA"
> What if I want it to only match on the standalone base64 string
> "c2V0c29ja29wdA==" ?
> Obviously I could match that string literal but I was curious if it would
> make sense for base64 to do this, for readability and flexibility ?
>
> Using fullword with base64 modifiers does not seem to be supported.
> invalid modifier combination "base64 fullword"
>
> Thank you,
>
> - Wes
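
Added example, not part of the original thread and not YARA's own code: a Python model of the behaviour the reply describes, where leading and trailing base64 characters are stripped so the string is found at any byte alignment, set beside a standalone check on the literal. The function names and sample blobs are constructed for this illustration.

```python
import base64
import re

B64_CHARS = "A-Za-z0-9+/="

def base64_patterns(plain: bytes) -> list[str]:
    """Alignment-independent base64 fragments of `plain`, one per offset mod 3."""
    patterns = []
    for offset in range(3):
        encoded = base64.b64encode(b"\x00" * offset + plain).decode().rstrip("=")
        # Leading characters that mix in bits of the unknown preceding bytes.
        lead = (0, 2, 3)[offset]
        # If the input does not end on a 3-byte boundary, the last character
        # also carries bits of whatever byte follows, so it is dropped too.
        trail = 1 if (offset + len(plain)) % 3 else 0
        patterns.append(encoded[lead:len(encoded) - trail])
    return patterns

def embedded_hit(blob: str, plain: bytes) -> bool:
    """Model of the modifier: hit if any stripped fragment occurs anywhere."""
    return any(p in blob for p in base64_patterns(plain))

def standalone_hit(blob: str, plain: bytes) -> bool:
    """Literal approach: the full encoding, not part of a longer base64 run."""
    literal = re.escape(base64.b64encode(plain).decode())
    pattern = rf"(?<![{B64_CHARS}]){literal}(?![{B64_CHARS}])"
    return re.search(pattern, blob) is not None

def demo() -> dict[str, tuple[bool, bool]]:
    plain = b"setsockopt"
    # Constructed samples: one standalone literal, three embedded alignments,
    # and the literal glued onto a longer base64 run.
    samples = {"standalone": 'cmd="c2V0c29ja29wdA=="',
               "glued": "AAAAc2V0c29ja29wdA=="}
    for shift in range(3):
        raw = b"x" * shift + plain + b"(fd)"
        samples[f"embedded+{shift}"] = base64.b64encode(raw).decode()
    return {name: (embedded_hit(blob, plain), standalone_hit(blob, plain))
            for name, blob in samples.items()}

if __name__ == "__main__":
    print(base64_patterns(b"setsockopt"))
    for name, (emb, alone) in demo().items():
        print(f"{name:12} embedded={emb} standalone={alone}")
```

Every sample hits the stripped-fragment search, while only the standalone literal passes the boundary check.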