I don't think fullword makes sense here, given that the base64 modifiers are 
meant to work when the string you're searching for is embedded anywhere in a 
base64 encoded string. This requires that it strip some leading and trailing 
bytes. If you want to find it without this behavior just put the base64 string 
in as a literal and don't use the modifiers. A quick comment about what it is 
in decoded form will help readability.

-- WXS

> On Jul 7, 2020, at 2:34 PM, Wes Hurd <13hu...@gmail.com> wrote:
> 
> Hi again,
> 
> I'm wondering if there is a way to match Base64 strings only when they are 
> 'fullword', standalone.
> 
> For example:
> rule base64_Example
> {
> strings:
>     $s = "setsockopt" base64 base64wide // c2V0c29ja29wdA==
> condition:
>     $s
> }
> 
> 
> This rule will match anything containing the string "c2V0c29ja29wdA".
> What if I want it to only match on the standalone base64 string
> "c2V0c29ja29wdA=="?
> Obviously I could match that string literal, but I was curious if it would
> make sense for base64 to do this, for readability and flexibility?
> 
> Using fullword with base64 modifiers does not seem to be supported.
> invalid modifier combination "base64 fullword"
> 
> Thank you, 
> 
>  - Wes
> 
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to yara-project+unsubscr...@googlegroups.com 
> <mailto:yara-project+unsubscr...@googlegroups.com>.
> To view this discussion on the web visit 
> https://groups.google.com/d/msgid/yara-project/e160da25-1de2-4f07-bcd3-31ae0c50b779o%40googlegroups.com
>  
> <https://groups.google.com/d/msgid/yara-project/e160da25-1de2-4f07-bcd3-31ae0c50b779o%40googlegroups.com?utm_medium=email&utm_source=footer>.
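Wes asks for a standalone match and WXS explains that the modifier has to strip leading and trailing bytes. The following added example (my own Python, not code from the thread or from YARA) shows why: for each of the three byte alignments only some of the base64 characters depend on the needle alone, so the searchable variant is shorter than the padded literal and its ends do not fall on token boundaries, while `find_standalone` is the literal-plus-fullword alternative WXS suggests. The stripping rule is my bit-level derivation of the idea, not a claim about YARA's exact internal strings.

```python
import base64
import re

def base64_alignments(needle: bytes) -> list[str]:
    """For each of the three byte alignments, return the run of base64
    characters determined solely by `needle` (my own derivation of the idea
    behind YARA's base64 modifier, not YARA's code or its exact output)."""
    variants = []
    for offset in range(3):
        # Prepend `offset` dummy bytes so the needle starts at that position
        # inside a 3-byte group, encode, and drop the '=' padding.
        enc = base64.b64encode(b"\x00" * offset + needle).decode().rstrip("=")
        # Leading chars that also carry bits of the dummy bytes:
        # offset 1 -> first 2 chars, offset 2 -> first 3 chars.
        lead = (0, 2, 3)[offset]
        # A final char that mixes in bits of whatever byte follows the needle
        # exists whenever the needle does not end on a 3-byte boundary.
        tail = 1 if (offset + len(needle)) % 3 else 0
        variants.append(enc[lead:len(enc) - tail])
    return variants

def find_embedded(blob: str, needle: bytes) -> list[tuple[int, str]]:
    """(position, variant) for every alignment variant found anywhere in the
    blob, i.e. the 'embedded anywhere' behaviour of the base64 modifier."""
    return [(m.start(), v) for v in base64_alignments(needle)
            for m in re.finditer(re.escape(v), blob)]

def find_standalone(blob: str, needle: bytes) -> list[int]:
    """Positions of the complete, padded encoding of `needle` as a token with
    no alphanumeric neighbour (the literal string plus fullword approach)."""
    literal = re.escape(base64.b64encode(needle).decode())
    pattern = r"(?<![A-Za-z0-9])" + literal + r"(?![A-Za-z0-9])"
    return [m.start() for m in re.finditer(pattern, blob)]

if __name__ == "__main__":
    needle = b"setsockopt"
    print(base64_alignments(needle))  # ['c2V0c29ja29wd', 'NldHNvY2tvcH', 'zZXRzb2Nrb3B0']
    # Constructed samples: the needle embedded at alignments 0, 1 and 2 of a
    # larger buffer, then one standalone token inside other text.
    for sample in (b"setsockopt\n", b"Xsetsockopt\n", b"XYsetsockopt\n"):
        blob = base64.b64encode(sample).decode()
        print(blob, find_embedded(blob, needle), find_standalone(blob, needle))
    print(find_standalone("cfg: c2V0c29ja29wdA== done", needle))  # [5]
```

Note that the offset-0 variant is "c2V0c29ja29wd" rather than the full "c2V0c29ja29wdA==": the 'A' already mixes in bits of the next byte, which is exactly the character a fullword boundary would have to sit on.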
