This is a decision made by YARA. The underlying code which is doing the hashing 
is OpenSSL and that outputs using lowercase. Even if we switched it to all be 
uppercase we would have users complaining that they are expecting lowercase. We 
can't please everyone, so we just have to pick one and stick to it.

-- WXS

> On Feb 22, 2021, at 11:53 AM, Jonathan Livolsi <jlivo...@gmail.com> wrote:
> 
> Hi,
> 
> Ok, so because every hashing algorithm returns hashes in all uppercase and 
> yara requires all lower case, the only solution is for the user to manually 
> go through and change all uppercase to lowercase in the hash rather than have 
> either a tolower() functionality added to the yara rules or allow yara to 
> recognize both upper and lower case characters?  I feel like the industry 
> accepted standard for all hashing algorithms is that they are always in 
> uppercase and that should be expected, not the other way around.  I mean my 
> years of being a developer supports that gut feeling.  I am genuinely 
> confused by this decision to only accept lowercase and not upper for hashes.  
> Is this a virustotal issue or just a decision in the programming for yara?
> 
> 
> Jonathan
> 
> On Mon, Feb 22, 2021 at 11:33 AM Wesley Shields <w...@atarininja.org> wrote:
> See the warning at the top of 
> https://yara.readthedocs.io/en/stable/modules/hash.html - all hashes are 
> returned in lowercase.
> 
> -- WXS
> 
>> On Feb 22, 2021, at 11:30 AM, Jonathan Livolsi <jlivo...@gmail.com> wrote:
>> 
>> Hi,
>> 
>> I am going through a lab to learn yara rules and have a simple problem but I 
>> am not seeing why this might be happening.  It is an online course and their 
>> support doesn't help with this kind of stuff.  I am just writing a simple 
>> rule to check the MZ bits and the file hash for MD5, SHA1, and SHA256.  
>> Nothing complicated about it.
>> 
>> In this screenshot I have in my simple yara rule a check for the first bytes 
>> of 5A4D and it works fine.  I commented out the hash checks and in the 
>> console you can see that I get a 1 returned because the rule matched.  
>> <Capture1.JPG>
>> 
>> In this screenshot I uncommented the hash checks and the rule fails to 
>> match.  If I comment out the strings and the check in the conditions but 
>> leave in the hash (even just one at a time) the rule does not ever match.  
>> Yet in the PowerShell prompt to the right I have the calculated hashes that 
>> I used in the rule.  Am I missing something?
>> <Capture2.JPG>
>> 
>> Thanks for the help.
>> 
>> 
>> Jonathan
>> 
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "YARA" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to yara-project+unsubscr...@googlegroups.com 
>> <mailto:yara-project+unsubscr...@googlegroups.com>.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/yara-project/CACYKFWr7-UYXkMr1jDQMaFOBMm6%2BTq7Av-VfdBCgCgNoyS7q_g%40mail.gmail.com
>>  
>> <https://groups.google.com/d/msgid/yara-project/CACYKFWr7-UYXkMr1jDQMaFOBMm6%2BTq7Av-VfdBCgCgNoyS7q_g%40mail.gmail.com?utm_medium=email&utm_source=footer>.
> 
> 

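An added example, not part of the original thread and not YARA project code: a small Python check that finds `hash.md5`/`hash.sha1`/`hash.sha256` comparisons in rule source and lowercases digests that were pasted in uppercase, since the hash module returns lowercase. The function name, the sample rule, and the extra length and non-hex checks are assumptions that go beyond what the thread discusses.

```python
import re

# Hex digest length for each hash-module function used in the thread.
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64}

# Matches a comparison such as: hash.md5(0, filesize) == "D41D..."
HASH_CMP = re.compile(r'(hash\.(md5|sha1|sha256)\s*\([^)]*\)\s*==\s*")([^"]*)(")')


def lint_hash_literals(rule_text):
    """Return (fixed_text, findings) for hash comparisons in YARA rule source."""
    findings = []

    def fix(m):
        prefix, algo, literal, quote = m.groups()
        line_no = rule_text.count("\n", 0, m.start()) + 1
        if not re.fullmatch(r"[0-9A-Fa-f]*", literal):
            findings.append((line_no, algo, "non-hex characters"))
            return m.group(0)  # leave for a human to fix
        if len(literal) != DIGEST_LEN[algo]:
            findings.append((line_no, algo, "wrong length"))
            return m.group(0)
        if literal != literal.lower():
            findings.append((line_no, algo, "uppercase hex, cannot match"))
        return prefix + literal.lower() + quote

    return HASH_CMP.sub(fix, rule_text), findings


# Constructed sample rule. The digests are the well-known MD5/SHA1 of empty
# input, used only as hex strings; the MD5 is written in uppercase on purpose.
SAMPLE_RULE = '''import "hash"
rule mz_with_hashes
{
    condition:
        uint16(0) == 0x5A4D and
        hash.md5(0, filesize) == "D41D8CD98F00B204E9800998ECF8427E" and
        hash.sha1(0, filesize) == "da39a3ee5e6b4b0d3255bfef95601890afd80709"
}
'''

if __name__ == "__main__":
    fixed, findings = lint_hash_literals(SAMPLE_RULE)
    for line_no, algo, problem in findings:
        print(f"line {line_no}: hash.{algo}: {problem}")
    print(fixed)
```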