Re: line number

Hi Cody, Are you using Yara to match rules on text files? Att, Fernando Mercês mentebinaria.com.br <http://www.mentebinaria.com.br> --- On Sat, Feb 20, 2016 at 5:59 PM, Cody West wrote: > Sorry if this has already been asked. I've searched through group

Re: Error scanning... Could not open file

Hi SKL, Maybe it's not a Yara problem. Can you list this file through cmd (dir command)? Att, Fernando Mercês mentebinaria.com.br <http://www.mentebinaria.com.br> --- On Thu, Apr 14, 2016 at 2:32 AM, SKL wrote: > Hi Guys, > > > I am new to Y

Re: Rule Name question

} You may want to set your "a" rule as private too: https://yara.readthedocs.io/en/v3.4.0/writingrules.html#private-rules Thanks. Att, Fernando Mercês mentebinaria.com.br <http://www.mentebinaria.com.br> --- On Thu, Apr 28, 2016 at 8:04 AM, Jim K

Re: Yara needs overlay offset

Sorry to reply to an old thread but I had the same need and decided to create a patch (discussion at https://github.com/VirusTotal/yara/issues/432), that is on my Yara fork at https://github.com/merces/yara/ This commit adds pe.overlay location: https://github.com/merces/yara/commit/39447516d82454

Re: Yara needs overlay offset

erlay.size. > > -- WXS > > > On Aug 15, 2016, at 12:02 AM, Fernando Mercês wrote: > > > > Sorry to reply to an old thread but I had the same need and decided to > create a patch (discussion at https://github.com/VirusTotal/ > yara/issues/432), that is on my Yara fork

Re: Yara needs overlay offset

t it out tonight, but assume it looks good > to me (for whatever that is worth) unless I speak up. > > -- WXS > > > On Aug 15, 2016, at 4:11 PM, Fernando Mercês wrote: > > > > Hi Wesley, > > > > Thanks for that. Indeed it looks better this way. I've p

Re: Yara needs overlay offset

at Victor > and others think about it! :) > > -- WXS > > > On Aug 15, 2016, at 4:45 PM, Fernando Mercês wrote: > > > > Another excelent suggestion, Wesley. Thanks! It's done now. ;-) > > > > https://github.com/merces/yara/commit/c6a

Re: File type rules repository

I couldn't find anything public. :-( Here there are rules for 3 file types only: https://github.com/godaddy/yara-rules/tree/master/utility But keep in mind that Yara as a module called "magic" that contains the database used in libmagic (by "file" UNIX command for example): https://yara.readthedo

Re: File type rules repository

Hi Jim, You are very welcome. :) Well if you are running Yara under Windows, an interesting project would be to use TrID to guess the file type, write a script to parse its output, define an external variable (a string containing the filetype) and check this from the yara rule [2]. Of course anot

Re: how -d param use？

Hi, You define an external variable using the -d option when calling Yara in the command line and can use this variable name in the Yara ruleset file you pass as argument to the yara program. For i.e.: $ cat rule.yar rule rule_example { condition: foo contains "bar" } $ yara -d foo="bar" rule.ya

Re: Emrging YARA with AV

Hi Ahmed, Yara is not supposed to replace AV. You may want to have a look at this project: https://github.com/godaddy/procfilter Att, @MercesFernando mentebinaria.com.br --- On Thu, Nov 2, 2017 at 1:20 PM, Ahmed Neil wrote: > Hello Hunt

Re: error: syntax error, unexpected '=', expecting _STRING_IDENTIFIER_

Yes. And you'd have to scape the dollar signs too. Or you could just use single quotes around the whole thing: echo 'rule a { strings: $h = "arnav" condition: $h }' > a Att, @MercesFernando mentebinaria.com.br --- On Sun, Mar 18, 2018

Re: Adding total number of occurrences of multiple strings

Hi Raghvendra, #str1 + #str2 + #str3 > 20 should work, no? Hope that helps. Att, Fernando Mercês <https://twitter.com/mer0x36> | menteb.in On Thu, Sep 20, 2018 at 3:48 PM raghvendra mishra wrote: > Hi, > I am trying to do a heuristic based detection of malware samples using

Re: creating yara rules in windows

ice syntax highlighting for .yar files. 😉 Att, Fernando Mercês <https://twitter.com/mer0x36> | menteb.in On Thu, Oct 25, 2018 at 8:26 PM wrote: > > > just need a program to create signatures that works in windows > >> >> -- > You received this message because you are sub

Re: Yara Regex on matching any URL

By the way, there is an open pull request to add a "URL module" do Yara: https://github.com/VirusTotal/yara/pull/1085 Not sure how it'll end up though. :) Att, Fernando Mercês <https://twitter.com/mer0x36> | menteb.in On Wed, Jul 3, 2019 at 12:42 PM John Daviso

Re: I am very new to Yara and let me know which IDE is best for YARA rules

://marketplace.visualstudio.com/items?itemName=infosec-intern.yara Att, Fernando Mercês <https://twitter.com/mer0x36> | menteb.in On Mon, Jul 22, 2019 at 6:35 AM safeer muhammed wrote: > I am very new to Yara and let me know which IDE is best for YARA rules > > -- > You received this messa

Re: Exact string match

Hello. Check if if helps https://yara.readthedocs.io/en/latest/writingrules.html#searching-for-full-words ;-) Att, Fernando Mercês <https://twitter.com/mer0x36> | menteb.in On Tue, Dec 24, 2019 at 4:21 AM Nibin V M wrote: > Hello, > > Is it possible to write rules for exa

Re: Yara error: includes depth exceeded

; done $ >17.yar $ yara 1.yar 1.yar 16.yar(1): error: includes depth exceeded Hope that helps. [1] https://yara.readthedocs.io/en/latest/writingrules.html#including-files [2] https://github.com/VirusTotal/yara/blob/master/libyara/include/yara/limits.h#L107 Att, Fernando Mercês <https://tw

Re: PE rule matches when run under yara-python but not in yara ??!

t;, "copyright", "credits" or "license" for more information. >>> import yara >>> scan = yara.compile("./test_odd_pe_py_match.yara") >>> scan.match(filepath="154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8&

Re: PE rule matches when run under yara-python but not in yara ??!

his 4.0.2 version to test. :( Att, Fernando Mercês <https://twitter.com/mer0x36> | menteb.in On Tue, Jul 7, 2020 at 5:37 PM Fernando Mercês wrote: > Hi, > > I couldn't reproduce it here. > > $ cat test_odd_pe_py_match.yara > import "pe" > > r

Re: Malware Detection using Fuzzy Yara Rules

Hi Ryan, I found your message a bit confusing. You started talking about malware (samples), then you mentioned you created a web app to detect malicious URLs. And then you say you’re lost, but what exactly are you targeting? I don’t think Yara is that binary. Some thoughts: * The sensitiv

Re: Using YARA in .NET WinForms (C#)

Hello! Apparently, there are a few wrappers for libyara in .NET. I've never used them, but if you search for "yara .net library", results include https://github.com/microsoft/libyara.NET and https://www.nuget.org/packages/dnYara Thanks, Fernando On Sun, Oct 9, 2022 at 10:33 AM Z_SnakeSilent Area

Re: Yara for executable

Hello. Do you mean Windows executables? If so, there's a PE module you should use. A sample rule is as follows: import "pe" rule exe { condition: pe.is_pe and not (pe.characteristics & pe.DLL) and pe.subsystem != pe.SUBSYSTEM_NATIVE } The above rule matches executables (.ex

Re: Yara not scanning all file content

Hello, have a look at the -z switch in yara command manual (*man yara* or here ). If you want to do this programmatically, you can just read the first 200KB of the file before passing it to libyara. ;) Best, On Tue, Aug 22, 2023 at 9:34 AM

Re: Yara not scanning all file content

Hello! I don't think it is possible to control how much of the file libyara *reads*. You could try fast matching mode, but I believe libyara would still load the whole file to memory before starting matching your rules regardless of how these rules are written. I believe nothing can be faster tha

Re: Yara not scanning all file content

You're welcome. That was a good discussion. Thanks for that too. On Thu, Aug 24, 2023 at 3:28 AM neslihan hanecioglu < neslihanecio...@gmail.com> wrote: > Hello, > > Thank you very much for taking your time and for your help Sir. > > Sincerely. > > 24 Ağustos 2023 Perşembe tarihinde saat 02:24:23