I can't replicate this behavior using 3.5.0 or latest master.
wxs@wxs-mbp yara % cat foo
include "./global.yar"
include "./misc.yar"
wxs@wxs-mbp yara % cat global.yar
global rule fileSizeLimit { condition: filesize < 1KB }
wxs@wxs-mbp yara % cat misc.yar
rule foo { condition: true }
wxs@wxs-mbp yara % ls -l /bin/ls
-rwxr-xr-x 1 root wheel 38624 Jul 15 00:29 /bin/ls*
wxs@wxs-mbp yara % ./yara foo /bin/ls
wxs@wxs-mbp yara %
When you say regardless of file size are you sure you're above the 8MB? Keep in
mind that 8MB is 8 * 1048576, which is 8388608.
-- WXS
> On Jul 28, 2017, at 7:01 AM, necrophcodr <tcg.thega...@gmail.com> wrote:
>
> So I've got quite a few rules, but it all comes down to this:
>
> include "./rules/global.yar"
> include "./rules/misc.yar"
>
>
> The global.yar file contains
>
> global rule fileSizeLimit { condition: filesize < 8MB }
>
>
> Any rule defined in rules/misc.yar are matched regardless of file size, but
> this is not what I intend. What am I doing wrong here?
>
> If this is not the right place to post, that's alright, feel free to slap me
> on the wrist and direct me to the correct location.
>
> edit:
>
> I should mention this is using Yara 3.5.0. I don't have a chance to upgrade
> this within the week.
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to yara-project+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to yara-project+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
