Re: YARA rule to search for a file with a certain name

Thank you very much for your answer. I did read the forum entries and instructions about passing the filename as an external variable. I am also fully aware that the filename is not a very reliable indicator. But nevertheless it is an indicator. In this case I will have to see how we can pass the filename from different tools. Our intention is to use YARA rules for "all" IOCs and to use them in different tools like virus scanners, other content scanners and tools like osquery.

On Monday, 12 November 2018 15:10:35 UTC+1, Wesley Shields wrote:
> Filename is not something YARA knows about, nor should it IMO. The filename is a property of the filesystem upon which the file resides, and has no bearing on the content of the file. If you want to use filename in your rule you have to pass it in as an external variable. Check out https://github.com/VirusTotal/yara/issues/202 for more details.
>
> -- WXS
>
> > On Nov 12, 2018, at 7:21 AM, Michael Herren wrote:
> >
> > Hello
> >
> > Please be gentle with me. I am new to YARA and the writing of such rules. I am planning to write a set of YARA rules each describing an IOC. A very simple IOC is the existence of a certain file. I was searching the net for a rule which checks if a file with a certain name exists. But all examples I found do not work on my computer. This could be based on my lack of knowledge or the fact that such a function does not exist.
> >
> > Can anyone please help?
> >
> > Kind Regards
> > Michael
> >
> > --
> > You received this message because you are subscribed to the Google Groups "YARA" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to yara-project...@googlegroups.com.
> > For more options, visit https://groups.google.com/d/optout.
Re: YARA rule to search for a file with a certain name

Filename is not something YARA knows about, nor should it IMO. The filename is a property of the filesystem upon which the file resides, and has no bearing on the content of the file. If you want to use filename in your rule you have to pass it in as an external variable. Check out https://github.com/VirusTotal/yara/issues/202 for more details.

-- WXS

> On Nov 12, 2018, at 7:21 AM, Michael Herren wrote:
>
> Hello
>
> Please be gentle with me. I am new to YARA and the writing of such rules. I am planning to write a set of YARA rules each describing an IOC. A very simple IOC is the existence of a certain file. I was searching the net for a rule which checks if a file with a certain name exists. But all examples I found do not work on my computer. This could be based on my lack of knowledge or the fact that such a function does not exist.
>
> Can anyone please help?
>
> Kind Regards
> Michael
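Wesley's approach, as an added example that is not part of the thread: the rule reads the name from an external variable and pairs it with a content check so the name alone does not decide the match. The variable name `filename`, the placeholder indicator `badupdate.exe` and the command lines in the comments are assumptions.

```yara
// Added example, not from the thread. The rule never touches the filesystem:
// `filename` is an external variable that the calling tool must define, e.g.
//   yara -d filename="$(basename "$f")" ioc_file.yar "$f"
// or, with yara-python, externals={'filename': os.path.basename(path)} passed
// to both compile() and match(). If the scanner omits it, compilation fails
// with "undefined identifier", which is the intended fail-closed behaviour.
// "badupdate.exe" is a constructed placeholder, not a real indicator.

rule ioc_named_file_with_pe_content
{
    meta:
        description = "File carrying the IOC name AND looking like a PE executable"
        author      = "added example"

    condition:
        // Match the bare name or the last path component, case-insensitively,
        // so tools that pass a full path behave like tools that pass a name.
        filename matches /(^|[\\\/])badupdate\.exe$/i
        // Anchor on content as well: the name by itself is a weak indicator.
        and uint16(0) == 0x5A4D   // "MZ" DOS header
        and filesize < 10MB
}

rule ioc_named_file_any_content
{
    meta:
        description = "Name-only variant for tools that cannot read content; lower confidence"
        author      = "added example"

    condition:
        filename matches /(^|[\\\/])badupdate\.exe$/i
}
```

Each tool that runs the rule set has to supply the variable itself, which is the integration work the reply above refers to.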
YARA rule to search for a file with a certain name

Hello

Please be gentle with me. I am new to YARA and the writing of such rules. I am planning to write a set of YARA rules each describing an IOC. A very simple IOC is the existence of a certain file. I was searching the net for a rule which checks if a file with a certain name exists. But all examples I found do not work on my computer. This could be based on my lack of knowledge or the fact that such a function does not exist.

Can anyone please help?

Kind Regards
Michael