What about this:

wxs@wxs-mbp yara % cat foo
foo
wxs@wxs-mbp yara % cat bar
rule test {
  strings:
    $a = "foo"
    $b = "bar"
  condition:
    all of them
}
wxs@wxs-mbp yara % ./yara -ns bar foo
test foo
0x0:$a: foo
wxs@wxs-mbp yara %

This prints all rules that DO NOT match and the strings in them that DO match 
(and by process of elimination the strings that DO NOT match are the ones left 
over). Keep in mind though that strings are not the only things that can cause 
a condition to evaluate to false.

-- WXS

> On Nov 17, 2016, at 10:03 AM, John Davison <unixfreak0...@gmail.com> wrote:
> 
> Hey there,
> 
> We often run other people's rules, and at times when we scan larger files we 
> get "internal error: 30" which indicates that yara matched too many strings 
> and basically ran out of room.
> 
> The question that naturally follows is "which string in which rule caused the 
> problem?"  That's hard to figure out because the files we load often have 
> dozens of rules with lots of strings.
> 
> It would be helpful if there was an option that listed the top N strings in 
> order of how many times they matched (and what rule they're in), in 
> descending order.
> 
> Does this functionality exist in other ways?  If not, then could someone 
> point me in what areas of the source code I need to look at to accomplish 
> this?  Would anyone else find this useful?
> 
> -- 
> John W. Davison
> unixfreak0...@gmail.com
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to yara-project+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

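As an added example for this thread (not code from the YARA project or from either poster), the following script does the "top N strings by match count, with the rule they belong to" ranking asked for above, by tallying the per-string lines that `yara -s` (or `yara -ns`) prints. It assumes the plain output layout shown in the transcript: a header line of the form "<rule_name> <path>" for each reported rule, followed by one line per match in the form "0x<offset>:$<id>: <data>". Tags and metadata output (-g, -m) are not handled, and the sample output embedded in the script is constructed for the demo, not real scan output. It only ranks what yara actually printed, so it is most useful on a scan that ran to completion; the rule and path names are arbitrary.

```python
"""Rank string identifiers in `yara -s` output by how many matches were printed.

Added example for this thread, not code from the YARA project. Assumes the plain
`yara -s` / `yara -ns` output layout: "<rule_name> <path>" header lines, each
followed by "0x<offset>:$<id>: <data>" match lines. Tags/meta (-g, -m) are not
handled.
"""
import re
import sys
from collections import Counter

# Match line: hex offset, string identifier (possibly anonymous "$"), then data.
MATCH_LINE = re.compile(r"^0x[0-9A-Fa-f]+:(\$\w*):")
# Header line: rule identifier, whitespace, scanned path. Rule identifiers
# cannot start with a digit, so a header never looks like a match line.
HEADER_LINE = re.compile(r"^([A-Za-z_]\w*)\s+(\S.*)$")


def tally_string_hits(output_lines):
    """Return a Counter keyed by (rule_name, string_id) -> printed match count."""
    hits = Counter()
    current_rule = None
    for raw in output_lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        m = MATCH_LINE.match(line)
        if m:
            if current_rule is None:
                # A match line before any header is malformed input; skip it.
                continue
            hits[(current_rule, m.group(1))] += 1
            continue
        h = HEADER_LINE.match(line)
        if h:
            current_rule = h.group(1)
    return hits


def top_strings(output_lines, n=10):
    """Return the n noisiest (rule_name, string_id, count) triples, descending.

    Ties are broken by (rule_name, string_id) so the result is deterministic.
    """
    hits = tally_string_hits(output_lines)
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(rule, sid, count) for (rule, sid), count in ranked[:n]]


# Constructed sample of `yara -s` output (not real scan output) for a demo run.
SAMPLE_OUTPUT = """\
noisy_rule sample.bin
0x0:$a: MZ
0x1000:$a: MZ
0x2000:$a: MZ
0x2040:$b: kernel32.dll
quiet_rule sample.bin
0x10:$x: foo
"""


if __name__ == "__main__":
    # Usage: yara -ns rules.yar big_file | python3 tally_yara_strings.py [N]
    # With no piped input, the constructed sample above is ranked instead.
    n = int(sys.argv[1]) if len(sys.argv) > 1 else 10
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE_OUTPUT.splitlines(True)
    for rule, sid, count in top_strings(src, n):
        print(f"{count:8d}  {rule}:{sid}")
```

Pipe the scan output in (`yara -ns rules.yar big_file | python3 tally_yara_strings.py 20`) and the string that is firing thousands of times shows up at the top together with its rule; the same caveat as above applies, a string that fires a lot is not necessarily the one that made the condition false.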