If what you want is preventing large files from being scanned at all, yes,
that's something you won't achieve with a global rule with a "filesize < X"
condition. People tend to think that a condition like "false and $a" means
that string $a is not searched at all, but that's not the case because

Ok, so it isn’t a question of incorrect matching like you originally said.
It is really a question of searching a file even if it doesn’t pass the
global rules. This is a misunderstanding I sometimes see. All strings are
collected and searched for in a single pass, then global rules are
evaluated.
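
One way to keep oversized files away from the scanner entirely is to filter by size before `yara` is ever invoked, since a global `filesize` rule is only evaluated after the strings have been searched. This is an added example, not code from the thread or from the YARA project; the function names and the 8 MiB default (mirroring the thread's `filesize < 8MB`) are assumptions, and it assumes the `yara` command-line tool is on PATH and is called as `yara RULES_FILE FILE`.

```shell
#!/bin/sh
# Added example (hypothetical helper names): size pre-filter in front of yara.

# Default limit mirrors "filesize < 8MB" from the thread (8 * 1024 * 1024 bytes).
LIMIT_BYTES=8388608

# list_scannable DIR [LIMIT_BYTES]
# Prints every regular file under DIR that is strictly smaller than the limit.
# The "c" suffix makes find compare exact byte counts. Writing "-size -8M"
# instead would round each file up to whole MiB units before comparing, so
# files between 7 MiB and 8 MiB would be dropped without any warning.
list_scannable() {
    find "$1" -type f -size "-${2:-$LIMIT_BYTES}c" -print
}

# scan_scannable RULES_FILE DIR [LIMIT_BYTES]
# Runs yara once per file that passes the size check. Files at or above the
# limit are never opened by yara, so none of their content is searched.
# "-exec ... \;" is used because yara accepts a single target per invocation.
scan_scannable() {
    find "$2" -type f -size "-${3:-$LIMIT_BYTES}c" -exec yara "$1" {} \;
}

# Usage (assumed layout from the thread):
#   scan_scannable inc.yar .
```

With this in place the global `fileSizeLimit` rule becomes a second line of defence rather than the only size check.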

Alright, I've solved the issue:
Albeit this is synthetic, running
```
for f in $(seq 0 100); do printf "\n\n\n\n\n\n\n\n\n\n" >> text.txt;
done
```
And then
```
yara inc.yar .
```
In the directory with the yara files, yields, on my test system:
```
./misc.yar(9): warning: $newline is
```

I still can not replicate your problem.
A couple of things to note however:
"internal error: 30" is because there are too many matches, which happens when
a single string matches too many times. It has nothing to do with file size
like you guessed.
Your "newline_one" rule is marked as private

I can't replicate this behavior using 3.5.0 or latest master.
```
wxs@wxs-mbp yara % cat foo
include "./global.yar"
include "./misc.yar"
wxs@wxs-mbp yara % cat global.yar
global rule fileSizeLimit { condition: filesize < 1KB }
wxs@wxs-mbp yara % cat misc.yar
rule foo { condition: true }
wxs@wxs-mbp
```

So I've got quite a few rules, but it all comes down to this:
```
include "./rules/global.yar"
include "./rules/misc.yar"
```
The global.yar file contains
```
global rule fileSizeLimit { condition: filesize < 8MB }
```
Any rules defined in rules/misc.yar are matched regardless of file size,
but this is