It isn't available in YARA. You can have a script which passes it in as an external variable for each file scanned, but it is less than optimal.

-- WXS

On Sunday, November 1, 2015, <[email protected]> wrote:

> That is the problem I need the extension of the file in question and not
> just the magic bytes. So far I can find a way to obtain it to insert it
> into the rule I need to create.
>
> K
>
> On Sunday, November 1, 2015 at 2:52:45 PM UTC-5, Wesley Shields wrote:
>
>> It is generally not a good idea to do that, file names are a property of
>> the filesystem and not of the file. If you really must you could use an
>> external variable and pass it in. There is documentation on how to do that.
>>
>> You can use the magic module or write your own magic identifiers in your
>> rules to identify file types.
>>
>> -- WXS
>>
>> > On Nov 1, 2015, at 2:36 PM, [email protected] wrote:
>> >
>> > Can anyone tell me if there is an operator or some other way to create
>> > a Yara rule that will allow me to check a file's extension i.e. .doc,
>> > .exe? I am unable to find something like this in the documentation.
>> >
>> > Thanks
>> >
>> > --
>> > You received this message because you are subscribed to the Google
>> > Groups "YARA" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
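
The per-file external variable approach mentioned in this thread, as an added example that is not part of the original messages or of the YARA project. It uses yara-python, where `yara.compile(..., externals=...)` declares the variable and `rules.match(..., externals=...)` overrides it for each file. The rule, the variable name `ext` and the function names are constructed for illustration.

```python
import os
import sys

# Constructed rule: flags PE content (MZ header) stored under a .doc name.
# `ext` is an external variable supplied by this script, not a YARA built-in.
RULE_SOURCE = r'''
rule pe_content_with_doc_extension
{
    condition:
        uint16(0) == 0x5A4D and ext == "doc"
}
'''


def file_extension(path):
    """Lower-cased extension without the dot; '' if the name has none."""
    return os.path.splitext(os.path.basename(path))[1].lstrip(".").lower()


def compile_rules():
    import yara  # yara-python, imported lazily so the helpers load without it
    # Externals must be declared at compile time; "" fixes the type as string.
    return yara.compile(source=RULE_SOURCE, externals={"ext": ""})


def scan_tree(root, rules):
    """Scan every file under root, overriding `ext` per file; return hits."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            try:
                matches = rules.match(path, externals={"ext": file_extension(path)})
            except Exception as exc:  # e.g. yara.Error on an unreadable file
                print(f"skipped {path}: {exc}", file=sys.stderr)
                continue
            hits.extend((path, m.rule) for m in matches)
    return hits


if __name__ == "__main__":
    for path, rule in scan_tree(sys.argv[1], compile_rules()):
        print(f"{rule} {path}")
```

The extension is taken from the path the scanner walks, so a rule written this way does not match when the same bytes are scanned from memory or under another name.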
