It has been raised as a GitHub issue in the past. My personal opinion is it doesn't belong in YARA, but obviously I have no say in that.
-- WXS

On Sunday, November 1, 2015, <[email protected]> wrote:

> Where should I post a request to have the ability added to automatically
> pass the filename or preferably the file extension of the file being
> examined into the rule.
>
> K
>
> On Sunday, November 1, 2015 at 3:39:05 PM UTC-5, Wesley Shields wrote:
>
>> It isn't available in YARA. You can have a script which passes it in as an
>> external variable for each file scanned, but it is less than optimal.
>>
>> -- WXS
>>
>> On Sunday, November 1, 2015, <[email protected]> wrote:
>>
>>> That is the problem I need the extension of the file in question and not
>>> just the magic bytes. So far I can find a way to obtain it to insert it
>>> into the rule I need to create.
>>>
>>> K
>>>
>>> On Sunday, November 1, 2015 at 2:52:45 PM UTC-5, Wesley Shields wrote:
>>>
>>>> It is generally not a good idea to do that, file names are a property
>>>> of the filesystem and not of the file. If you really must you could use an
>>>> external variable and pass it in. There is documentation on how to do that.
>>>>
>>>> You can use the magic module or write your own magic identifiers in your
>>>> rules to identify file types.
>>>>
>>>> -- WXS
>>>>
>>>> > On Nov 1, 2015, at 2:36 PM, [email protected] wrote:
>>>> >
>>>> > Can anyone tell me if there is an operator or some other way to
>>>> > create a Yara rule that will allow me to check a file's extension i.e.
>>>> > .doc, .exe? I am unable to find something like this in the documentation.
>>>> >
>>>> > Thanks
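Added example, not part of the thread and not code from the YARA project: the wrapper-script approach mentioned in the replies, written with yara-python, where the script supplies the extension as an external variable for each file scanned. The rule, the external variable name `ext` and the helper names are assumptions made for this illustration.

```python
import os
import sys

# Constructed rule: flags files that start with an MZ (PE) header but do not
# carry a usual executable extension. `ext` is an external variable; YARA does
# not see the file name, so the wrapper below has to define it per file.
RULE_SOURCE = r'''
rule pe_with_non_executable_extension
{
    condition:
        uint16(0) == 0x5A4D and
        not (ext == ".exe" or ext == ".dll" or ext == ".sys")
}
'''

def file_extension(path):
    """Return the lower-cased extension including the dot, or "" if none."""
    return os.path.splitext(os.path.basename(path))[1].lower()

def iter_files(root):
    """Yield root itself if it is a file, else every file beneath it."""
    if os.path.isfile(root):
        yield root
        return
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            yield os.path.join(dirpath, name)

def scan(root):
    """Return (path, rule name) pairs for every match under root."""
    import yara  # yara-python; imported here so the helpers work without it
    # Externals need a default value at compile time so the rule type-checks.
    rules = yara.compile(source=RULE_SOURCE, externals={"ext": ""})
    hits = []
    for path in iter_files(root):
        try:
            # Override the external for this one file.
            matches = rules.match(path, externals={"ext": file_extension(path)})
        except yara.Error:
            continue  # unreadable or vanished file: skip it, keep scanning
        hits.extend((path, m.rule) for m in matches)
    return hits

if __name__ == "__main__":
    for path, rule in scan(sys.argv[1]):
        print(rule, path)
```

The extension comes from the path the scanner was given, so a renamed or extracted copy of the same file can produce a different result, which is the filesystem-property caveat raised in the thread.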
