It makes sense. Probably the best approach is adding a command line option for running YARA in non-strict mode. In that case undefined variables will have a *undefined* value, which is not false nor true. The result for any operation where one of the operands is undefined is undefined too, except for OR operations where undefined values are treated as false.
On Tuesday, February 21, 2017 at 2:44:23 PM UTC+1, John W. Davison wrote: > > Would it make sense to have undefined external variables default to > "empty" values and maybe a warning emitted instead of failure? Or maybe an > option to change that behavior? Or default to False for conditions that > use undefined external variables. > > The way it works now, any time an external variable is used in a rule it > requires that you define it or the rules fails to compile. > > For example, say I have an external variable named "downloaded_from" that > contains a url that was used to download a file. I have a yara rule where > I would like to use that variable in a condition to match. > > But then when I use my same rules to scan another file when I don't have > that information and I don't need it, compilation fails unless I exclude > that specific rule or I define the external variable to empty, when I > already expect the rule to not match since I did not define the value. > This forces me to have to know ahead of time what all my external variables > are and to set them to something even if I'm not using them. > > My recommendation would be that if a condition uses an external variable > that is not defined, it should evaluate to False. And if that change were > to break existing behavior, maybe a new command line option (and libyara > setting for python users) that would allow that type of behavior. > > Thoughts? > > -- > John W. Davison > [email protected] > -- You received this message because you are subscribed to the Google Groups "YARA" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
