Re: Yara not scanning all file content

2023-08-24 Thread Fernando Mercês
You're welcome. That was a good discussion. Thanks for that too. On Thu, Aug 24, 2023 at 3:28 AM neslihan hanecioglu < neslihanecio...@gmail.com> wrote: > Hello, > > Thank you very much for taking your time and for your help Sir. > > Sincerely. > > On Thursday, 24 August 2023, at

Re: Yara not scanning all file content

2023-08-23 Thread Fernando Mercês
Hello! I don't think it is possible to control how much of the file libyara *reads*. You could try fast matching mode, but I believe libyara would still load the whole file to memory before starting matching your rules regardless of how these rules are written. I believe nothing can be faster

Re: Yara not scanning all file content

2023-08-22 Thread Fernando Mercês
Hello, have a look at the -z switch in yara command manual (*man yara* or here ). If you want to do this programmatically, you can just read the first 200KB of the file before passing it to libyara. ;) Best, On Tue, Aug 22, 2023 at 9:34 
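The two replies above make one practical point: libyara matches against whatever buffer it is handed, so bounding how much of a file is inspected means reading the prefix yourself and passing only that to the matcher (the CLI's -z, --skip-larger, skips files above a size threshold rather than truncating them). The following is an added example, not code from the thread or from the YARA project, showing that approach with yara-python. The 200 KB limit is the figure from the thread; the rule, the marker string and the sample files are constructed for the demonstration.

```python
"""Bound how much of a file YARA inspects by scanning only a prefix.

libyara matches against whatever buffer it is given, so the way to scan just
the first 200 KB of a file is to read that prefix yourself and hand it to
rules.match(data=...).  yara-python (pip install yara-python) is needed only
for the matching step; the prefix helpers below are plain Python.
"""
import os
import tempfile

try:
    import yara  # yara-python
except ImportError:
    yara = None

PREFIX_LIMIT = 200 * 1024  # 200 KiB, the figure used in the thread
MARKER = b"EXAMPLE_MARKER_STRING"  # constructed marker for the demo files

# Demo rule (constructed for this example, not from the original thread).
RULE_SOURCE = r"""
rule marker_present
{
    strings:
        $m = "EXAMPLE_MARKER_STRING"
    condition:
        $m
}
"""


def read_prefix(path, limit=PREFIX_LIMIT):
    """Return at most `limit` bytes from the start of the file at `path`."""
    with open(path, "rb") as fh:
        return fh.read(limit)


def scan_prefix(path, rules, limit=PREFIX_LIMIT):
    """Match compiled `rules` against the first `limit` bytes of `path`.

    Returns the list of matching rule names.  Only data inside the prefix is
    visible to the rules; a string that starts before the cut but ends after
    it is not found.
    """
    if yara is None:
        raise RuntimeError("yara-python is not installed")
    return [m.rule for m in rules.match(data=read_prefix(path, limit))]


def write_sample(directory, name, marker_offset):
    """Write a constructed sample: zero padding, MARKER at marker_offset, more padding."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(b"\x00" * marker_offset)
        fh.write(MARKER)
        fh.write(b"\x00" * 4096)
    return path


def prefix_contains_marker(marker_offset, limit=PREFIX_LIMIT):
    """True if MARKER written at `marker_offset` lies fully inside the first `limit` bytes.

    Pure-Python check of what scan_prefix() would and would not see.
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = write_sample(tmp, "sample.bin", marker_offset)
        return MARKER in read_prefix(path, limit)


def main():
    if yara is None:
        print("install yara-python to run the matching demo")
        return
    rules = yara.compile(source=RULE_SOURCE)
    with tempfile.TemporaryDirectory() as tmp:
        early = write_sample(tmp, "early.bin", 10 * 1024)          # marker inside the prefix
        late = write_sample(tmp, "late.bin", PREFIX_LIMIT + 1024)  # marker past the prefix
        for path in (early, late):
            whole = [m.rule for m in rules.match(filepath=path)]
            print(os.path.basename(path),
                  "prefix:", scan_prefix(path, rules),
                  "whole file:", whole)


if __name__ == "__main__":
    main()
```

Run it with yara-python installed and early.bin matches under both scans while late.bin matches only when the whole file is scanned. The caveat a practitioner should keep in mind is the cut itself: a string that straddles the 200 KB boundary is invisible to the prefix scan, so the limit should be chosen with the longest string in the rule set in mind, and any rule that relies on filesize or on offsets past the limit will behave differently from a full-file scan.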

Re: Yara for executable

2022-11-05 Thread Fernando Mercês
Hello. Do you mean Windows executables? If so, there's a PE module you should use. A sample rule is as follows:

    import "pe"

    rule exe
    {
        condition:
            pe.is_pe and not (pe.characteristics & pe.DLL) and pe.subsystem != pe.SUBSYSTEM_NATIVE
    }

The above rule matches executables

Re: Using YARA in .NET WinForms (C#)

2022-11-01 Thread Fernando Mercês
Hello! Apparently, there are a few wrappers for libyara in .NET. I've never used them, but if you search for "yara .net library", results include https://github.com/microsoft/libyara.NET and https://www.nuget.org/packages/dnYara Thanks, Fernando On Sun, Oct 9, 2022 at 10:33 AM Z_SnakeSilent

Re: Malware Detection using Fuzzy Yara Rules

2021-02-18 Thread Fernando Mercês
Hi Ryan, I found your message a bit confusing. You started talking about malware (samples), then you mentioned you created a web app to detect malicious URLs. And then you say you’re lost, but what exactly are you targeting? I don’t think Yara is that binary. Some thoughts: * The

Re: PE rule matches when run under yara-python but not in yara ??!

2020-07-07 Thread Fernando Mercês
. :( Att, Fernando Mercês <https://twitter.com/mer0x36> | menteb.in On Tue, Jul 7, 2020 at 5:37 PM Fernando Mercês wrote: > Hi, > > I couldn't reproduce it here. > > $ cat test_odd_pe_py_match.yara > import "pe" > > rule Odd_PE_Entry_Point > {

Re: PE rule matches when run under yara-python but not in yara ??!

2020-07-07 Thread Fernando Mercês
"copyright", "credits" or "license" for more information. >>> import yara >>> scan = yara.compile("./test_odd_pe_py_match.yara") >>> scan.match(filepath="154f5cbaafabba2133f8f4578c7e25f3d42d18ff7fc61fab005436d63a3cfee8"

Re: Yara error: includes depth exceeded

2020-03-02 Thread Fernando Mercês
.yar $ yara 1.yar 1.yar 16.yar(1): error: includes depth exceeded Hope that helps. [1] https://yara.readthedocs.io/en/latest/writingrules.html#including-files [2] https://github.com/VirusTotal/yara/blob/master/libyara/include/yara/limits.h#L107 Att, Fernando Mercês <https://twitter.com/mer0x

Re: Exact string match

2019-12-24 Thread Fernando Mercês
Hello. Check if it helps https://yara.readthedocs.io/en/latest/writingrules.html#searching-for-full-words ;-) Att, Fernando Mercês <https://twitter.com/mer0x36> | menteb.in On Tue, Dec 24, 2019 at 4:21 AM Nibin V M wrote: > Hello, > > Is it possible to write rules for exa

Re: I am very new to Yara and let me know which IDE is best for YARA rules

2019-07-22 Thread Fernando Mercês
://marketplace.visualstudio.com/items?itemName=infosec-intern.yara Att, Fernando Mercês <https://twitter.com/mer0x36> | menteb.in On Mon, Jul 22, 2019 at 6:35 AM safeer muhammed wrote: > I am very new to Yara and let me know which IDE is best for YARA rules > > -- > You received this m

Re: Yara Regex on matching any URL

2019-07-05 Thread Fernando Mercês
By the way, there is an open pull request to add a "URL module" to Yara: https://github.com/VirusTotal/yara/pull/1085 Not sure how it'll end up though. :) Att, Fernando Mercês <https://twitter.com/mer0x36> | menteb.in On Wed, Jul 3, 2019 at 12:42 PM John Davison wr

Re: creating yara rules in windows

2018-10-29 Thread Fernando Mercês
highlighting for .yar files.  Att, Fernando Mercês <https://twitter.com/mer0x36> | menteb.in On Thu, Oct 25, 2018 at 8:26 PM wrote: > > > just need a program to create signatures that works in windows > >> >> -- > You received this message because you are subscribed to

Re: Adding total number of occurrences of multiple strings

2018-09-20 Thread Fernando Mercês
Hi Raghvendra, #str1 + #str2 + #str3 > 20 should work, no? Hope that helps. Att, Fernando Mercês <https://twitter.com/mer0x36> | menteb.in On Thu, Sep 20, 2018 at 3:48 PM raghvendra mishra wrote: > Hi, > I am trying to do a heuristic based detection of malware samples using

Re: error: syntax error, unexpected '=', expecting _STRING_IDENTIFIER_

2018-03-18 Thread Fernando Mercês
Yes. And you'd have to escape the dollar signs too. Or you could just use single quotes around the whole thing: echo 'rule a { strings: $h = "arnav" condition: $h }' > a Att, @MercesFernando mentebinaria.com.br --- On Sun, Mar 18, 2018

Re: Emrging YARA with AV

2017-11-03 Thread Fernando Mercês
Hi Ahmed, Yara is not supposed to replace AV. You may want to have a look at this project: https://github.com/godaddy/procfilter Att, @MercesFernando mentebinaria.com.br --- On Thu, Nov 2, 2017 at 1:20 PM, Ahmed Neil

Re: Rule Name question

2016-04-29 Thread Fernando Mercês
$b } You may want to set your "a" rule as private too: https://yara.readthedocs.io/en/v3.4.0/writingrules.html#private-rules Thanks. Att, Fernando Mercês mentebinaria.com.br <http://www.mentebinaria.com.br> --- On Thu, Apr 28, 2016 at 8:04 AM, Jim Kell

Re: line number

2016-04-21 Thread Fernando Mercês
Hi Cody, Are you using Yara to match rules on text files? Att, Fernando Mercês mentebinaria.com.br <http://www.mentebinaria.com.br> --- On Sat, Feb 20, 2016 at 5:59 PM, Cody West <codythet...@gmail.com> wrote: > Sorry if this has already been asked