I'm still getting the unexpected match under python, after updating to
python 3.8.4 and reinstalling yara-python 4.0.2
For what it's worth
On Wednesday, July 8, 2020 at 10:48:32 AM UTC-4, Wes Hurd wrote:
>
> I think there's some confusion on versions.
> As I mentioned in my orig
>> possibly incorrect. I think the bug is that it DOES match under yara-python
>> when it should not. It not matching when running yara from the command line
>> is the correct behavior (I think).
>>
>> -- WXS
>>
>> On Jul 7, 2020, at 2:10 PM, Wes Hurd <
Hi again,
I'm wondering if there is a way to match Base64 strings only when they are
'fullword', standalone.
For example:
rule base64_Example
{
    strings:
        $s = "setsockopt" base64 base64wide // c2V0c29ja29wdA==
    condition:
        $s
}
This rule will match anything containing the string
Hi,
This is running with the following versions on macOS 10.14.6:
*yara 4.0.2 homebrew*
*yara-python 4.0.2 (pip)*
*Python 3.7.7*
I'm having a really weird case where a rule using pe module is unexpectedly
matching certain files when run under yara-python, but not matching if
running the
ith UNDEFINED values result in false.
>
> It's arguable that this is the right change (and to be honest, I don't
> remember why it was changed) but one thing you can do is prefix your
> condition with "pe.is_pe and ..."
>
> -- WXS
>
> On Jul 1, 2020, at 2:34 P
Hi,
Wanted to post here before raising an issue on github project:
*To reproduce:*
import "pe"
rule pe_on_nonpe
{
    condition:
        not pe.sections[pe.section_index(pe.entry_point)].name contains ".text"
}
Run on non-PE file (e.g. Excel document zip)
yara pe_on_nonpe.yara excel_doc.xlsx
The