Where should I post a request to have the ability added to automatically pass the filename, or preferably the file extension, of the file being examined into the rule?
K

On Sunday, November 1, 2015 at 3:39:05 PM UTC-5, Wesley Shields wrote:
> It isn't available in YARA. You can have a script which passes it in as an
> external variable for each file scanned, but it is less than optimal.
>
> -- WXS
>
> On Sunday, November 1, 2015, <[email protected]> wrote:
>
>> That is the problem I need the extension of the file in question and not
>> just the magic bytes. So far I can find a way to obtain it to insert it
>> into the rule I need to create.
>>
>> K
>>
>> On Sunday, November 1, 2015 at 2:52:45 PM UTC-5, Wesley Shields wrote:
>>
>>> It is generally not a good idea to do that, file names are a property of
>>> the filesystem and not of the file. If you really must you could use an
>>> external variable and pass it in. There is documentation on how to do that.
>>>
>>> You can use the magic module or write your own magic identifiers in your
>>> rules to identify file types.
>>>
>>> -- WXS
>>>
>>> > On Nov 1, 2015, at 2:36 PM, [email protected] wrote:
>>> >
>>> > Can anyone tell me if there is an operator or some other way to create
>>> > a Yara rule that will allow me to check a file's extension i.e. .doc,
>>> > .exe? I am unable to find something like this in the documentation.
>>> >
>>> > Thanks
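The workaround mentioned in the thread, a script that passes the extension in as an external variable for each file scanned, as an added example that is not part of the original messages. It uses yara-python; the rule, the `ext` and `filename` variable names and the helper functions are assumptions chosen for illustration.

```python
import os

# Constructed rule: the name claims a Word document, but the first two bytes
# are the "MZ" executable header. `ext` is an external variable, not a built-in.
RULE_SOURCE = r'''
rule claims_doc_but_is_mz
{
    condition:
        (ext == "doc" or ext == "docx") and uint16(0) == 0x5A4D
}
'''

def externals_for(path):
    """Per-file externals: lower-cased extension (no dot) and the base name.

    YARA string comparison with == is case-sensitive, so the extension is
    normalised here rather than in the rule.
    """
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    return {"ext": ext, "filename": name}

def scan_tree(root):
    """Scan every file under root, overriding the externals for each file."""
    import yara  # yara-python; imported here so externals_for() works without it
    # Externals must be declared at compile time; these values are only defaults.
    rules = yara.compile(source=RULE_SOURCE,
                         externals={"ext": "", "filename": ""})
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                matches = rules.match(path, externals=externals_for(path))
            except yara.Error:
                continue  # unreadable or vanished file: skip it
            hits.extend((path, m.rule) for m in matches)
    return hits

if __name__ == "__main__":
    import sys
    for path, rule in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{rule}\t{path}")
```

Because the extension comes from the filesystem and is trivially renamed, the rule pairs it with a content check instead of relying on the name alone.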
