Maybe the distro could "ship" with a python script that wraps it all and does these kinds of things automatically. At least we'd have something to point people to.
On Sun, Nov 1, 2015 at 5:49 PM, Wesley Shields <[email protected]> wrote:

> It has been raised as a GitHub issue in the past. My personal opinion is
> it doesn't belong in YARA, but obviously I have no say in that.
>
> -- WXS
>
> On Sunday, November 1, 2015, <[email protected]> wrote:
>
>> Where should I post a request to have the ability added to automatically
>> pass the filename or preferably the file extension of the file being
>> examined into the rule?
>>
>> K
>>
>> On Sunday, November 1, 2015 at 3:39:05 PM UTC-5, Wesley Shields wrote:
>>
>>> It isn't available in YARA. You can have a script which passes it in as
>>> an external variable for each file scanned, but it is less than optimal.
>>>
>>> -- WXS
>>>
>>> On Sunday, November 1, 2015, <[email protected]> wrote:
>>>
>>>> That is the problem I need the extension of the file in question and
>>>> not just the magic bytes. So far I can find a way to obtain it to insert
>>>> it into the rule I need to create.
>>>>
>>>> K
>>>>
>>>> On Sunday, November 1, 2015 at 2:52:45 PM UTC-5, Wesley Shields wrote:
>>>>
>>>>> It is generally not a good idea to do that, file names are a property
>>>>> of the filesystem and not of the file. If you really must you could use an
>>>>> external variable and pass it in. There is documentation on how to do
>>>>> that.
>>>>>
>>>>> You can use the magic module or write your own magic identifiers in
>>>>> your rules to identify file types.
>>>>>
>>>>> -- WXS
>>>>>
>>>>> > On Nov 1, 2015, at 2:36 PM, [email protected] wrote:
>>>>> >
>>>>> > Can anyone tell me if there is an operator or some other way to
>>>>> > create a Yara rule that will allow me to check a file's extension i.e.
>>>>> > .doc, .exe? I am unable to find something like this in the documentation.
>>>>> >
>>>>> > Thanks
>>>>> >
>>>>> > --
>>>>> > You received this message because you are subscribed to the Google
>>>>> > Groups "YARA" group.
>>>>> > To unsubscribe from this group and stop receiving emails from it,
>>>>> > send an email to [email protected].
>>>>> > For more options, visit https://groups.google.com/d/optout.

--
John W. Davison
[email protected]
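
The wrapper idea discussed in this thread (a script that passes the file name in as an external variable for each file scanned), as an added example that is not part of the thread or of the YARA distribution. It assumes yara-python is installed; the rule, the external variable names `filename` and `extension`, and the helper names are made up for the illustration.

```python
import os
import sys

# Constructed rule: a PE header ("MZ") inside a file named like a document.
# The magic bytes come from the content, the extension from the wrapper.
RULE = r'''
rule pe_with_document_extension
{
    condition:
        uint16(0) == 0x5A4D and
        (extension == "doc" or extension == "pdf" or extension == "jpg")
}
'''

def file_extension(path):
    """Lower-cased final extension without the dot, '' when there is none."""
    stem, dot, ext = os.path.basename(path).rpartition(".")
    # "README" has no dot and ".bashrc" is a hidden file, not an extension.
    if not dot or not stem:
        return ""
    return ext.lower()

def externals_for(path):
    """External variables handed to YARA for one file."""
    return {"filename": os.path.basename(path),
            "extension": file_extension(path)}

def scan_tree(root):
    """Yield (path, [rule names]) for every file under root that matches."""
    import yara  # yara-python; imported here so the helpers work without it
    # Externals must exist at compile time; the placeholders fix their types.
    rules = yara.compile(source=RULE,
                         externals={"filename": "", "extension": ""})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                matches = rules.match(path, externals=externals_for(path))
            except yara.Error:
                continue  # unreadable or unscannable file
            if matches:
                yield path, [m.rule for m in matches]

if __name__ == "__main__":
    for hit, names in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit, ",".join(names))
```

Because the name is a property of the filesystem and not of the file, the rule treats the extension only as context alongside the magic bytes; renaming the file changes the result.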
