I guess you are trying to match a rule within another rule, right? If so,
you just need to use its name under "condition":
rule rule_a
{
    strings:
        $a = "a"
    condition:
        $a
}

rule rule_ab
{
    strings:
        $b = "b"
    condition:
        rule_a and $b
}
You may want to set your "a" rule as private too:
https://yara.readthedocs.io/en/v3.4.0/writingrules.html#private-rules
Thanks.
Att,
Fernando Mercês
mentebinaria.com.br <http://www.mentebinaria.com.br>
---------------------------
On Thu, Apr 28, 2016 at 8:04 AM, Jim Kelly <[email protected]>
wrote:
> I have a rule that starts with:
>
> rule Accept: This function is used to listen for incoming connections.
> This function indicates that the program will listen for incoming
> connections on a socket. It is mostly used by malware to communicate with
> their Command and Communication server.
> {
>     strings:
>         $a = "Accept"
>     condition:
>         any of them
> }
>
> Please refer to the line that starts with "rule".
> Can I use the line above, or do I have to do:
>
> rule Accept
>
> /*
> This function is used to listen for incoming connections. This function
> indicates that the program will listen for incoming connections on a
> socket. It is mostly used by malware to communicate with their Command and
> Communication server.
>
> */
> {
>     strings:
>         $a = "Accept"
>     condition:
>         any of them
> }
>
> I was hoping I could get yara to report out the entire line with
> explanation when it hit a match.
>
> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
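Added example, not part of the original thread or of the YARA project's own material: the private helper rule suggested in the reply, referenced from a second rule that carries the explanation from the question in a meta section. The rule names and the "listen" string are constructed for illustration; running the yara command-line tool with -m prints a matching rule's metadata next to its name.

```yara
// Added example. Rule names and the "listen" string are constructed;
// the "Accept" string and the description text come from the thread.

// Helper rule. "private" means it is still evaluated and can be referenced
// by other rules, but it is never reported as a match on its own.
// It must be defined before any rule that references it.
private rule uses_accept
{
    strings:
        $a = "Accept"
    condition:
        $a
}

// Reported rule. The explanation lives in "meta", which does not affect
// matching and is shown in the output when yara is run with -m.
rule listens_for_connections
{
    meta:
        description = "This function is used to listen for incoming connections."
        note = "Mostly used by malware to communicate with its Command and Communication server."
    strings:
        $b = "listen"
    condition:
        // Reference the helper rule by name, as in the reply above.
        uses_accept and $b
}
```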