Hi Thomas,
No, unfortunately that can't be done in YARA, not even within the same
regular expression. The regexp /([0-9]{3})_\1/ for detecting strings like
123_123, 435_435 is not accepted in YARA because the expression engine
doesn't support backreferences. Why? The short answer is because it's slow.
A longer explanation can be found in
http://stackoverflow.com/questions/4076687/regular-expressions-with-on-and-backreferences-support

On Thu, Jun 2, 2016 at 3:45 PM, 'Thomas Reed' via YARA <[email protected]> wrote:
> Is it possible in Yara to write a rule that has pattern matching based on
> a portion of a previous match?
>
> For example, let's say I have a regular expression: /abc([0-9]*)xyz/
>
> Then, I also want another regular expression like this, where \1 is the
> exact text matched within the parens in the first expression: /blah\1/
>
> The rule should only evaluate to true if the first expression is found AND
> the second expression is found containing the indicated subset from the
> first expression. It can be assumed that they are in order... in other
> words, the text matching the first expression will come before the text
> matching the second expression in the file.
>
> Can Yara do this, and if so, how?
>
> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
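
Added example, not part of the original thread: because the correlation cannot be written as a YARA rule, one option is to do it in a post-processing step outside YARA. The Python below uses the standard `re` module, which does support backreferences, on the patterns quoted in the thread; the function names and sample buffers are constructed for illustration.

```python
import re

# Patterns taken from the thread. Python's re engine supports backreferences;
# YARA's does not, so this correlation runs outside the rule.
FIRST = re.compile(rb"abc([0-9]*)xyz")        # first expression from the question
SECOND_PREFIX = b"blah"                       # literal part of /blah\1/
TRIPLET = re.compile(rb"([0-9]{3})_\1")       # single-regex case from the reply


def correlated_matches(data: bytes):
    """Find every FIRST match whose captured digits reappear later as
    SECOND_PREFIX + digits. Returns (first_offset, second_offset, digits)."""
    hits = []
    for m in FIRST.finditer(data):
        digits = m.group(1)
        # [0-9]* may capture nothing; /blah\1/ then degrades to plain "blah",
        # which is what a backreference to an empty group would match too.
        needle = SECOND_PREFIX + digits
        # Search only after the first match: the question states the order.
        pos = data.find(needle, m.end())
        if pos != -1:
            hits.append((m.start(), pos, digits))
    return hits


def repeated_triplets(data: bytes):
    """Offsets of strings such as 123_123 (same three digits on both sides)."""
    return [m.start() for m in TRIPLET.finditer(data)]


# Constructed sample buffers, not taken from any real file.
SAMPLE_MATCH = b"hdr abc1234xyz mid blah1234 end"
SAMPLE_WRONG_ID = b"hdr abc1234xyz mid blah9999 end"
SAMPLE_WRONG_ORDER = b"blah1234 mid abc1234xyz end"

if __name__ == "__main__":
    for name, buf in [("match", SAMPLE_MATCH), ("wrong id", SAMPLE_WRONG_ID),
                      ("wrong order", SAMPLE_WRONG_ORDER)]:
        print(name, correlated_matches(buf))
    print(repeated_triplets(b"123_123 435_435 123_124"))
```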