Well, that's disappointing. I could still use Yara to write a detection for 
these files (though one that might be a little more prone to false 
positives) if I can write a regular expression that - unlike with grep - 
will cross newlines. Is it a safe assumption that that is possible with 
Yara?

On Thursday, June 2, 2016 at 4:27:51 PM UTC-4, Víctor Manuel Álvarez García 
wrote:
>
> Hi Thomas,
>
> No, unfortunately that can't be done in YARA, not even within the same 
> regular expression. The regexp /([0-9]{3})_\1/ for detecting strings like 
> 123_123, 435_435 is not accepted in YARA because the expression engine 
> doesn't support backreferences. Why? The short answer is because it's slow. 
> A longer explanation can be found in 
> http://stackoverflow.com/questions/4076687/regular-expressions-with-on-and-backreferences-support
>
>
> On Thu, Jun 2, 2016 at 3:45 PM, 'Thomas Reed' via YARA <[email protected]> wrote:
>
>> Is it possible in Yara to write a rule that has pattern matching based on 
>> a portion of a previous match?
>>
>> For example, let's say I have a regular expression: /abc([0-9]*)xyz/
>>
>> Then, I also want another regular expression like this, where \1 is the 
>> exact text matched within the parens in the first expression: /blah\1/
>>
>> The rule should only evaluate to true if the first expression is found 
>> AND the second expression is found containing the indicated subset from the 
>> first expression. It can be assumed that they are in order... in other 
>> words, the text matching the first expression will come before the text 
>> matching the second expression in the file.
>>
>> Can Yara do this, and if so, how?
>>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.
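
Added example, not part of the original thread: since YARA's regex engine has no backreferences, one way to get the correlation asked about is to let a looser YARA rule flag candidate files and then check the captured value in a post-processing step. The Python sketch below does that second step with the two patterns from the question; the function names and the sample byte strings are constructed for illustration.

```python
import re

# First pattern from the thread; group 1 is the text the second pattern
# must repeat. Bytes patterns are used because scanned files are binary.
FIRST = re.compile(rb"abc([0-9]*)xyz")
SECOND_PREFIX = b"blah"


def correlated_matches(data: bytes, require_digits: bool = True):
    """Return (first_offset, second_offset, captured) for every match of
    /abc([0-9]*)xyz/ that is followed later in data by 'blah' + captured."""
    hits = []
    for m in FIRST.finditer(data):
        captured = m.group(1)
        # [0-9]* also matches the empty string; the second pattern would
        # then be plain "blah", which is a false-positive magnet.
        if require_digits and not captured:
            continue
        # bytes.find is a literal search, so newlines between the two
        # matches do not matter. Starting at m.end() enforces the order
        # stated in the question (first match before second match).
        pos = data.find(SECOND_PREFIX + captured, m.end())
        if pos != -1:
            hits.append((m.start(), pos, captured))
    return hits


def is_detected(data: bytes) -> bool:
    """True when at least one correlated pair exists in data."""
    return bool(correlated_matches(data))


# Constructed sample inputs (not taken from any real file).
SAMPLE_HIT = b"header\nabc4512xyz\nfiller line\nblah4512\n"
SAMPLE_WRONG_ORDER = b"blah77\nabc77xyz\n"
SAMPLE_WRONG_VALUE = b"abc123xyz\nblah999\n"
SAMPLE_EMPTY_CAPTURE = b"abcxyz\nblah\n"

if __name__ == "__main__":
    for name, blob in [("hit", SAMPLE_HIT), ("order", SAMPLE_WRONG_ORDER),
                       ("value", SAMPLE_WRONG_VALUE),
                       ("empty", SAMPLE_EMPTY_CAPTURE)]:
        print(name, correlated_matches(blob))
```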
