Would it make sense to have undefined external variables default to "empty" values and maybe a warning emitted instead of failure? Or maybe an option to change that behavior? Or default to False for conditions that use undefined external variables?
The way it works now, any time an external variable is used in a rule it requires that you define it or the rule fails to compile. For example, say I have an external variable named "downloaded_from" that contains a URL that was used to download a file. I have a YARA rule where I would like to use that variable in a condition to match. But then when I use my same rules to scan another file when I don't have that information and I don't need it, compilation fails unless I exclude that specific rule or I define the external variable to empty, when I already expect the rule to not match since I did not define the value. This forces me to have to know ahead of time what all my external variables are and to set them to something even if I'm not using them.

My recommendation would be that if a condition uses an external variable that is not defined, it should evaluate to False. And if that change were to break existing behavior, maybe a new command line option (and libyara setting for Python users) that would allow that type of behavior.

Thoughts?

-- John W. Davison [email protected]
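The workaround the post describes (defining every external to an empty value up front), as an added example that is not part of the original message or of the YARA project. It assumes yara-python; the registry `EXTERNAL_TYPES`, the extra variable names, the rule and the host name are constructed for illustration.

```python
"""Typed empty defaults for YARA external variables (added example)."""

# Hypothetical registry: every external any rule in the set may reference.
# "downloaded_from" is the variable from the post; the others are constructed.
EXTERNAL_TYPES = {"downloaded_from": str, "file_size_hint": int, "from_email": bool}

# Constructed sample rule using the post's variable.
RULE_SOURCE = '''
rule downloaded_from_example_host
{
    condition:
        downloaded_from contains "downloads.example.test"
}
'''


def empty_defaults(types=EXTERNAL_TYPES):
    """Return the 'empty' value for each declared external: "", 0, False."""
    return {name: typ() for name, typ in types.items()}


def scan_externals(known=None, types=EXTERNAL_TYPES):
    """Validate the values known for one scan; undeclared names or wrong types raise."""
    checked = {}
    for name, value in (known or {}).items():
        if name not in types:
            raise KeyError(f"undeclared external variable: {name}")
        # bool is a subclass of int in Python, so compare exact types.
        if type(value) is not types[name]:
            raise TypeError(f"{name} must be {types[name].__name__}")
        checked[name] = value
    return checked


def scan(data, known=None):
    """Compile with empty defaults, then override per scan with known values."""
    import yara  # yara-python; imported here so the helpers work without it
    rules = yara.compile(source=RULE_SOURCE, externals=empty_defaults())
    return [m.rule for m in rules.match(data=data, externals=scan_externals(known))]
```

An empty default only makes positive tests such as `contains` false; a condition that negates the test evaluates to true under the default, so this is not equivalent to the "evaluate to False" behavior requested in the post.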
