Hi,
You define an external variable using the -d option when calling Yara on
the command line and can use this variable name in the Yara ruleset file
you pass as argument to the yara program. For example:
$ cat rule.yar
rule rule_example {
    condition:
        foo contains "bar"
}
$ yara -d foo="bar" rule.yar /bin/ls
rule_example /bin/ls
In the example above, I've written a rule that checks the variable "foo"
that doesn't exist yet, but when I call the yara program passing my rule, I can
define it with the -d option. See more on
https://yara.readthedocs.io/en/v3.6.0/writingrules.html#external-variables
I've never needed that, but I can think of a scenario where metadata from
files that are stored in the filesystem is needed within the rules. Take
the Linux ext4 "change" date of a file as an example. You couldn't use Yara
to check this, as this information is not in the file but in the inode
instead. So with external variables you could do something like this:
$ cat rule.yar
rule rule_example {
    condition:
        change_date contains "2017"
}
$ for i in *; do
> yara -d change_date="$(stat "$i" | grep -F Change:)" rule.yar "$i"
> done
There is no error handling in the code above. It's just an example.
It'd be nice to know how other Yara users are using external variables.
Att,
@MercesFernando
mentebinaria.com.br <http://www.mentebinaria.com.br>
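An added, more complete version of the inode-metadata idea from the message above (this is example code written for this page, not Fernando's script and not part of the YARA project). It passes the ctime as an integer external so the rule can do a numeric range check instead of a substring match on the human-readable stat line, and adds a string external for the extension. Assumptions: the yara CLI is in PATH, the variable names change_epoch and file_ext are my own choice, and `stat -c %Z` is the GNU coreutils form (the BSD/macOS `stat -f %c` is tried as a fallback).

```shell
#!/bin/sh
# Added example, not from the original message or the YARA project.
# Feeds inode metadata into YARA external variables instead of grepping the
# human-readable `stat` output. Assumptions: the yara CLI is in PATH, the
# variable names change_epoch/file_ext are my own, and `stat -c %Z` is the GNU
# coreutils form (the BSD/macOS form `stat -f %c` is used as a fallback).

RULE_FILE="${RULE_FILE:-/tmp/changed_in_2017.yar}"

# The yara CLI infers the type of a -d value: an all-digit value becomes an
# integer external, "true"/"false" a boolean, anything else a string. The rule
# below therefore compares change_epoch as a number and file_ext as a string.
write_rule() {
    cat > "$RULE_FILE" <<'EOF'
rule changed_in_2017_shell_script
{
    condition:
        // 2017-01-01T00:00:00Z <= ctime < 2018-01-01T00:00:00Z
        change_epoch >= 1483228800 and change_epoch < 1514764800
        and file_ext == "sh"
}
EOF
}

# Inode change time (ctime) as a Unix timestamp. GNU stat first, BSD fallback.
ctime_epoch() {
    stat -c %Z "$1" 2>/dev/null || stat -f %c "$1"
}

# File extension of a path, or "none" when there is no dot in the basename.
# Caveat: because of the type inference above, a string external whose value
# happens to be all digits (e.g. a file named "2017") would be defined as an
# integer and the rule would fail to compile; extensions are rarely numeric,
# and the placeholder keeps the value a non-empty string.
file_ext() {
    name=${1##*/}
    case $name in
        *.*) printf '%s\n' "${name##*.}" ;;
        *)   printf 'none\n' ;;
    esac
}

# Scan one file with externals derived from its own inode. Output is the usual
# "<rule> <path>" line from yara; the exit status is yara's.
scan_file() {
    path=$1
    yara -d "change_epoch=$(ctime_epoch "$path")" \
         -d "file_ext=$(file_ext "$path")" \
         "$RULE_FILE" "$path"
}

# Usage: sh scan_changed_2017.sh /some/dir
main() {
    write_rule
    if ! command -v yara >/dev/null 2>&1; then
        echo "yara not found in PATH" >&2
        return 1
    fi
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        scan_file "$f"
    done
}

if [ -n "${1:-}" ]; then
    main "$1"
fi
```

The thing to watch when doing this for real is the type inference on -d values: a rule that expects a string external will fail to compile for the one file whose value happens to look like an integer, so either sanitize the value or pick externals (like the epoch above) whose type cannot vary from file to file. Run it as `sh scan_changed_2017.sh /some/dir`; the helpers `ctime_epoch` and `file_ext` do not need yara, only `scan_file` and `main` do.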
---------------------------
On Wed, Oct 11, 2017 at 7:52 AM, 季晴川 <[email protected]> wrote:
> I am a newbie, how is the -d param used?
>
> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>