No, unfortunately there's no way to solve that, except porting the rules. On Wed, Oct 11, 2017 at 7:01 PM, Igor Polevoy <[email protected]> wrote:
> Hi Victor > Yes, I know that YARA does not support back reference, but we still have > the old rules that we will need to port somehow. > So my question is, since it looks currently as a long effort to do the > manual conversion, > is there a possibility to use another module to process the back reference > rules in the meantime? Is such a thing supported? > > thank you > Igor > > On Wednesday, 11 October 2017 09:32:50 UTC-7, Víctor Manuel Álvarez García > wrote: >> >> Hi Igor, >> >> Back references are not supported anymore as YARA now uses its own regexp >> engine and not PCRE. YARA's regexp engine is more similar to RE2, which >> doesn't implement back references neither. For a more detailed explanation >> of why back references are not supported by RE2 nor YARA read this: >> https://swtch.com/~rsc/regexp/regexp1.html >> >> Regards, >> Víctor >> >> On Tue, Oct 10, 2017 at 11:27 PM, Igor Polevoy <[email protected]> >> wrote: >> >>> Hi, >>> what would you recommend to convert the old rules that contain back >>> references to the ones that will work with YARA 3.x? >>> It looks like quite a lot of work to do the conversion for even >>> something simple as the following that tries to match repetition of the >>> character... >>> >>> *strings:* >>> * s=([a-zA-z])\1{2,6}* >>> >>> Is it possible to feed the specific rules to eg PCRE? >>> >>> Thx >>> Igor >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "YARA" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> For more options, visit https://groups.google.com/d/optout. >>> >> >> -- > You received this message because you are subscribed to the Google Groups > "YARA" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "YARA" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
