The yara command line tool does not support this feature. Using the -s
option will give you the position of each match (in hex), which you could
use to go back and figure out what part of the file to extract to display.
However, what you're trying to achieve can be much more easily accomplished
using the standard GNU grep tool. Yara is a binary scanning tool. It has
no understanding of "lines", but grep does.

On Sat, Nov 25, 2017 at 10:10 AM, mikael vingaard <mikaelvinga...@gmail.com>
wrote:

> Hello group, I have a question that neither Google nor reading the docs can
> help me with;
>
> I would like to use Yara to search through a log file - e.g.
> (the content of the file) aka. cat testfile.txt
>
> #Time,IP,Command
> 20170909,1.2.2.2,special_command
>
> My yara rule will search for "special_command" (as a normal ascii_string)
> - my test output with the -s option would be something like:
>
> 0x6a3:$ascii_string: special_command
>
> However, I would like to "see" the 'whole' matching log line (aka
> 20170909,1.2.2.2,special_command), something like:
> 0x6a3:$ascii_string:20170909,1.2.2.2,special_command
>
> Would this be possible with YARA? (Currently I am using standard regex,
> but for performance reasons I would much like to use YARA, if possible.)
> NB: there can be 100's of matches in the same logfile.
>
> Many thanks for any hints/assistance in this matter, Mikael
>
> --
> You received this message because you are subscribed to the Google Groups
> "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to yara-project+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>



-- 
John W. Davison
unixfreak0...@gmail.com
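The reply above says that the hex offsets `yara -s` prints could be used "to go back and figure out what part of the file to extract". The script below, an added example that is not from the thread or from the YARA project, does exactly that: it parses `yara -s` output lines of the form `0x<offset>:$<identifier>: <data>`, looks up the byte offset in the scanned file, and prints the whole line containing the match in the `0x6a3:$ascii_string:<log line>` shape the question asked for. The sample log is constructed (the two lines from the question plus two more), and `fake_yara_s()` is a stand-in for `yara -s` so the example runs offline; the rule and file names in the usage comment are placeholders.

```python
#!/usr/bin/env python3
"""Map `yara -s` match offsets back to the whole log line they fall in.

Added example, not from the original thread.  Real pipeline (rule file,
string identifier and log file name are placeholders):

    yara -s rule.yar testfile.txt | python3 yara_lines.py testfile.txt

With no file argument, main() runs a constructed sample log through a
stand-in for yara's output instead, so the script works offline.
"""
import re
import sys

# yara -s prints one line per string match:  0x<offset>:$<identifier>: <data>
MATCH_RE = re.compile(r"^0x([0-9A-Fa-f]+):(\$\w+):\s?(.*)$")


def parse_match(line):
    """Return (offset, identifier, data) for one `yara -s` match line, or None."""
    m = MATCH_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return int(m.group(1), 16), m.group(2), m.group(3)


def line_at_offset(data, offset):
    """Return the line of `data` (bytes) containing byte `offset`, newline stripped.

    yara offsets are byte positions, so this works on bytes rather than decoded
    text: a multibyte character earlier in the file would otherwise shift
    every later offset.
    """
    if not 0 <= offset < len(data):
        raise ValueError("offset %#x outside file of %d bytes" % (offset, len(data)))
    start = data.rfind(b"\n", 0, offset) + 1        # rfind() gives -1 on line 1, so start == 0
    end = data.find(b"\n", offset)
    if end == -1:                                   # last line with no trailing newline
        end = len(data)
    return data[start:end]


def annotate(yara_output, data):
    """Turn each `yara -s` match line into '0x<offset>:$<id>:<whole log line>'."""
    out = []
    for line in yara_output.splitlines():
        parsed = parse_match(line)
        if parsed is None:                          # e.g. the "rulename filename" header line
            continue
        offset, ident, _data = parsed
        whole = line_at_offset(data, offset).decode("utf-8", "replace")
        out.append("0x%x:%s:%s" % (offset, ident, whole))
    return out


def fake_yara_s(data, needle, ident="$ascii_string"):
    """Stand-in for `yara -s` with a rule holding one ascii string (offline runs only)."""
    return "\n".join("0x%x:%s: %s" % (m.start(), ident, needle.decode())
                     for m in re.finditer(re.escape(needle), data))


# Constructed sample log: the two lines quoted in the question plus two more.
SAMPLE_LOG = (b"#Time,IP,Command\n"
              b"20170909,1.2.2.2,special_command\n"
              b"20170909,3.3.3.3,ls\n"
              b"20170910,1.2.2.2,special_command")


def main(argv):
    if len(argv) > 1:                               # real pipeline: file on argv, yara output on stdin
        with open(argv[1], "rb") as fh:
            data = fh.read()
        yara_output = sys.stdin.read()
    else:                                           # offline demo on the constructed log
        data = SAMPLE_LOG
        yara_output = fake_yara_s(data, b"special_command")
    for line in annotate(yara_output, data):
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

For the constructed log this prints `0x22:$ascii_string:20170909,1.2.2.2,special_command` and `0x57:$ascii_string:20170910,1.2.2.2,special_command`. As the reply notes, the line-oriented answer is simpler: `grep -n special_command testfile.txt` prints every matching line with its line number in one step, with no offset arithmetic at all.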

