Hi Raghvendra, #str1 + #str2 + #str3 > 20 should work, no?
Hope that helps.

Att,
Fernando Mercês <https://twitter.com/mer0x36> | menteb.in

On Thu, Sep 20, 2018 at 3:48 PM raghvendra mishra <[email protected]> wrote:
> Hi,
> I am trying to do a heuristic-based detection of malware samples using
> YARA and got stuck when I need to add up the total number of occurrences of a set
> of strings to detect the sample.
> For example, say I have a rule like this:
>
> rule Malware_Detection : file
> {
>     meta:
>         author = "Raghvendra"
>         version = "0.1"
>         description = "Detecting malwares using heuristics"
>     strings:
>         $str1 = "alice" nocase
>         $str2 = "bob" nocase
>         $str3 = "intruder" nocase
>     condition:
>         need to write
> }
>
> What I am trying to achieve is: if the total number of occurrences of any
> or a combination of the strings is greater than 20, then the YARA engine should
> trigger. So, in a sample $str1 could get matched 20 times, so YARA should
> trigger; in a sample $str1 (15 times) and $str2 (5 times) could get matched, so
> YARA should trigger, etc. The combination of string matches could be
> anything, but it should be equal to 20.
> Is there any way to implement it in YARA?
>
> Thanks,
> --Raghvendra
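The condition suggested in the reply, written out as a complete rule. This is an added example, not part of the original thread; the rule name and description are made up for illustration, and the `>=` threshold is an assumption taken from the question's "15 times and 5 times" case.

```yara
// Added example: fires when the combined number of matches of the three
// strings reaches the threshold, whatever the split between them.
rule Heuristic_Total_String_Count : file
{
    meta:
        description = "Sum of per-string match counts reaches a threshold"

    strings:
        $str1 = "alice" nocase
        $str2 = "bob" nocase
        $str3 = "intruder" nocase

    condition:
        // #name is the number of times $name matched in the scanned data.
        // 20+0+0, 15+5+0 and 7+7+6 all satisfy the sum below.
        // ">= 20" fires at exactly 20 total matches; "> 20" needs 21.
        #str1 + #str2 + #str3 >= 20
}
```

Short case-insensitive strings such as "bob" also match inside longer words, and those matches are included in the count; the `fullword` modifier restricts a string to whole-word matches if that is what the heuristic means.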
