Thanks Fernando, will check this. I haven't thought about it as I was playing with string operation expressions.
On Fri, 21 Sep 2018 at 06:07 Fernando Mercês <[email protected]> wrote:

> Hi Raghvendra,
>
> #str1 + #str2 + #str3 > 20 should work, no?
>
> Hope that helps.
>
> Att,
>
> Fernando Mercês <https://twitter.com/mer0x36> | menteb.in
>
> On Thu, Sep 20, 2018 at 3:48 PM raghvendra mishra <[email protected]> wrote:
>
>> Hi,
>> I am trying to do heuristic-based detection of malware samples using YARA and got stuck when I need to add up the total number of occurrences of a set of strings to detect the sample.
>> For example, say I have a rule like this:
>>
>> rule Malware_Detection : file
>> {
>>     meta:
>>         author = "Raghvendra"
>>         version = "0.1"
>>         description = "Detecting malwares using heuristics"
>>     strings:
>>         $str1 = "alice" nocase
>>         $str2 = "bob" nocase
>>         $str3 = "intruder" nocase
>>     condition:
>>         need to write
>> }
>>
>> What I am trying to achieve is: if the total number of occurrences of any one or combination of the strings is greater than 20, then the YARA engine should trigger. So, in a sample $str1 could match 20 times, so YARA should trigger; in a sample $str1 (15 times) and $str2 (5 times) could match, so YARA should trigger, etc. The combination of string matches could be anything but it should be equal to 20.
>> Is there any way to implement it in YARA?
>>
>> Thanks,
>> --Raghvendra
>>
>> --
>> You received this message because you are subscribed to the Google Groups "YARA" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
--
Thanks,
--Raghvendra Mishra
Senior Threat Researcher
DV Labs@Trend Micro, Bengaluru
Contact Number: +91-8867404241
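For readers landing on this thread, here is the poster's rule completed with the summed-count condition Fernando suggested. This is an added example written for this page, not code from either participant; the strings and metadata are the ones quoted above, and the second rule goes a step beyond the question by also requiring that at least two distinct strings contribute, which is a common way to keep a single frequently repeated benign word from reaching the threshold on its own.

```yara
// Added example (not from the thread): the poster's rule completed with the
// summed-count condition Fernando suggested. "#str1" is YARA's count of how
// many times $str1 matched in the scanned file, so the sum is the total
// number of hits across all three strings, whichever of them contributed.
rule Malware_Detection : file
{
    meta:
        author = "Raghvendra"
        version = "0.1"
        description = "Detecting malwares using heuristics"

    strings:
        $str1 = "alice" nocase
        $str2 = "bob" nocase
        $str3 = "intruder" nocase

    condition:
        // Fires for 21 x alice, or 16 x alice + 5 x bob, or any other mix
        // that adds up to more than 20 hits. Use ">= 20" if a total of
        // exactly 20 should also trigger (the question uses both wordings).
        #str1 + #str2 + #str3 > 20
}

// Variant beyond the original question: same total, but also insist that at
// least two of the three strings are present, so one repeated word alone
// (for example "bob" appearing 25 times in an address book) does not fire.
rule Malware_Detection_TwoStrings : file
{
    meta:
        author = "Raghvendra"
        version = "0.1"
        description = "Summed-count heuristic requiring two distinct strings"

    strings:
        $str1 = "alice" nocase
        $str2 = "bob" nocase
        $str3 = "intruder" nocase

    condition:
        #str1 + #str2 + #str3 > 20 and 2 of them
}
```

Because `nocase` is set, "Alice", "ALICE" and "alice" all count toward `#str1`. Running `yara -s rule.yar sample` prints every matched string with its offset, which is the quickest way to confirm where the counts come from when a rule fires unexpectedly on a clean file.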
