Can you please attach the files you are using for testing?

On Tue, Jul 30, 2019 at 11:01 AM Andrew <[email protected]> wrote:

> You said that Yara doesn't understand "¥", but when I search for "¥", it
> successfully finds it. I want to solve the offset issue.
>
> On Tuesday, July 30, 2019 at 5:46:26 PM UTC+9, Víctor Manuel Álvarez García wrote:
>>
>> That depends on how the string +W¥Groupe is encoded, it may be that the
>> ¥ character is encoded as a two-byte character, and YARA doesn't
>> understand unicode. Everything is a byte, there's no support for multi-byte
>> characters. So, open the file with a hex editor and take a look at the raw
>> bytes.
>>
>> On Tue, Jul 30, 2019 at 8:55 AM Andrew <[email protected]> wrote:
>>
>>> The following two targets return different offsets
>>>
>>> Search word : Groupe
>>>
>>> 1) +W¥Groupe => offset 4
>>> 2) Vv,Groupe => offset 3
>>>
>>> They are supposed to be the same index, no?
>>>
>>> On Monday, July 29, 2019 at 5:05:28 PM UTC+9, Víctor Manuel Álvarez García wrote:
>>>>
>>>> That depends on the implementation of both Aho-Corasick and the regexp
>>>> engine. It's true that Aho-Corasick is designed to search for multiple
>>>> patterns at once, so the more patterns you are looking for, the faster it
>>>> will be when compared with a solution based on searching one pattern at a
>>>> time, either with a regexp, or a simple call to strstr. However, it doesn't
>>>> mean that searching for a single pattern is going to be faster if you use
>>>> a regexp, that depends on the specific implementation of the regexp engine
>>>> and the regexp you are searching for.
>>>>
>>>> But regarding your question, yes, YARA uses Aho Corasick regardless of
>>>> the number of patterns you are looking for.
>>>>
>>>> On Mon, Jul 29, 2019 at 4:21 AM Andrew <[email protected]> wrote:
>>>>
>>>>> In full-text search, Aho-Corasick is fast when we use more than
>>>>> hundreds of keywords, but as I am aware, Aho-Corasick seems to be slower
>>>>> than Regex when there are one or two keywords.
>>>>> (
>>>>> https://www.freecodecamp.org/news/regex-was-taking-5-days-flashtext-does-it-in-15-minutes-55f04411025f/
>>>>> )
>>>>>
>>>>> Does Yara always use Aho-Corasick regardless of the number of
>>>>> keywords?
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "YARA" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> To view this discussion on the web visit
>>>>> https://groups.google.com/d/msgid/yara-project/92ee6c7c-646e-4b02-b2d1-23825d3e573a%40googlegroups.com
>>>>> <https://groups.google.com/d/msgid/yara-project/92ee6c7c-646e-4b02-b2d1-23825d3e573a%40googlegroups.com?utm_medium=email&utm_source=footer>
>>>>> .

--
You received this message because you are subscribed to the Google Groups "YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/yara-project/CAD7Y4L43L%2BJSqYP%3DtmnXeMKyoks4HxSYXS%3DX6Yi_Dk1MspvgfA%40mail.gmail.com.
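The offset difference discussed in this thread, as an added example that is not part of the original messages and does not call YARA: it locates `Groupe` by raw bytes, the way a byte-oriented scanner does, and converts the byte offset into a character index. The helper names and the encodings tried are assumptions, since the files from the thread are not on the page.

```python
from __future__ import annotations

# Added example: byte offsets (what a byte-oriented scanner reports) versus
# character indexes (what a text editor shows). The two sample strings come
# from the thread; the encodings are assumed, the real files were not posted.


def byte_offsets(data: bytes, pattern: bytes) -> list[int]:
    """Return every byte offset where pattern occurs (overlaps included)."""
    hits, start = [], data.find(pattern)
    while start != -1:
        hits.append(start)
        start = data.find(pattern, start + 1)
    return hits


def char_index(data: bytes, offset: int, encoding: str) -> int:
    """Translate a byte offset into a character index for one encoding.

    Raises UnicodeDecodeError when the offset falls inside a multi-byte
    character or the prefix is not valid in that encoding.
    """
    return len(data[:offset].decode(encoding, errors="strict"))


def report(text: str, keyword: str, encoding: str) -> tuple[int, int]:
    """Encode text, find keyword by bytes, return (byte_offset, char_index)."""
    data = text.encode(encoding)
    off = byte_offsets(data, keyword.encode(encoding))[0]
    return off, char_index(data, off, encoding)


if __name__ == "__main__":
    for text in ("+W¥Groupe", "Vv,Groupe"):
        for enc in ("utf-8", "latin-1", "utf-16-le"):
            raw = text.encode(enc).hex(" ")
            off, idx = report(text, "Groupe", enc)
            print(f"{text!r:12} {enc:9} byte_offset={off} char_index={idx}  {raw}")
```

In UTF-8 the `¥` occupies the two bytes `c2 a5`, which gives byte offset 4 for the first string while the character index stays 3; a byte search for `¥` still succeeds because both bytes are matched literally.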
