That's a very common misconception. YARA does not search for strings as they are found during the condition evaluation, it searches for all the strings (from all the rules) at the same time *before* evaluating the conditions. Once the whole file has been scanned for all the strings, and YARA has taken note of all the matches, it proceeds to evaluate the conditions. This behaviour is because YARA is optimized for the case in which you have multiple rules with many strings, and searching for each individual string in a separate pass over the file would be simply too slow.
Does this clarify the issue?

Regards,
Víctor

On Thu, Jan 28, 2021 at 12:22 PM Peter Kálnai <[email protected]> wrote:

> Hello all,
> I experienced the following situation:
>
> Imagine you have a rule with a short string pattern. If you execute the rule on a file that is very large and contains the string many times, YARA exits with
>
>     error scanning "file": string "$string" in rule "rule" caused too many matches
>
> This is expected and the guidelines warn about using "Uniform Content"
> https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7
>
> However, the error result is the same even if you try to limit the scan to small files with the filesize keyword. I expected that short-circuit evaluation would apply here and strings wouldn't be evaluated and no error received.
>
> This could be dangerous in situations when you have a YARA file containing many rules. Perhaps one would not bother if a poorly written rule fails, but this would also fail all other rules as well.
>
> Any comments welcome
>
> Kind regards
> Peter Kalnai
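The evaluation order Víctor describes, as an added toy model that is not part of this thread and not YARA's own code: every string of every rule is searched in one pass over the data first, and only then are conditions evaluated, so a `filesize` guard in a condition cannot stop a short pattern from being searched and counted. The rules, the data and the tiny match limit are all constructed for illustration (real YARA's limit is far larger); `scan_if_small` is a caller-side size gate added here as one way to avoid the problem, not a YARA feature.

```python
"""Toy model of YARA's two-phase scan: string search over the whole buffer
first, condition evaluation second. Constructed for illustration; the match
limit is deliberately tiny and nothing here is YARA's real implementation."""

MAX_STRING_MATCHES = 1000  # constructed limit for the toy model


class TooManyMatches(Exception):
    """Raised during the string-search phase; the whole scan is lost,
    including results for every other rule in the set."""


# Constructed rules. Each maps string ids to byte patterns and carries a
# condition(filesize, match_counts) -> bool.
RULES = [
    {
        "name": "short_pattern",
        "strings": {"$s": b"A"},
        # The filesize guard Peter hoped would short-circuit the scan.
        "condition": lambda filesize, m: filesize < 100 and m["$s"] > 0,
    },
    {
        "name": "unrelated",
        "strings": {"$mz": b"MZ"},
        "condition": lambda filesize, m: m["$mz"] > 0,
    },
]


def scan(data, rules=RULES):
    """Return the names of matching rules, mimicking YARA's evaluation order."""
    # Phase 1: search all strings of all rules across the whole buffer.
    # No condition has been looked at yet, so `filesize < 100` cannot
    # prevent the short pattern from being searched and counted.
    counts = {}
    for rule in rules:
        counts[rule["name"]] = {}
        for sid, pattern in rule["strings"].items():
            # Non-overlapping count is enough for these short literals.
            n = data.count(pattern)
            if n > MAX_STRING_MATCHES:
                raise TooManyMatches(
                    f'string "{sid}" in rule "{rule["name"]}" caused too many matches'
                )
            counts[rule["name"]][sid] = n
    # Phase 2: evaluate conditions against the recorded match counts.
    filesize = len(data)
    return [r["name"] for r in rules if r["condition"](filesize, counts[r["name"]])]


def scan_if_small(data, max_size, rules=RULES):
    """Caller-side size gate (a constructed mitigation, not a YARA feature):
    the size decision happens before any string search, which is the only
    place it can prevent one. Returns None when the file is skipped."""
    if len(data) > max_size:
        return None
    return scan(data, rules)
```

Running `scan(b"A" * 2000 + b"MZ")` raises `TooManyMatches` even though the `filesize < 100` condition of `short_pattern` would have evaluated to false, and the `unrelated` rule that would have matched is lost with it; `scan_if_small` with `max_size=100` simply skips that buffer.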
