Hello Víctor, yes, thank you for the clarification, it makes perfect sense.
So there's no place for poorly chosen patterns in a collection of YARA rules :)

Kind regards
Peter K.

On Thursday, January 28, 2021 at 1:04:43 PM UTC+1 [email protected] wrote:

> That's a very common misconception. YARA does not search for strings as
> they are found during the condition evaluation, it searches for all the
> strings (from all the rules) at the same time *before* evaluating the
> conditions. Once the whole file has been scanned for all the strings, and
> YARA has taken note of all the matches, it proceeds to evaluate the
> conditions. This behaviour is because YARA is optimized for the case in
> which you have multiple rules with many strings, and searching for each
> individual string in a separate pass over the file would be simply too slow.
>
> Does this clarify the issue?
>
> Regards,
> Víctor
>
> On Thu, Jan 28, 2021 at 12:22 PM Peter Kálnai <[email protected]> wrote:
>
>> Hello all,
>> I experienced the following situation:
>>
>> Imagine you have a rule with a short string pattern. If you execute the
>> rule on a file that is very large and contains the string many times, YARA
>> exits with
>>
>> error scanning "file": string "$string" in rule "rule" caused too many matches
>>
>> This is expected and the guidelines warn about using "Uniform Content"
>> https://gist.github.com/Neo23x0/e3d4e316d7441d9143c7
>>
>> However, the error result is the same even if you try to limit the scan
>> to small files with the filesize keyword. I expected that short-circuit
>> evaluation would apply here and strings wouldn't be evaluated and no error
>> received.
>>
>> This could be dangerous in situations when you have a YARA file
>> containing many rules. Perhaps one would not bother if a poorly written
>> rule fails, but this would also fail all other rules as well.
>>
>> Any comments welcome
>>
>> Kind regards
>> Peter Kalnai
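
A pre-merge check for a rule collection, as an added example (not code from this thread or from the YARA project): because a `filesize` condition does not stop a string from being searched, it flags short or uniform plain strings before they reach the shared rule file. The thresholds, the function names and the sample rules are assumptions made here; it reads one string definition per line and ignores regexes, wildcarded hex strings and modifiers.

```python
import re

# Thresholds are assumptions made for this example, not limits defined by YARA.
MIN_LEN = 4       # flag patterns shorter than this many bytes
MIN_DISTINCT = 2  # flag patterns built from fewer distinct byte values
RULE_RE = re.compile(r'^\s*(?:(?:private|global)\s+)*rule\s+(\w+)')
TEXT_RE = re.compile(r'^\s*(\$\w*)\s*=\s*"((?:[^"\\]|\\.)*)"')
HEX_RE = re.compile(r'^\s*(\$\w*)\s*=\s*\{([0-9A-Fa-f\s]+)\}')
ESC_RE = re.compile(rb'\\x([0-9A-Fa-f]{2})|\\(.)', re.S)

def pattern_bytes(literal):
    # Decode \xNN to its byte; any other escape is counted as one byte.
    return ESC_RE.sub(lambda m: bytes([int(m[1], 16)]) if m[1] else m[2], literal.encode())

def lint_rules(source):
    """Return (rule, string_id, reason) for each risky plain string."""
    findings, rule = [], None
    for line in source.splitlines():
        if m := RULE_RE.match(line):
            rule = m.group(1)
            continue
        if m := TEXT_RE.match(line):
            data = pattern_bytes(m.group(2))
        elif m := HEX_RE.match(line):
            data = bytes.fromhex(m.group(2))
        else:
            continue  # regexes, wildcarded hex and non-string lines
        if len(data) < MIN_LEN or len(set(data)) < MIN_DISTINCT:
            reason = "short" if len(data) < MIN_LEN else "uniform"
            findings.append((rule, m.group(1), reason))
    return findings

# Constructed sample rules; the filesize guard does not exempt $string.
SAMPLE = r'''
rule small_files_only {
  strings:
    $string = "MZ"
  condition:
    filesize < 100KB and $string
}
rule padded {
  strings:
    $pad = { 00 00 00 00 00 00 00 00 }
    $nul = "\x00\x00\x00\x00"
    $ok = "example-marker-string"
  condition:
    any of them
}
'''
print(lint_rules(SAMPLE))
```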
