Hi,

Ok, so because every hashing algorithm returns hashes in all uppercase and yara requires all lower case, the only solution is for the user to manually go through and change all uppercase to lowercase in the hash rather than have either a tolower() functionality added to the yara rules or allow yara to recognize both upper and lower case characters? I feel like the industry accepted standard for all hashing algorithms is that they are always in uppercase and that should be expected, not the other way around. I mean my years of being a developer support that gut feeling. I am genuinely confused by this decision to only accept lowercase and not upper for hashes. Is this a virustotal issue or just a decision in the programming for yara?
Jonathan

On Mon, Feb 22, 2021 at 11:33 AM Wesley Shields <[email protected]> wrote:
> See the warning at the top of https://yara.readthedocs.io/en/stable/modules/hash.html - all hashes are returned in lowercase.
>
> -- WXS
>
> On Feb 22, 2021, at 11:30 AM, Jonathan Livolsi <[email protected]> wrote:
>
> Hi,
>
> I am going through a lab to learn yara rules and have a simple problem but I am not seeing why this might be happening. It is an online course and their support doesn't help with this kind of stuff. I am just writing a simple rule to check the MZ bits and the file hash for MD5, SHA1, and SHA256. Nothing complicated about it.
>
> In this screenshot I have in my simple yara rule a check for the first bytes of 5A4D and it works fine. I commented out the hash checks and in the console you can see that I get a 1 returned because the rule matched.
> <Capture1.JPG>
>
> In this screenshot I uncommented the hash checks and the rule fails to match. If I comment out the strings and the check in the conditions but leave in the hash (even just one at a time) the rule does not ever match. Yet in the powershell prompt to the right I have the calculated hashes that I used in the rule. Am I missing something?
> <Capture2.JPG>
>
> Thanks for the help.
>
> Jonathan
>
> --
> You received this message because you are subscribed to the Google Groups "YARA" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/yara-project/CACYKFWr7-UYXkMr1jDQMaFOBMm6%2BTq7Av-VfdBCgCgNoyS7q_g%40mail.gmail.com.
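An added example, not code from this thread or from the YARA project, showing in Python why the rule in the thread never matched: `hash.md5`, `hash.sha1` and `hash.sha256` return lowercase hex, and the `==` in a rule condition is a plain case-sensitive string comparison, so a digest pasted from a tool that prints uppercase (PowerShell's `Get-FileHash` does) has to be lowercased before it goes into the rule. The MZ-headed sample bytes, the rule name and the function names are constructed for this example.

```python
import hashlib
import re

# Constructed sample input: a minimal MZ-headed byte string standing in for a
# PE file (the "5A4D" seen in the thread is the little-endian view of "MZ").
SAMPLE_FILE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n"

# hex digest length -> function name in YARA's hash module
HASH_FUNCS = {32: "md5", 40: "sha1", 64: "sha256"}


def compute_hashes(data):
    """Digests as the YARA hash module returns them: lowercase hex."""
    return {name: getattr(hashlib, name)(data).hexdigest()
            for name in HASH_FUNCS.values()}


def yara_style_match(data, supplied):
    """Emulate `hash.<algo>(0, filesize) == "<supplied>"`: a plain,
    case-sensitive comparison against the lowercase digest, no tolower()."""
    algo = HASH_FUNCS.get(len(supplied))
    if algo is None:
        return False
    return compute_hashes(data)[algo] == supplied


def normalize_hash(value):
    """Trim, lowercase and validate a digest copied from another tool so it
    can be pasted into a rule. Returns (algorithm name, lowercase hex)."""
    digest = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", digest):
        raise ValueError("not a hex digest: %r" % value)
    algo = HASH_FUNCS.get(len(digest))
    if algo is None:
        raise ValueError("unsupported digest length %d" % len(digest))
    return algo, digest


def build_rule(name, digests):
    """Emit a YARA rule matching an MZ-headed file whose digest is in
    `digests`, normalising each digest first so the comparison can succeed."""
    checks = ['hash.%s(0, filesize) == "%s"' % normalize_hash(d) for d in digests]
    lines = [
        'import "hash"',
        "",
        "rule %s" % name,
        "{",
        "    strings:",
        "        $mz = { 4D 5A }",
        "    condition:",
        "        $mz at 0 and (",
        "            " + " or\n            ".join(checks),
        "        )",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    digests = compute_hashes(SAMPLE_FILE)
    shouted = digests["sha256"].upper()  # the form Get-FileHash prints
    print("exact compare with uppercase digest:", yara_style_match(SAMPLE_FILE, shouted))
    print("after normalize_hash():",
          yara_style_match(SAMPLE_FILE, normalize_hash(shouted)[1]))
    print(build_rule("sample_by_hash", [shouted, digests["md5"].upper()]))
```

Running the script prints `False` for the uppercase digest and `True` once it is lowercased, then the generated rule; feeding the generated rule to `yara` against the same bytes is the real check, since this script only emulates the module's comparison rather than calling YARA.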
