Hi Sridhar,

Perhaps I am misunderstanding your problem statement, but I believe you are approaching the rule-making process with the wrong capability/mental model. YARA does not support an 'action' keyword. YARA matches binary objects based on patterns and conditions regarding how to use those patterns. What you do with that match is left to the upstream/downstream subsystem that uses YARA.

P.S.: Yes, you can use the "meta" section in very creative ways to meet your requirements. However, I cannot recommend this solution without more information.

Regards
Shiv

".. if at first you don't succeed, then skydiving is not for you .."
".. it's inconvenient to spell out a name which is 10+11 characters long .."

On Tue, Nov 8, 2022 at 12:46 PM Sridhar BV <[email protected]> wrote:
> Hello Yara Users,
>
> I am exploring Yara to build a rules engine where each rule has a priority
> attached along with an associated action. Sharing an example list of rules
> below for context.
>
> Rule-A { priority: 1, conditions { ... }, action: allow }
> Rule-B { priority: 2, conditions { ... }, action: allow }
> Rule-C { priority: 3, conditions { ... }, action: deny }
>
> Input for rules evaluation can match multiple rules. Let's say in the above
> example both Rule-B & Rule-C are a match. Since Rule-B has higher priority
> ( lower priority value equals higher priority ) the result action to return
> is "allow".
>
> I am looking for comments / suggestions on whether it is feasible to model
> rule priority in Yara ( not just by mere location of where the rule appears
> in the yara file ) ?
>
> Thanks,
> Sridhar BV
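The split described in the reply, sketched as an added example that is not part of the thread: YARA only reports which rules matched, and the calling code turns the matches' `meta` values into a decision. The `priority`/`action` meta convention, the rule bodies, the `Rule_A`-style names (YARA identifiers cannot contain hyphens) and the deny-on-tie and default-deny choices are all assumptions of this example.

```python
from types import SimpleNamespace

# Constructed rules: "priority" and "action" are plain meta fields that YARA
# stores but never interprets (the names are this example's convention).
RULES = r'''
rule Rule_A { meta: priority = 1 action = "allow" strings: $a = "alpha" condition: $a }
rule Rule_B { meta: priority = 2 action = "allow" strings: $a = "bravo" condition: $a }
rule Rule_C { meta: priority = 3 action = "deny" strings: $a = "charlie" condition: $a }
'''

ACTIONS = {"allow", "deny"}


def scan(data: bytes):
    """Run YARA over data; needs the yara-python package."""
    import yara  # imported lazily so resolve() is usable without it
    return yara.compile(source=RULES).match(data=data)


def resolve(matches, default="deny"):
    """Return (action, rule_name) of the match with the lowest priority value.

    Matches whose meta lacks a valid priority/action are skipped rather than
    trusted; on equal priority "deny" wins; no usable match gives the default.
    """
    best = None
    for m in matches:
        prio, action = m.meta.get("priority"), m.meta.get("action")
        if isinstance(prio, bool) or not isinstance(prio, int) or action not in ACTIONS:
            continue
        key = (prio, action != "deny")  # deny sorts first within a priority
        if best is None or key < best[0]:
            best = (key, action, m.rule)
    return (best[1], best[2]) if best else (default, None)


if __name__ == "__main__":
    # Constructed stand-ins shaped like yara-python Match objects (.rule, .meta)
    hits = [SimpleNamespace(rule="Rule_C", meta={"priority": 3, "action": "deny"}),
            SimpleNamespace(rule="Rule_B", meta={"priority": 2, "action": "allow"})]
    print(resolve(hits))
```

With yara-python installed, `resolve(scan(data))` applies the same logic to real scan results, since its match objects expose `.rule` and `.meta`.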
