Hi Shiv,

It seems the example shared is causing confusion. The example added is the set 
of rules we have for our use-case, and I do understand there is no "action" or 
"priority" keyword in YARA. The "meta" section is something we plan on 
using as well to pass results (for example, the action value) back to the 
downstream system. 

The part I am trying to figure out in YARA is whether, during condition 
evaluation, when multiple rules match, it is possible to return the rule 
with the highest priority. 



Thanks,
Sridhar BV

 

On Tuesday, November 8, 2022 at 12:58:31 PM UTC-8 [email protected] 
wrote:

> Hi Sridhar,
>
> Perhaps I am misunderstanding your problem statement but I believe you are 
> approaching the rule making process with the wrong capability/mental model. 
> YARA does not support an 'action' keyword. YARA matches binary objects based 
> on patterns and conditions regarding how to use those patterns. What you do 
> with that match is left to the upstream/downstream subsystem that uses YARA.
>
> P.S.: Yes you can use the "meta" section in very creative ways to meet 
> your requirements. However, I cannot recommend this solution without more 
> information.
>
> Regards
> Shiv
>
> ".. if at first you don't succeed, then skydiving is not for you .."
>
> ".. it's inconvenient to spell out a name which is 10+11 characters long 
> .."
>
>
> On Tue, Nov 8, 2022 at 12:46 PM Sridhar BV <[email protected]> wrote:
>
>> Hello Yara Users,
>>
>> I am exploring Yara to build a rules engine where each rule has a 
>> priority attached along with an associated action. Sharing an example list 
>> of rules below for context. 
>>
>> Rule-A { priority: 1, conditions { ... }, action: allow }
>> Rule-B { priority: 2, conditions { ... }, action: allow }  
>> Rule-C { priority: 3, conditions { ... }, action: deny }
>>
>> Input for rules evaluation can match multiple rules. Let's say in the 
>> above example both Rule-B & Rule-C are a match. Since Rule-B has higher 
>> priority (a lower priority value equals higher priority), the result action 
>> to return is "allow". 
>>
>> I am looking for comments / suggestions on whether it is feasible to 
>> model rule priority in Yara (not just by the location where the rule 
>> appears in the yara file)?
>>
>> Thanks,
>> Sridhar BV
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "YARA" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/yara-project/d37ed346-16b8-4a4c-870a-38c1168206f0n%40googlegroups.com
>>  
>> <https://groups.google.com/d/msgid/yara-project/d37ed346-16b8-4a4c-870a-38c1168206f0n%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>>
>
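The split both messages describe, priority and action carried in each rule's meta section and the "which rule wins" decision made downstream of the scan, worked through as an added example (this code is not from the thread or from the YARA project). It assumes the yara-python API (yara.compile(source=...), rules.match(data=...), match.rule, match.meta) when that package is installed and otherwise evaluates the same constructed rules with a small substring scanner; the rule table, the sample input, the fail-closed default of "deny" and the tie-break on rule name are all assumptions made for the example.

```python
"""Pick one action from several YARA matches using rule metadata.

Added example, not code from this thread. YARA has no priority or action
keyword, so both live in the meta section and the resolver runs downstream
of the scan. Assumes the yara-python API (yara.compile(source=...),
rules.match(data=...), match.rule, match.meta); when that package is absent
the same rules are evaluated by a tiny substring scanner so the example
still runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Mapping, Optional

# Constructed rule table: (rule name, priority, action, literal the rule looks for).
# Lower priority value means higher priority, as in the thread's example.
RULE_TABLE = [
    ("Rule_A", 1, "allow", "trusted-marker"),
    ("Rule_B", 2, "allow", "invoice"),
    ("Rule_C", 3, "deny", "macro"),
]


def render_rules(table=RULE_TABLE) -> str:
    """Emit YARA source; priority and action are carried only in meta."""
    chunks = []
    for name, prio, action, literal in table:
        chunks.append(
            f"rule {name} {{\n"
            f"    meta:\n"
            f"        priority = {prio}\n"
            f'        action = "{action}"\n'
            f"    strings:\n"
            f'        $s = "{literal}"\n'
            f"    condition:\n"
            f"        $s\n"
            f"}}\n"
        )
    return "\n".join(chunks)


@dataclass(frozen=True)
class MatchRecord:
    """The two fields of a yara-python Match that the resolver needs."""
    rule: str
    meta: Mapping[str, object]


def scan(data: bytes, table=RULE_TABLE) -> list[MatchRecord]:
    """Return one MatchRecord per matching rule, via yara-python if available."""
    try:
        import yara  # yara-python, optional
    except ImportError:
        # Fallback: every rule in the table is a plain substring test.
        return [
            MatchRecord(name, {"priority": prio, "action": action})
            for name, prio, action, literal in table
            if literal.encode() in data
        ]
    rules = yara.compile(source=render_rules(table))
    return [MatchRecord(m.rule, dict(m.meta)) for m in rules.match(data=data)]


def resolve_action(matches: Iterable[MatchRecord],
                   default_action: str = "deny") -> tuple[Optional[str], str]:
    """Return (winning rule, action) for the lowest priority value among matches.

    Assumed policy: no usable match falls back to default_action (deny, i.e.
    fail closed); ties on priority break on rule name so the result is
    deterministic; a rule whose meta lacks an integer priority or a string
    action is skipped rather than allowed to decide the outcome.
    """
    best: Optional[tuple[int, str, str]] = None
    for m in matches:
        prio = m.meta.get("priority")
        action = m.meta.get("action")
        if isinstance(prio, bool) or not isinstance(prio, int) or not isinstance(action, str):
            continue  # malformed meta: ignore this rule
        candidate = (prio, m.rule, action)
        if best is None or candidate[:2] < best[:2]:
            best = candidate
    if best is None:
        return None, default_action
    return best[1], best[2]


if __name__ == "__main__":
    sample = b"invoice.doc contains a macro"  # constructed input: matches Rule_B and Rule_C
    print(resolve_action(scan(sample)))      # ('Rule_B', 'allow')
```

The point of keeping the resolver outside YARA is that the scan stays a pure match step and the policy (default action, tie-breaking, what to do with a rule whose meta is malformed) is reviewable in one place; rule order in the .yar file never influences the outcome, only the priority value in meta does.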
