Thanks for the clarification. And I see, the use case was causing some confusion. Regarding your question:

> The part I am trying to figure out in YARA is, during conditions
> evaluations when multiple rules match and is it possible to return the rule
> with highest priority.

Off the top of my head? No. However, if you want that functionality, the "meta" section is the best way to add that functionality. Have you looked at yara-python?

Regards
Shiv

".. if at first you don't succeed, then skydiving is not for you .."

".. it's inconvenient to spell out a name which is 10+11 characters long .."

On Tue, Nov 8, 2022 at 4:00 PM Sridhar BV <[email protected]> wrote:

> Hi Shiv,
>
> Seems the example shared is causing confusion. The example added is the
> set of rules we have for our use-case and do understand there is no
> "action" or "priority" keyword in YARA. The "meta" section is something we
> plan on using as well to pass results (for example the action value) back
> to the downstream system.
>
> The part I am trying to figure out in YARA is, during conditions
> evaluations when multiple rules match and is it possible to return the rule
> with highest priority.
>
> Thanks,
> Sridhar BV
>
> On Tuesday, November 8, 2022 at 12:58:31 PM UTC-8 [email protected] wrote:
>
>> Hi Sridhar,
>>
>> Perhaps I am misunderstanding your problem statement but I believe you
>> are approaching the rule making process with the wrong capability/mental
>> model. YARA does not support an 'action' keyword. YARA matches binary objects
>> based on patterns and conditions regarding how to use those patterns. What
>> you do with that match is left to the upstream/downstream subsystem that
>> uses YARA.
>>
>> P.S.: Yes you can use the "meta" section in very creative ways to meet
>> your requirements. However, I cannot recommend this solution without more
>> information.
>>
>> Regards
>> Shiv
>>
>> ".. if at first you don't succeed, then skydiving is not for you .."
>>
>> ".. it's inconvenient to spell out a name which is 10+11 characters long .."
>>
>> On Tue, Nov 8, 2022 at 12:46 PM Sridhar BV <[email protected]> wrote:
>>
>>> Hello Yara Users,
>>>
>>> I am exploring Yara to build a rules engine where each rule has a
>>> priority attached along with an associated action. Sharing an example list
>>> of rules below for context.
>>>
>>> Rule-A { priority: 1, conditions { ... }, action: allow }
>>> Rule-B { priority: 2, conditions { ... }, action: allow }
>>> Rule-C { priority: 3, conditions { ... }, action: deny }
>>>
>>> Input for rules evaluation can match multiple rules. Let's say in the
>>> above example both Rule-B & Rule-C are a match. Since Rule-B has higher
>>> priority (lower priority value equals higher priority) the result action
>>> to return is "allow".
>>>
>>> I am looking for comments / suggestions on whether it is feasible to
>>> model rule priority in Yara (not just by mere location of where the rule
>>> appears in the yara file)?
>>>
>>> Thanks,
>>> Sridhar BV
>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "YARA" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/yara-project/d37ed346-16b8-4a4c-870a-38c1168206f0n%40googlegroups.com
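Shiv's suggestion (carry priority and action in the "meta" section, and let the caller rank matches via yara-python) worked through as an added example; this is not code from the thread or from the YARA project. It assumes yara-python is installed only for scan(); resolve() is plain Python. YARA identifiers cannot contain '-', so Rule-A becomes Rule_A, and the pattern strings are constructed for the demo.

```python
"""Rank matched YARA rules by a meta "priority" and return the winning
"action". YARA evaluates every rule and reports every match; the ordering
Sridhar asked about is done by the caller, not by YARA itself."""
from collections import namedtuple

# Sridhar's three rules in real YARA syntax. "priority" and "action" live in
# meta because YARA has no such keywords. Strings are constructed samples.
RULES = r'''
rule Rule_A { meta: priority = 1  action = "allow"  strings: $s = "trusted-header"  condition: $s }
rule Rule_B { meta: priority = 2  action = "allow"  strings: $s = "known-vendor"     condition: $s }
rule Rule_C { meta: priority = 3  action = "deny"   strings: $s = "eval(base64"      condition: $s }
'''

# Minimal stand-in for yara.Match: only .rule and .meta are used below.
Match = namedtuple("Match", ["rule", "meta"])

DEFAULT_ACTION = "deny"      # fail closed when nothing matches (assumption)
NO_PRIORITY = float("inf")   # rules without a numeric priority rank last


def resolve(matches, default=DEFAULT_ACTION):
    """Return (rule_name, action) for the best-ranked match, or (None, default).

    Lower numeric priority wins, as in Sridhar's example. Ties and missing
    or malformed priorities fall back to rule name so the result is
    deterministic regardless of the order YARA reports matches in.
    """
    best = None
    for m in matches:
        prio = m.meta.get("priority", NO_PRIORITY)
        if not isinstance(prio, (int, float)):
            prio = NO_PRIORITY           # refuse to rank on a non-numeric value
        key = (prio, m.rule)
        if best is None or key < best[0]:
            best = (key, m)
    if best is None:
        return None, default
    return best[1].rule, best[1].meta.get("action", default)


def scan(data: bytes):
    """Compile RULES with yara-python and resolve the matches for one buffer."""
    import yara  # imported lazily so resolve() is usable without yara-python
    return resolve(yara.compile(source=RULES).match(data=data))


if __name__ == "__main__":
    # Matches Rule_B and Rule_C; Rule_B (priority 2) outranks Rule_C -> "allow"
    print(scan(b"known-vendor payload eval(base64..."))
```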
