Hello,  

Thank you, Sir, for your help. But I want to give the file to yara in Python 
for speed, because yara extracts the content of the file and examines the file 
very fast. I searched for this problem in Python but unfortunately could not 
find anything. For example, I used the following rule, but yara still reads 
the full file.

rule SearchRegexdInPartOfAFile {
    strings:
        $a = /([1-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])([0-9])/

    condition:
        $a in (0..100)
}

As I explained, I want to search for "a" in the first 100 bytes of the file. 
If "a" is found, return the match result; otherwise stop examining the file. 
Speed is more important for me. I guess I cannot do it with a Python script 
in any way.

On Tuesday, August 22, 2023 at 22:52:48 UTC+3, [email protected] wrote:

> Hello, have a look at the -z switch in yara command manual (*man yara* or 
> here <https://yara.readthedocs.io/en/stable/commandline.html>).
>
> If you want to do this programmatically, you can just read the first 200KB 
> of the file before passing it to libyara. ;)
>
> Best,
>
>
> On Tue, Aug 22, 2023 at 9:34 AM neslihan hanecioglu <[email protected]> 
> wrote:
>
>> Hi,
>>
>> During file scanning, I do not want to examine the file past a certain 
>> size. For example, for a 100 MB file, I want to scan the first 200 KB and 
>> get its match result, not scanning after 200 KB. How can I achieve this 
>> with a yara rule or Python script? I want to give the full file to Yara and 
>> have Yara not read the full text, as I explained above. It is important for 
>> speed.
>>
>> Thank you for your response.
>> Sincerely.
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "YARA" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/yara-project/c016a513-da34-4b25-88b6-f8b3367395e5n%40googlegroups.com
>>  
>> <https://groups.google.com/d/msgid/yara-project/c016a513-da34-4b25-88b6-f8b3367395e5n%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>>
>
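
The approach suggested in the quoted reply (read only the start of the file and hand that buffer to libyara), as an added example that is not part of the original thread. It uses yara-python's `yara.compile(source=...)` and `rules.match(data=...)`; the helper names, the compacted but equivalent regex and the sample file are assumptions made for illustration. The prefix is 111 bytes because a match may start at offset 100 and is 11 bytes long.

```python
import os
import tempfile

# Compact form of the rule from the message above (assumed equivalent regex).
RULE = r"""
rule SearchRegexInPartOfAFile {
    strings:
        $a = /[1-9][0-9]{10}/
    condition:
        $a in (0..100)
}
"""

MAX_OFFSET = 100  # upper bound of the rule's "in (0..100)" range (inclusive)
MATCH_LEN = 11    # the regex matches exactly 11 digits


def read_prefix(path, limit):
    """Return at most `limit` bytes from the start of `path`."""
    with open(path, "rb") as fh:
        return fh.read(limit)


def scan_prefix(rules, path, limit=MAX_OFFSET + MATCH_LEN):
    """Scan only the first `limit` bytes; the rest of the file is never read."""
    return rules.match(data=read_prefix(path, limit))


def demo():
    import yara  # yara-python; imported here so the helpers load without it
    rules = yara.compile(source=RULE)
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        # Constructed sample: 11 digits at offset 100, then 5 MB of padding.
        tmp.write(b"A" * 100 + b"12345678901" + b"\0" * (5 * 1024 * 1024))
    try:
        return [m.rule for m in scan_prefix(rules, tmp.name)]
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    print(demo())
```
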
