Discussion:
[clamav-users] yara #match does not work with regex
David Shrimpton
2016-04-13 23:27:10 UTC
Using #match as a condition in a yara rule to
count the occurrences of $match doesn't appear to
work where $match is a regex.
#match only appears to work if $match is a string literal
eg "abc123"

Is #match intended to work with a regex ?
--
David Shrimpton
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Kevin Lin
2016-04-14 14:53:54 UTC
In order to minimize the amount of regex execution in ClamAV, regex
signatures are usually run until the first match is detected. This means
that counting regex matches does not work in the general case.

The ClamAV ldb signatures have a custom flag 'g' which specifies to the
engine to find all matches of the affected regex signature; yara signatures
unfortunately do not have such an option at this time.

-Kevin
Post by David Shrimpton
Using #match as a condition in a yara rule to
count the occurrences of $match doesn't appear to
work where $match is a regex.
#match only appears to work if $match is a string literal
eg "abc123"
Is #match intended to work with a regex ?
--
David Shrimpton
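A reproduction harness for the behaviour described in the reply above, added here as an example; it is not code from the thread or from the ClamAV project. It writes a constructed sample file with a known number of regex hits, the YARA rule the original poster describes (#re counting a regex string), and an equivalent ClamAV logical (.ldb) signature whose PCRE subsignature carries the 'g' flag, then runs clamscan against both if clamscan is installed. The rule names, the sample content, the abc[0-9]{3} pattern and the exact ldb logical expression (0&(1>2), read as "subsig 0 matched and subsig 1 matched more than twice") are this example's assumptions; check the expression form against the signature documentation for your ClamAV version.

```shell
#!/bin/sh
# Added example (not from the thread or from ClamAV). Builds a sample file
# with three regex hits, a YARA rule that counts them with #re, and a ClamAV
# .ldb signature that counts the same pattern with the 'g' (global) PCRE
# flag, then scans with clamscan if it is available. All names, the sample
# content and the pattern abc[0-9]{3} are constructed for this example.

WORK="${WORK:-$(mktemp -d)}"

# Constructed sample: three full hits (abc123, abc456, abc789) plus decoys
# "abcXYZ" and "abc12" that contain the literal prefix but not a full match.
make_sample() {
    printf 'header abc123 middle abc456 abcXYZ tail abc789 abc12\n' > "$WORK/sample.bin"
    printf '%s\n' "$WORK/sample.bin"
}

# Counts regex hits with grep so the expected value is known independently
# of the scanner. Returns the count on stdout (expected: 3 for the sample).
count_hits() {
    grep -o 'abc[0-9]\{3\}' "$1" | wc -l | tr -d ' '
}

# YARA rule as the original poster would write it: #re counts matches of
# the regex string. Per the reply above, ClamAV stops at the first regex
# hit, so this rule is not expected to fire under clamscan even though the
# sample contains three hits.
write_yara() {
    cat > "$WORK/count.yar" <<'EOF'
rule Test_CountRegex
{
    strings:
        $re = /abc[0-9]{3}/
    condition:
        #re > 2
}
EOF
    printf '%s\n' "$WORK/count.yar"
}

# Equivalent ClamAV logical signature (assumed form, see lead-in).
# Subsig 0 is the hex-encoded literal "abc" (616263); it triggers PCRE
# subsig 1 ("0/<pcre>/<flags>"), whose 'g' flag asks the engine for all
# matches so the count comparison "1>2" can be evaluated. Engine:81-255 is
# the PCRE-capable engine range.
write_ldb() {
    printf '%s\n' 'Test.CountRegex;Engine:81-255,Target:0;0&(1>2);616263;0/abc[0-9]{3}/g' > "$WORK/count.ldb"
    printf '%s\n' "$WORK/count.ldb"
}

# Scans the sample with each database. clamscan exits 1 on a detection, so
# the calls are wrapped with "|| true" to keep the script going either way.
run_clamscan() {
    sample=$(make_sample)
    yar=$(write_yara)
    ldb=$(write_ldb)
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan not installed; signatures and sample written to $WORK" >&2
        return 0
    fi
    echo "== YARA rule (#re on a regex), expected NOT to fire =="
    clamscan --no-summary -d "$yar" "$sample" || true
    echo "== ldb signature (PCRE subsig with g flag), expected to fire =="
    clamscan --no-summary -d "$ldb" "$sample" || true
}

run_clamscan
```

Run it as a plain script; it leaves the generated sample.bin, count.yar and count.ldb in the temporary directory it reports, so you can re-run clamscan by hand or adjust the match count in both rules.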