Hugal31 / yara-rust

Rust bindings for VirusTotal/Yara
Apache License 2.0

fix: do not list private matches in scan results #84

Closed vthib closed 2 years ago

vthib commented 2 years ago

Strings in YARA rules can be declared as "private": this means those strings won't be reported in the results.

How this is implemented is, however, pretty surprising. Such strings are still included in the YR_RULE object, and their matches are returned as well, but with an is_private flag set to true. Yes, the flag is on the matches, and not even on the string...

Those matches are then filtered by the helper yr_string_matches_foreach, and this filtering was missing in the Rust version.
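A std-only model of the behaviour described above, added here as an illustration; it is not code from this pull request or from yara-rust. `RawMatch`, `RawString`, `collect` and the sample offsets are hypothetical stand-ins for libyara's structures, and in this model a private string stays listed with an empty match list.

```rust
// Constructed rule this model corresponds to (YARA syntax):
//   rule demo { strings: $pub = "MZ"  $priv = "secret" private
//               condition: all of them }

/// Simplified stand-in for libyara's per-match record (hypothetical layout).
struct RawMatch {
    offset: usize,
    is_private: bool, // the flag lives on the match, not on the string
    next: Option<Box<RawMatch>>,
}

/// Simplified stand-in for a rule string and the head of its match list.
struct RawString {
    identifier: &'static str,
    head: Option<Box<RawMatch>>,
}

/// Walk each string's raw match list. With `skip_private` false this is the
/// unfiltered walk the description calls out; with true, private matches are skipped.
fn collect(strings: &[RawString], skip_private: bool) -> Vec<(&'static str, Vec<usize>)> {
    strings
        .iter()
        .map(|s| {
            let mut offsets = Vec::new();
            let mut cur = s.head.as_deref();
            while let Some(m) = cur {
                if !(skip_private && m.is_private) {
                    offsets.push(m.offset);
                }
                cur = m.next.as_deref();
            }
            (s.identifier, offsets)
        })
        .collect()
}

fn node(offset: usize, is_private: bool, next: Option<Box<RawMatch>>) -> Option<Box<RawMatch>> {
    Some(Box::new(RawMatch { offset, is_private, next }))
}

/// Constructed scan state: $pub matched at 0, $priv matched at 16 and 64.
fn sample() -> Vec<RawString> {
    vec![
        RawString { identifier: "$pub", head: node(0, false, None) },
        RawString { identifier: "$priv", head: node(16, true, node(64, true, None)) },
    ]
}

fn main() {
    println!("unfiltered: {:?}", collect(&sample(), false));
    println!("filtered:   {:?}", collect(&sample(), true));
}
```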