Closed GoogleCodeExporter closed 9 years ago
Hi Bill, please note that yarascan is not a regular expression engine, it is a
yara engine. Yara accepts yara rules, which are not plain regular expressions.
Yara is capable of handling regular expressions, and you can find more
information on how to do so at [1]. To allow quick use of these features, we
allow regular expressions to be wrapped in /'s (so /<regexp>/), just like yara
regular expressions. The value itself is then inserted in a simple yara
"strings" rule. The same is true if a string literal is detected. The only
time we don't wrap everything in a strings rule is if a complete rule (starting
with {) is provided.
You might also find the strings plugin a simpler mechanism for locating strings
of a particular pattern in memory such as URLs or IPs, rather than having to
write complete yara rules.
I'm going to mark this issue as won't fix, since it's not a volatility issue,
and we try to mimic yara's syntax as closely as possible.
[1] http://yara.readthedocs.org/en/v3.2.0/writingrules.html#regular-expressions
Original comment by mike.auty@gmail.com
on 3 Feb 2015 at 11:27
Also, please file all new bugs on github as mentioned in issue 521.
Original comment by mike.auty@gmail.com
on 3 Feb 2015 at 11:28
Hi Bill, also note that the yarascan plugin can accept a yara rules file (which
can, via include directives, include other yara rules files). So, instead of
searching for individual criteria one at a time, you can dump the regex (after
potentially fixing it to yara syntax) along with regexes for IPs, hostnames, AV
signatures, etc, into a rule file and then scan for them all at once.
By the way, yes, please file future issues at github...I'm surprised anyone saw
this issue.
Original comment by michael.hale@gmail.com
on 3 Feb 2015 at 11:43
Thanks for the insight and guidance. Appreciate the help. FYI: I was confused
by the 4.2 Cheat Sheet for Volatility that seems to infer that, given the
examples provided, for search options for URLs and IPs that yarascan does have
full blown grep capability. Also, nowhere in the book "Memory Forensics" is
there any advisement that yarascan's compatibilities are limited with respect
to running grep like expressions as detailed in the bullets on page 211.
Original comment by Bill.Spe...@gmail.com
on 4 Feb 2015 at 2:58
Original issue reported on code.google.com by
Bill.Spe...@gmail.com
on 3 Feb 2015 at 9:16