VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

Is there any way to avoid multiple duplicate lines regex match? #1932

Closed gaohang closed 6 months ago

gaohang commented 1 year ago

Just like https://github.com/VirusTotal/yara/issues/504

When I use a regex rule in YARA, it matches the same line multiple times. How can I avoid it, or is there any usage for this condition?

plusvic commented 1 year ago

Can you provide some example of a rule, input file and results you are expecting?

gaohang commented 11 months ago

rule: $re = /ab.{,4}/
match result: abc ab. ab.c ab.cd
desired result: the longest match, like ab.cd

plusvic commented 11 months ago

With a pattern like /ab.{,4}/ YARA will return the longest possible match at every possible file offset where the pattern matches. For instance, if the file content is ababab, you will get:

0x0:$a: ababab
0x2:$a: abab
0x4:$a: ab

This behaviour is by design: YARA will always report all the file offsets where the pattern matches, even if these matches overlap.
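
Since every matching offset is reported by design, collapsing overlaps has to happen after scanning. The following is an added example, not code from this thread or from the YARA project: it parses match lines in the `offset:identifier: data` layout quoted above and drops any match that lies wholly inside a longer match of the same string. The function names and the sample lines are constructed, and it assumes the matched data is printable, so the printed text length equals the match length.

```python
import re
from collections import defaultdict

# Constructed sample: the first three lines repeat the output quoted in
# the thread, the last two are made up to show a partial overlap.
SAMPLE = """\
0x0:$a: ababab
0x2:$a: abab
0x4:$a: ab
0xa:$a: abxxab
0xe:$a: abyy
"""

LINE = re.compile(r"^(0x[0-9a-fA-F]+):(\$\w*): (.*)$")


def parse_matches(text):
    """Return (offset, identifier, data) tuples from string-match lines."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return out


def collapse_contained(matches):
    """Drop matches lying wholly inside a kept match of the same string."""
    by_ident = defaultdict(list)
    for off, ident, data in matches:
        by_ident[ident].append((off, data))
    kept = []
    for ident, items in by_ident.items():
        # Earliest start first; at equal starts the longer match first.
        items.sort(key=lambda it: (it[0], -len(it[1])))
        max_end = -1
        for off, data in items:
            end = off + len(data)
            if end <= max_end:
                continue  # fully covered by an earlier, longer match
            kept.append((off, ident, data))
            max_end = end
    return sorted(kept)
```

Matches that only partially overlap a kept match are retained, because they cover bytes the earlier match does not.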