Yara rule not matching when it should

VirusTotal / yara

The pattern matching swiss knife

https://virustotal.github.io/yara/

BSD 3-Clause "New" or "Revised" License

7.95k stars 1.42k forks source link

Yara rule not matching when it should #2035

Closed crayy8 closed 5 months ago

crayy8 commented 5 months ago

Describe the bug rule2 does not get reported on a file that clearly has the pattern as shown in the hex viewer. A very similar file triggers without issue.

To Reproduce Use test.yar file on both files. Observe that Payment_0216#522.one does not trigger rule2 but the other file does.

Expected behavior Both rule1 and rule2 should be flagged on both files

Screenshots Yara_fail Yara_success yara_run

Please complete the following information:

OS: Windows 10
YARA version: 4.3.2-2150-win64

test.yar `rule rule1 { strings: $1 = /\x9c\x1d\x00\x1c/ $2 = /\x63\x00\x6d\x00\x64/ condition: $1 and $2 }

rule rule2 { strings: $1 = /\x9c\x1d\x00\x1c.{,200}\x63\x00\x6d\x00\x64/ condition: $1 } ` test.zip

plusvic commented 5 months ago

The problem here is that Payment_02_16_#522.one contains a newline character (0x0A) right after \x9c\x1d\x00\x1c, and the dot . in a regular expression matches everything except newline, except if you use the /s modifier in your regexp.

If you change your regexp to $1 = /\x9c\x1d\x00\x1c.{,200}\x63\x00\x6d\x00\x64/s it matches as expected, because the /s at the end means that the dot matches all bytes.

That's the standard behaviour in most regexp engines.

crayy8 commented 5 months ago

@plusvic thank you for the response and sorry for the false report!

plusvic commented 5 months ago

No worries!