I have a question about the order in which internal rules are parsed

VirusTotal / yara

The pattern matching swiss knife

https://virustotal.github.io/yara/

BSD 3-Clause "New" or "Revised" License

8.33k stars 1.45k forks source link

I have a question about the order in which internal rules are parsed #2055

Closed helloobaby closed 8 months ago

helloobaby commented 8 months ago

When I compile Yara rules for a folder, and then use this compiled single rule to scan a specified file, what is the parsing order of some internal rules?

To put it more bluntly, I want certain rules to be parsed first. Can Yara do it?

helloobaby commented 8 months ago

I tested it and found that the parsing order of compiled rules should be consistent with the order of yr_compiler_add_file, is that right?

plusvic commented 8 months ago

Yes, rules will be parsed in the order they are added with yr_compiler_add_file, and they will be executed in that order too.