VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

SyntaxError, unexpected end of file (8191 characters) #2097

Status: Closed (storm-bow closed 3 months ago)

storm-bow commented 3 months ago

Describe the bug: If a yara rule has a string that is bigger than 8190 characters, the yara.compile() function cannot compile the rule and throws an unexpected EOF syntax error.

To Reproduce: Create a yara file like the following and make $s1 8191 characters long.

rule test { strings: $s1 = "....." condition: $s1 }

Then create a Python script and try to compile the rule (yara.compile()).

Expected behavior: syntax error, unexpected end of file


Additional context: You may ask why I use strings > 8190 characters. The answer is that I use a popular tool that auto generates yara rules and creates long description metadata.

plusvic commented 3 months ago

Yes, there's a limit on the maximum number of characters that a literal string can have. Some limit must exist, as supporting unlimited literal strings is not practical. The 8KB limit seems reasonable to me; of course it's possible to increase it, but then someone else can come up with another case where the new limit is still insufficient.

TBH, I don't think YARA rules with 8KB strings are a good idea. Putting that many bytes in a pattern is useless; with a fraction of that amount you still have a pattern that is unique and representative enough. However, if you still want to create rules with such large strings, you can change this limit and build your custom version of YARA:

https://github.com/VirusTotal/yara/blob/c70d92771927d34e25d1804f42cfedc5f716241e/libyara/include/yara/limits.h#L149

storm-bow commented 3 months ago

Thanks a lot. I have not been using this project for long, so I didn't know that I can configure this in the limits header file.
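
For pipelines that consume auto-generated rules, a pre-flight check can flag over-long literals before they reach yara.compile(). The following is an added example, not part of this thread or of the YARA project's code; `find_long_literals`, `MAX_LITERAL_CHARS` and `SAMPLE` are hypothetical names, and the 8190 threshold is taken from the report above rather than read from libyara.

```python
# Threshold reported in this issue; an assumption here, not read from libyara.
MAX_LITERAL_CHARS = 8190


def find_long_literals(source, limit=MAX_LITERAL_CHARS):
    """Return (line, length) for each double-quoted literal longer than limit.

    Length is counted in source characters between the quotes (an assumption
    that over-counts escapes). Regex literals (/.../) are not parsed.
    """
    findings = []
    i, line, n = 0, 1, len(source)
    while i < n:
        two = source[i:i + 2]
        if two == "//":  # line comment: skip to end of line
            end = source.find("\n", i)
            i = n if end == -1 else end
        elif two == "/*":  # block comment: skip past the closing */
            end = source.find("*/", i + 2)
            stop = n if end == -1 else end + 2
            line += source.count("\n", i, stop)
            i = stop
        elif source[i] == '"':  # text literal: walk to the closing quote
            start_line, j = line, i + 1
            while j < n and source[j] != '"':
                if source[j] == "\\":  # skip the escaped character
                    j += 1
                if j < n and source[j] == "\n":
                    line += 1
                j += 1
            length = min(j, n) - (i + 1)
            if length > limit:
                findings.append((start_line, length))
            i = j + 1
        else:
            if source[i] == "\n":
                line += 1
            i += 1
    return findings


# Constructed sample: $ok sits at the threshold, $s1 is one character over.
SAMPLE = (
    'rule test {\n  // "' + "c" * 9000 + '" inside a comment is ignored\n'
    '  strings:\n    $ok = "' + "A" * MAX_LITERAL_CHARS + '"\n'
    '    $s1 = "' + "B" * (MAX_LITERAL_CHARS + 1) + '"\n'
    '  condition:\n    $ok or $s1\n}\n'
)
```

Running `find_long_literals` over each generated rule file before compilation turns the opaque "unexpected end of file" error into a line number and a length.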