mthcht / ThreatHunting-Keywords

Awesome list of keywords and artifacts for Threat Hunting sessions
https://mthcht.github.io/ThreatHunting-Keywords/

Wildcards on beginning and end really needed? #20

Closed ruppde closed 7 months ago

ruppde commented 7 months ago

Hello,

I wonder whether the wildcards at the beginning and end of many strings are really needed, or whether the tools where they are used do a substring search anyway?

Because in YARA the leading and trailing .* don't make a difference, but they do affect performance and memory usage:

$string1 = /.*Backdoor\.ASP\.FUZZSHELL\.A.*/ nocase ascii wide

Also in some strings there's a .* at the beginning and none at the end, which won't make a difference for YARA. If the distinction is needed, then maybe use \b to search for word boundaries. Or use the fullword search modifier.

Regards, Arnim
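The transformation Arnim describes, as an added example that is not code from the ThreatHunting-Keywords project or its yara-rules repository: a small Python helper that strips the redundant leading and trailing `.*` from a keyword regex, renders a YARA string with the usual `nocase ascii wide` modifiers plus an optional `fullword` or `\b` boundary, and checks over constructed log lines that an unanchored search hits exactly the same lines with and without the wildcards. The pattern list, the log lines and the function names are all assumptions made for this example.

```python
import re

# Constructed keyword patterns in the style discussed in the issue; they are
# not taken from the project's lists. Note the escaped dots in the middle.
SAMPLE_PATTERNS = [
    r".*Backdoor\.ASP\.FUZZSHELL\.A.*",   # wildcards on both ends
    r".*Backdoor\.ASP\.FUZZSHELL\.A",     # wildcard only at the start
    r"Backdoor\.ASP\.FUZZSHELL\.A.*",     # wildcard only at the end
]

# Constructed log lines used to check that dropping the wildcards does not
# change which lines an unanchored (substring-style) regex search hits.
SAMPLE_LINES = [
    "2024-01-01T00:00:00Z av: detected Backdoor.ASP.FUZZSHELL.A in /var/www/x.asp",
    "2024-01-01T00:00:01Z av: detected Trojan.Win32.Generic in C:\\tmp\\a.exe",
    "backdoor.asp.fuzzshell.a",           # case-insensitive hit
    "Backdoor.ASP.FUZZSHELL.B",           # near miss, must not match
]

# Leading '.*' repeats, or trailing '.*' repeats that are not an escaped dot
# followed by '*' ('foo\.*' means "zero or more literal dots" and is kept).
_EDGE_WILDCARDS = re.compile(r"^(?:\.\*)+|(?<!\\)(?:\.\*)+$")


def strip_edge_wildcards(pattern: str) -> str:
    """Drop '.*' at the start and/or end of a regex. Under an unanchored
    search (re.search, YARA string scanning) the remainder matches the same
    inputs, so the wildcards only cost time and memory."""
    core = _EDGE_WILDCARDS.sub("", pattern)
    if not core:
        raise ValueError(f"pattern {pattern!r} is nothing but wildcards")
    return core


def to_yara_string(identifier: str, pattern: str, boundary=None) -> str:
    """Render one YARA regex string. boundary='fullword' adds the modifier,
    boundary='word' wraps the regex in \\b ... \\b, None adds nothing."""
    core = strip_edge_wildcards(pattern)
    modifiers = ["nocase", "ascii", "wide"]
    if boundary == "fullword":
        modifiers.append("fullword")
    elif boundary == "word":
        core = rf"\b{core}\b"
    elif boundary is not None:
        raise ValueError(f"unknown boundary mode {boundary!r}")
    return f"${identifier} = /{core}/ {' '.join(modifiers)}"


def search_equivalent(pattern: str, lines) -> bool:
    """True when re.search hits exactly the same lines with and without the
    edge wildcards."""
    with_wc = re.compile(pattern, re.IGNORECASE)
    without_wc = re.compile(strip_edge_wildcards(pattern), re.IGNORECASE)
    return all(bool(with_wc.search(ln)) == bool(without_wc.search(ln)) for ln in lines)


def matching_lines(pattern: str, lines) -> list:
    """Lines hit by the wildcard-free form of the pattern (case-insensitive)."""
    rx = re.compile(strip_edge_wildcards(pattern), re.IGNORECASE)
    return [ln for ln in lines if rx.search(ln)]


if __name__ == "__main__":
    for i, pat in enumerate(SAMPLE_PATTERNS, start=1):
        print(to_yara_string(f"string{i}", pat, boundary="fullword"))
        print("  same hits with/without wildcards:", search_equivalent(pat, SAMPLE_LINES))
```

The check in `search_equivalent` is the reason the wildcards can go for YARA: the engine already scans for the pattern anywhere in the buffer, so `.*` on either end adds backtracking work without widening the match set. Whether to add `fullword` or `\b` is a separate decision, since both narrow the match set rather than preserve it.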

mthcht commented 7 months ago

@ruppde Yes, for the YARA lists; your PR has been merged, thanks :) However, we need to retain the wildcards in this project to ensure matching on raw logs and specific SIEM fields. I'll close this issue; resolved here for hunting with YARA: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules/pull/2

ruppde commented 7 months ago

Ok, fixed it with https://github.com/mthcht/ThreatHunting-Keywords-yara-rules/pull/3