Closed ruppde closed 7 months ago
@ruppde yes for the yara lists, your PR has been merged, thanks :) However, we need to retain the wildcards in this project to ensure matching on raw logs and specific SIEM fields. I'll close this issue, resolved here for hunting with yara: https://github.com/mthcht/ThreatHunting-Keywords-yara-rules/pull/2
Ok, fixed it with https://github.com/mthcht/ThreatHunting-Keywords-yara-rules/pull/3
Hello,
I wonder if the wildcards at the beginning and end of many strings are really needed, or are the tools where they are used doing a substring search anyway?
Because in YARA the `.*` doesn't make a difference, but it affects performance and memory usage:
Also in some strings there's a `.*` at the beginning and none at the end, which won't make a difference for YARA. If the distinction is needed, then maybe use `\b` to search for word boundaries, or use the `fullword` search modifier.

regards arnim
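To make the point of the issue concrete, here is an added example that is not part of the original issue or of either repository. It mirrors the three ways a keyword can be written in a YARA string (`/.*mimikatz.*/`, `/mimikatz/`, and `/\bmimikatz\b/`, the regex counterpart of the `fullword` modifier) using Python's `re` module, whose `search()` scans the whole input just as YARA scans the whole file, and runs them over a few constructed log lines. The keyword `mimikatz` and the sample lines are assumptions chosen for illustration, not entries from the keyword list.

```python
import re

# Constructed sample lines standing in for raw SIEM events; not taken from the project.
SAMPLE_LINES = [
    "C:\\Users\\bob\\Downloads\\mimikatz.exe sekurlsa::logonpasswords",
    "powershell -c Invoke-Mimikatz -DumpCreds",
    "notepad.exe C:\\notes\\xmimikatzx.txt",   # keyword embedded inside a longer token
    "svchost.exe -k netsvcs",                   # no keyword at all
]

# The three spellings of the same keyword, with the YARA string each one mirrors.
PATTERNS = {
    # $a = /.*mimikatz.*/ nocase      -- leading/trailing wildcards
    "wildcarded": re.compile(r".*mimikatz.*", re.IGNORECASE),
    # $b = /mimikatz/ nocase          -- bare regex, scanned anywhere in the data
    "bare": re.compile(r"mimikatz", re.IGNORECASE),
    # $c = /\bmimikatz\b/ nocase      -- word boundaries; "mimikatz" nocase fullword behaves the same here
    "boundary": re.compile(r"\bmimikatz\b", re.IGNORECASE),
}


def match_matrix(lines=SAMPLE_LINES, patterns=PATTERNS):
    """Return {pattern_name: [matched?, ...]} with one bool per input line.

    search() is used rather than match() or fullmatch() because, like a YARA
    scan, it looks for the pattern at any offset of the input.
    """
    return {name: [rx.search(line) is not None for line in lines]
            for name, rx in patterns.items()}


def wildcards_are_redundant(lines=SAMPLE_LINES):
    """True when /.*kw.*/ and /kw/ match exactly the same lines."""
    m = match_matrix(lines)
    return m["wildcarded"] == m["bare"]


def boundary_differs(lines=SAMPLE_LINES):
    """True when \\b changes the result relative to the bare keyword."""
    m = match_matrix(lines)
    return m["boundary"] != m["bare"]


if __name__ == "__main__":
    for name, hits in match_matrix().items():
        print(f"{name:>10}: {hits}")
    print("wildcards redundant:", wildcards_are_redundant())   # True
    print("\\b changes results:", boundary_differs())          # True
```

The wildcarded and bare patterns hit the same three lines, so the `.*` on either end adds nothing to the match set; it only gives the engine more to do. The `\b` variant is the one that actually changes behaviour: it still catches `mimikatz.exe` and `Invoke-Mimikatz` but drops `xmimikatzx`. In YARA, `fullword` requires the string to be delimited by non-alphanumeric characters on both sides, which for ASCII keywords gives the same cut as `\b` here; pick it when the list is meant to flag the tool name as a token rather than as any substring.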