Yara rule working in 2.0 but not in yara 1.6

mustangV / yara-project

Automatically exported from code.google.com/p/yara-project

Apache License 2.0

0 stars 0 forks source link

Yara rule working in 2.0 but not in yara 1.6 #96

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago

Looks like Regex problem but everything looks good to me,

here is my rule
rule Found_DLL {
        strings:
                $a = /https?:\/\/.*\.dll/i
                $b = /ftp:\/\/.*\.dll/i
                $c = /www.*\.dll/i
                $d = /.*\.dll/i
        condition:
                any of them
}
I get this:
syntax error, unexpected _IDENTIFIER_, expecting _CONDITION_

What is wrong with this rule

Original issue reported on code.google.com by rubins...@gmail.com on 19 Mar 2014 at 6:17

GoogleCodeExporter commented 8 years ago

YARA 1.6 doesn't support case-insensitive regexps in the way you're using doing 
it.  Instead of appending the /i modifier at the end use:

$a = /https?:\/\/.*\.dll/  nocase
$b = /ftp:\/\/.*\.dll/ nocase
$c = /www.*\.dll/ nocase
$d = /.*\.dll/ nocase

Original comment by plus...@gmail.com on 19 Mar 2014 at 8:16

Changed state: Invalid

GoogleCodeExporter commented 8 years ago

very well my friend, Big thanks

Original comment by rubins...@gmail.com on 19 Mar 2014 at 11:40