Open GoogleCodeExporter opened 9 years ago
To add onto this issue, YARA appears to be hitting on an ASCII match, but
printing the string results as unicode.
Test file (in ASCII):
```
TESTING
ONETWO
YARATHREE
```
Rule1:
```
rule test
{
    strings:
        $s0 = "test" nocase ascii wide
        $s1 = "yara" nocase ascii wide
    condition:
        $s0 and $s1
}
```
Execution:
```
yara -s rule.yara test.txt
test test.txt
0x11:$s1: YR
0x0:$s0: TS
```
Change rule to remove "wide" from strings:

Rule1:
```
rule test
{
    strings:
        $s0 = "test" nocase ascii
        $s1 = "yara" nocase ascii
    condition:
        $s0 and $s1
}
```
Execution:
```
yara -s rule.yara test.txt
test test.txt
0x11:$s1: YARA
0x0:$s0: TEST
```

Original comment by brian@thebaskins.com on 22 Jul 2013 at 7:19

Original issue reported on code.google.com by ken.dunh...@gmail.com on 4 Feb 2013 at 10:24
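
The symptom in the comment above can be modelled in a few lines. This is an added example, not YARA's code and not part of the original thread. It assumes the truncated strings come from printing every other byte of a match whenever the string is declared `wide` (inferred from the `TS`/`YR` output), and contrasts that with formatting by the encoding that actually matched. All function names are hypothetical, and the sample bytes are constructed with CRLF line endings so the offsets agree with the report.

```python
# Added illustration: a model of the symptom in this report, not YARA's source.
# SAMPLE is constructed; CRLF line endings put "YARA" at 0x11 as in the output above.
SAMPLE = b"TESTING\r\nONETWO\r\nYARATHREE"
# Hypothetical stand-in for the rule: every string is "nocase ascii wide".
RULE = {"$s0": "test", "$s1": "yara"}


def find_nocase(data, text):
    """Return sorted (offset, matched_bytes, is_wide) hits for both encodings."""
    lower = data.lower()  # bytes.lower() folds ASCII letters only
    hits = []
    for pat, is_wide in ((text.lower().encode("ascii"), False),
                         (text.lower().encode("utf-16-le"), True)):
        start = lower.find(pat)
        while start != -1:
            hits.append((start, data[start:start + len(pat)], is_wide))
            start = lower.find(pat, start + 1)
    return sorted(hits)


def show_by_declaration(matched):
    """Reported symptom: the string is declared wide, so every other byte is printed."""
    return matched[::2].decode("ascii")


def show_by_match(matched, is_wide):
    """Expected output: format according to the encoding that actually matched."""
    return matched.decode("utf-16-le" if is_wide else "ascii")


def report(data, rule, by_declaration):
    """Build `yara -s`-style lines for each string in the rule."""
    lines = []
    for ident, text in rule.items():
        for off, matched, is_wide in find_nocase(data, text):
            shown = (show_by_declaration(matched) if by_declaration
                     else show_by_match(matched, is_wide))
            lines.append(f"{hex(off)}:{ident}: {shown}")
    return lines


if __name__ == "__main__":
    print(report(SAMPLE, RULE, by_declaration=True))   # symptom from the report
    print(report(SAMPLE, RULE, by_declaration=False))  # expected for an ASCII file
    print(report("Yara test".encode("utf-16-le"), RULE, by_declaration=False))
```

Analysts who pipe `yara -s` output into triage tooling can use the same per-match check (are the bytes at the reported offset NUL-interleaved?) to confirm which encoding really hit before trusting the printed string.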