
Iterating over constant strings in yara conditions block #1765

Open
nikhilh-20 opened this issue Aug 10, 2022 · 5 comments

Comments


nikhilh-20 commented Aug 10, 2022

Hello,

I recently had a use-case where I wanted to have a list of strings in the conditions block in a yara rule. I'm using yara v4.0.5. A minimal example is: comparing the SHA1 of a file with a known set of hashes. This is a working yara rule:

test.yar:

import "hash"

rule test {
    condition:
        hash.sha1(0,filesize) == "0a9fbc6dacd8887bd9d9065bc7d9a4905d7ea687" or
        hash.sha1(0,filesize) == "90cf88f9f3326d2616232d73e5adc1e85d28097f"
}

$ yara test.yar test.txt 
test test.txt

For readability, this is alright when there are, say, 5 hashes. But if there are 100 hashes, then the rule file becomes messy. Is there a way in yara to have non-search strings in one variable? And I'm not referring to the strings block because those strings are searched in the file. I'm referring to a string variable (containing a list of strings) which is not searched in the file and can purely be used in the conditions block. Also, I assume hash.sha1 will be computed only once? (caching: #592)

Something like:

import "hash"

rule test {
    condition:
        for any i in ("90cf88f9f3326d2616232d73e5adc1e85d28097f","0a9fbc6dacd8887bd9d9065bc7d9a4905d7ea687"):
            ( i == hash.sha1(0,filesize) )
}

The above doesn't work:

$ yara test.yar test.txt 
test.yar(5): error in rule "test": wrong type for enumeration item

Thanks for the help!

Collaborator

wxsBSD commented Aug 15, 2022

I've had a need for this in the past and just ended up doing a long or chain. If @plusvic agrees with this or has a better idea I'd be happy to take a shot at making it work.
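The following is an added example, not code from the issue or from the YARA project. It generates the rule the reporter wants from a plain list of SHA1 digests, in both shapes discussed here: the long `or` chain that works on YARA 4.0.5 (the form shown working above), and the `for any h in ("...", "...") : (...)` string-set iterator form this issue asks for, which is assumed to exist only in a YARA build newer than 4.0.5 (verify against the build you target). The hash list, the rule name `test` and the helper names (`normalize_sha1_list`, `or_chain_rule`, `string_set_rule`, `would_match`) are this example's own. The practical point it adds is normalization: `hash.sha1()` returns lower-case hex, so an upper-case or untrimmed digest pasted into the condition never matches and the rule is silently dead for that entry.

```python
"""Generate a YARA rule that compares hash.sha1(0, filesize) against a list of
SHA1 digests, in either of the two shapes discussed in this issue.

Added example, not the issue's or YARA's own code. Assumptions: the `or`
chain form compiles on YARA 4.0.5 (it is the form shown working above); the
string-set iterator form `for any h in ("..", "..") : (...)` exists in the
YARA build you target. It is what this issue requests and is NOT in 4.0.5.
"""
import hashlib
import re

# Constructed sample input. The last entry is SHA1("abc"), the standard test
# vector; the others are the digests from the issue. The list deliberately
# contains upper-case hex, whitespace and a duplicate to show why it must be
# normalized before being pasted into a rule.
SAMPLE_HASHES = [
    "0a9fbc6dacd8887bd9d9065bc7d9a4905d7ea687",      # from the issue
    "90cf88f9f3326d2616232d73e5adc1e85d28097f",      # from the issue
    "0A9FBC6DACD8887BD9D9065BC7D9A4905D7EA687",      # duplicate, wrong case
    " A9993E364706816ABA3E25717850C26C9CD0D89D\n",   # SHA1("abc"), untrimmed
]

_SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


def sha1_hex(data: bytes) -> str:
    """What hash.sha1(0, filesize) yields for a whole file: lower-case hex."""
    return hashlib.sha1(data).hexdigest()


def normalize_sha1_list(hashes):
    """Strip, lower-case, validate and de-duplicate SHA1 digests (order kept).

    YARA's hash module returns lower-case hex, so an upper-case digest in the
    condition compares unequal and that term can never fire. Normalizing at
    generation time turns the dead term into a live one and rejects junk
    (truncated digests, MD5s in a SHA1 list) before the rule is shipped.
    """
    seen = {}
    for raw in hashes:
        h = raw.strip().lower()
        if not _SHA1_HEX.match(h):
            raise ValueError(f"not a SHA1 hex digest: {raw!r}")
        seen.setdefault(h, None)
    return list(seen)


def or_chain_rule(name, hashes):
    """The form that works on YARA 4.0.5: one `or` term per digest."""
    terms = [f'        hash.sha1(0, filesize) == "{h}"'
             for h in normalize_sha1_list(hashes)]
    return (f'import "hash"\n\nrule {name} {{\n    condition:\n'
            + " or\n".join(terms) + "\n}\n")


def string_set_rule(name, hashes):
    """The iterator-over-a-string-set form requested in this issue."""
    quoted = ",\n            ".join(f'"{h}"'
                                   for h in normalize_sha1_list(hashes))
    return (f'import "hash"\n\nrule {name} {{\n    condition:\n'
            f"        for any h in (\n            {quoted}\n        ) : (\n"
            f"            h == hash.sha1(0, filesize)\n        )\n}}\n")


def would_match(hashes, data: bytes) -> bool:
    """Python reference for either rule's semantics on a whole file:
    is SHA1(data) one of the (normalized) listed digests?"""
    return sha1_hex(data) in set(normalize_sha1_list(hashes))


if __name__ == "__main__":
    print(or_chain_rule("test", SAMPLE_HASHES))
    print(string_set_rule("test", SAMPLE_HASHES))
    print("b'abc' would match:", would_match(SAMPLE_HASHES, b"abc"))
```

Write the output of `or_chain_rule` to a `.yar` file for a 4.0.x scanner, or `string_set_rule` for a build that accepts string sets in `for`; both produce the same match set, and `would_match` is the quick Python cross-check for a given file before you trust the rule.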

Member

plusvic commented Aug 16, 2022

I think it makes sense that iterators work on lists of strings too. It's more intuitive than a long sequence of or statements.

Collaborator

wxsBSD commented Aug 22, 2022

OK, I'll take a shot at implementing this in the coming weeks.

Collaborator

wxsBSD commented Sep 8, 2022

I've taken a shot at this and am having a hard time getting it to work correctly in the grammar. It seems there is a conflict with the way integer sets are built.

Also there is #1338, which might make this issue obsolete. As such, I'm going to put this on hold until I can come up with a way to make it work or someone with more knowledge than me can do it.

Collaborator

wxsBSD commented Sep 9, 2022

After being shown the path by @plusvic I've got this implemented and up for review now.

Thanks, again, Victor!
