Yara does not accept Regex having negative lookahead #584
Comments
|
I was able to reproduce the error, and moreover, I checked the docs and did not find anything about look-aheads or look-behinds in the regex section. I think this feature would be worth adding, but lack the coding acumen to do so myself. That said, I think you could sort of hack it like this: RuleOne rule one {
strings:
$yay = /baloney[0-9a-z]*/
condition:
$yay
}RuleTwo rule two {
strings:
$nay = /\s(ns|win){1}/
condition:
$nay
}tst.txt baloney ns
toodlesns
win
0011uuii win
9090jjuu
baloney
baloneywin
baloney win
baloney092083And then in Bash: yara -s RuleOne tst.txt > outOne
yara -s -n RuleTwo tst.txt > outTwo
comm outOne outTwoProduces: (I'm not much of a REGEX whiz and found yours vaguely confusing, hence the stupid baloney example, but I think the idea is more or less the same?) |
|
Appreciate the response . We are basically building the bigger Yara rules file with several hunderds of rules in just a single file and scanning all of them at one shot . Doing a Yara -n for a single rule wont workaround and produce lot of False positives as we are matching on the multiple GBs of Memory dump files ..
Image attached here perhaps might give you a better idea. |
|
Gotcha. As I said, my solution was definitely a "hack". In the docs I see that "not" is a supported keyword, but I'm not really sure how to use it. I tried doing: condition:
$yay and not $nay... but it didn't seem to work. That said, if you can figure out how to use not in the conditional statement, that could possibly solve the problem? I mean it'd be a bit slow, but wouldn't have the memory issues of my previous hack-y sudo-solution. Edit - for some reason |
|
Ah ok..I will have to spend some time trying a workaround to this. It would solve quite a bit of FP problems if that works .. Thanks for your quick suggestion . |
|
Please comment if you figure it out, I would also like to know the answer to this. If not, I'll try and work on it later this week. |
|
Stilll not figured out ..Let me know if anybody had luck with this . |
|
@chintanhshah I'm doing some spring clean up and came across this issue, sorry for not answering before. Look-around features are not implemented in YARA because its regexp engine is not recursive and doesn't do backtracking. The advantage of this approach is that the running time doesn't blow up exponentially with certain regexps, but the drawback is that some features usually implemented by recursive regexp engines can't be implemented or are more complicated to implement. Regarding your use case I believe you want to detect dumps where some of the ssdt hooks point to a function not starting with "nt" or "win". What about this? This rule tries to find the regexp with and without the "nt" or "win" strings, and make sure that both regexp match at the same offsets, if this doesn't happens the rule matches. It solves your problem? |
|
Oh that sounds like a good logic . I will definitely check this out today . Thanks a lot for your response and help .. |
|
@plusvic 's solution does not work for me. |
Hi ,
Just wanted to point out that Yara 3.4 does not accept the regex having negative lookahead . It throws exceptions on invalid characters . Following is the regex that I am trying to use :
([^\=]*)0x[a-f0-9]{1,3}\s0x[a-f0-9]{8}\s(?!nt|win)
Above regex I was apparently attempting to match the line not having either "nt" or "win" after the space character . While compiling the rule, it throws following error .
error: invalid regular expression "$nt_ssdt": syntax error, unexpected '?'
Please suggest any alternative way of writing negative lookahead regex or fix the issue.
The text was updated successfully, but these errors were encountered: