[clamav-users] yara #match does not work with regex
Kevin Lin
klin at sourcefire.com
Thu Apr 14 14:53:54 UTC 2016
In order to minimize the amount of regex execution in ClamAV, regex
signatures are usually run until the first match is detected. This means
that counting regex matches does not work in the general case.
The ClamAV ldb signatures have a custom flag 'g' which specifies to the
engine to find all matches of the affected regex signature; yara signatures
unfortunately do not have such an option at this time.
-Kevin
On Wed, Apr 13, 2016 at 7:27 PM, David Shrimpton <d.shrimpton at its.uq.edu.au>
wrote:
> Using #match as a condition in a yara rule to
> count the occurrences of $match doesn't appear to
> work where $match is a regex.
> #match only appears to work if $match is a string literal
> eg "abc123"
>
> Is #match intended to work with a regex ?
>
> --
> David Shrimpton
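As an added illustration (not code from this thread, from ClamAV, or from YARA), the following Python script models the behaviour Kevin describes: a count condition such as `#match >= 3` is evaluated against a regex scanned in first-match mode (one hit at most, as the reply says ClamAV does for regex signatures by default), against the same regex scanned globally (the ldb 'g' flag), and against a plain string literal, where every occurrence is counted. The sample buffer, the rule threshold and the `at_least_n_regex` rewrite are all my own constructions; the rewrite folds the required count into a single pattern so that a first-match engine needs only one hit, and is offered as an assumed workaround, not as something ClamAV's YARA support is documented to accept.

```python
import re

# Constructed sample buffer: five "abc<digits>" hits spread through filler.
SAMPLE = b"xx abc123 yy abc9 zz abc45 qq abc0001 rr abc7 end"


def count_matches(data: bytes, pattern: bytes, find_all: bool) -> int:
    """Count regex hits in data.

    find_all=False models an engine that stops at the first hit (the
    first-match behaviour described in the reply); find_all=True models
    global matching, i.e. the 'g' flag on an ldb subsignature.
    """
    rx = re.compile(pattern, re.DOTALL)
    if find_all:
        return sum(1 for _ in rx.finditer(data))
    return 1 if rx.search(data) else 0


def count_literal(data: bytes, literal: bytes) -> int:
    """Count every non-overlapping occurrence of a plain string,
    which is what '#s' on a string literal gives you."""
    return data.count(literal)


def condition_holds(count: int, minimum: int) -> bool:
    """Model the YARA condition '#s >= minimum'."""
    return count >= minimum


def at_least_n_regex(pattern: bytes, n: int) -> bytes:
    """Assumed workaround (my suggestion, not from the thread): require n
    ordered occurrences of the sub-pattern inside ONE regex, with anything
    in between, so a first-match engine only has to find one hit."""
    return b".*?".join([b"(?:" + pattern + b")"] * n)


def evaluate(data: bytes, pattern: bytes, literal: bytes, minimum: int) -> dict:
    """Evaluate '#x >= minimum' under each matching model for the same data."""
    return {
        "regex_first_match": condition_holds(
            count_matches(data, pattern, find_all=False), minimum),
        "regex_global": condition_holds(
            count_matches(data, pattern, find_all=True), minimum),
        "literal": condition_holds(count_literal(data, literal), minimum),
        # The folded pattern matches once (or not at all) even in
        # first-match mode, so a single hit answers the count question.
        "folded_regex": count_matches(
            data, at_least_n_regex(pattern, minimum), find_all=False) == 1,
    }


if __name__ == "__main__":
    for name, ok in evaluate(SAMPLE, rb"abc\d+", b"abc", 3).items():
        print(f"{name:20s} #x >= 3 -> {ok}")
```

Only the first-match line comes out false, which is the symptom in the original question: the data does contain five hits, but an engine that stops at the first one reports a count of 1. The folded pattern grows with the threshold and relies on backtracking, so keep the threshold small and the sub-pattern anchored if you try this approach on a real engine.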