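// Sample YARA file for Syntax Highlighting
// Obtained from: https://yara.readthedocs.io/en/stable/writingrules.html
//
// Review notes: every rule below is a syntax example copied from the YARA
// manual, not a production detection. Most conditions are deliberately loose
// (a single short string, no file-type or size guard), so expect false
// positives if any of them is deployed unchanged. Comments marked "NOTE" call
// out the practical caveats a rule author should keep in mind.

/*
    This is a multi-line comment ...
*/

rule silent_banker : banker
{
    meta:
        description = "This is just an example"
        threat_level = 3
        in_the_wild = true
    strings:
        $a = {6A 40 68 00 30 00 00 6A 14 8D 91}
        $b = {8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9}
        $c = "UVODFRYSIHLNWPEJXQZAKCBGMT"
    condition:
        // NOTE: any single string fires the rule. A real banker detection
        // would normally also gate on the MZ header / filesize (see IsPE and
        // FileSizeExample below) so the byte patterns are only matched in
        // executables.
        $a or $b or $c
}

rule dummy
{
    condition:
        // Never matches; useful as a placeholder or a negative reference.
        false
}

rule ExampleRule
{
    strings:
        $my_text_string = "text here"
        $my_hex_string = { E2 34 A1 C8 23 FB }

    condition:
        $my_text_string or $my_hex_string
}

// Hexadecimal strings

rule WildcardExample
{
    strings:
        // `??` matches any byte, `A?` any byte whose high nibble is 0xA.
        // NOTE: wildcards shrink the fixed "atom" YARA can search for;
        // keep at least a few literal bytes together or scanning slows down.
        $hex_string = { E2 34 ?? C8 A? FB }

    condition:
        $hex_string
}

rule JumpExample
{
    strings:
        // [4-6] skips between 4 and 6 arbitrary bytes between the two halves.
        $hex_string = { F4 23 [4-6] 62 B4 }

    condition:
        $hex_string
}

rule AlternativesExample
{
    strings:
        // ( A | B | C ) matches whichever alternative is present at that point.
        $hex_string = { F4 23 ( 62 B4 | 56 | 45 ?? 67 ) 45 }

    condition:
        $hex_string
}

// Text strings

rule CaseInsensitiveTextExample
{
    strings:
        $text_string = "foobar" nocase

    condition:
        $text_string
}

rule WideCharTextExample
{
    strings:
        // `wide` also matches the UTF-16LE form (one NUL after each char),
        // `ascii` keeps the plain form; together both encodings are searched.
        $wide_and_ascii_string = "Borland" wide ascii

    condition:
        $wide_and_ascii_string
}

// XOR strings

rule XorExample1
{
    strings:
        // Bare `xor` tries every single-byte key 0x00-0xff, so the plain
        // (key 0x00) string is matched as well; see XorExample5 to exclude it.
        $xor_string = "This program cannot" xor

    condition:
        $xor_string
}

rule XorExample2
{
    strings:
        // Hand-encoded equivalents of XorExample1 for keys 0x00, 0x01, 0x02.
        $xor_string_00 = "This program cannot"
        $xor_string_01 = "Uihr!qsnfs`l!b`oonu"
        $xor_string_02 = "Vjkq\"rpmepco\"acllmv"
        // Repeat for every single byte XOR
    condition:
        any of them
}

rule XorExample3
{
    strings:
        // XOR applied to both the ascii and the wide form of the string.
        $xor_string = "This program cannot" xor wide ascii
    condition:
        $xor_string
}

rule XorExample4
{
    strings:
        // Hand-encoded wide equivalents of XorExample3: the NUL padding bytes
        // are XORed with the key too, hence \x00, \x01, \x02 between chars.
        $xor_string_00 = "T\x00h\x00i\x00s\x00 \x00p\x00r\x00o\x00g\x00r\x00a\x00m\x00 \x00c\x00a\x00n\x00n\x00o\x00t\x00"
        $xor_string_01 = "U\x01i\x01h\x01r\x01!\x01q\x01s\x01n\x01f\x01s\x01`\x01l\x01!\x01b\x01`\x01o\x01o\x01n\x01u\x01"
        $xor_string_02 = "V\x02j\x02k\x02q\x02\"\x02r\x02p\x02m\x02e\x02p\x02c\x02o\x02\"\x02a\x02c\x02l\x02l\x02m\x02v\x02"
        // Repeat for every single byte XOR operation.
    condition:
        any of them
}

rule XorExample5
{
    strings:
        // Key range starts at 0x01 so the unencoded string (key 0x00) does
        // not fire this "XOR-obfuscated" rule.
        $xor_string = "This program cannot" xor(0x01-0xff)
    condition:
        $xor_string
}

// Base64 strings

rule Base64Example1
{
    strings:
        // Matches the string in all three base64 alignments.
        $a = "This program cannot" base64

    condition:
        $a
}

rule Base64Example2
{
    strings:
        // Custom alphabet for non-standard base64 variants. The alphabet must
        // be exactly 64 distinct bytes (this one is), otherwise compilation
        // fails.
        $a = "This program cannot" base64("!@#$%^&*(){}[].,|ABCDEFGHIJ\x09LMNOPQRSTUVWXYZabcdefghijklmnopqrstu")

    condition:
        $a
}

// Regular expressions

rule RegExpExample1
{
    strings:
        // NOTE: regexes are the slowest string type; the literal prefixes
        // ("md5: ", "state: ") are what let YARA search them efficiently.
        $re1 = /md5: [0-9a-fA-F]{32}/
        $re2 = /state: (on|off)/

    condition:
        $re1 and $re2
}

// Conditions

rule Example
{
    strings:
        $a = "text1"
        $b = "text2"
        $c = "text3"
        $d = "text4"

    condition:
        ($a or $b) and ($c or $d)
}

rule CountExample
{
    strings:
        $a = "dummy1"
        $b = "dummy2"

    condition:
        // #x is the number of occurrences of string $x in the scanned data.
        #a == 6 and #b > 10
}


rule AtExample
{
    strings:
        $a = "dummy1"
        $b = "dummy2"

    condition:
        // `at` requires an occurrence starting exactly at that offset.
        $a at 100 and $b at 200
}

rule InExample
{
    strings:
        $a = "dummy1"
        $b = "dummy2"

    condition:
        // `in (lo..hi)` requires an occurrence starting within the range.
        $a in (0..100) and $b in (100..filesize)
}

// File size

rule FileSizeExample
{
    condition:
        // NOTE: filesize is only meaningful when scanning files; when
        // scanning process memory it is not a file length.
        filesize > 200KB
}

// Executable entry point

rule EntryPointExample
{
    strings:
        $a = { 9C 50 66 A1 ?? ?? ?? 00 66 A9 ?? ?? 58 0F 85 }

    condition:
        // NOTE: the YARA documentation marks `entrypoint` as deprecated in
        // favour of `pe.entry_point` / `elf.entry_point` from the respective
        // modules (which require `import "pe"` / `import "elf"`). Kept here
        // as in the manual; `entrypoint` is undefined for non-executables,
        // so the rule simply does not match them.
        $a in (entrypoint..entrypoint + 10)
}


// Accessing data at a given position

rule IsPE
{
    condition:
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        // ... PE signature at offset stored in MZ header at 0x3C
        // NOTE: if e_lfanew points past the end of the data, uint32() is
        // undefined and the rule evaluates to false rather than erroring.
        // In production prefer `pe.is_pe` from the pe module, which also
        // validates the rest of the headers.
        uint32(uint32(0x3C)) == 0x00004550
}

// Sets of strings

rule OfExample1
{
    strings:
        $a = "dummy1"
        $b = "dummy2"
        $c = "dummy3"

    condition:
        2 of ($a,$b,$c)
}

rule OfExample2
{
    strings:
        $foo1 = "foo1"
        $foo2 = "foo2"
        $foo3 = "foo3"

    condition:
        2 of ($foo*) // equivalent to 2 of ($foo1,$foo2,$foo3)
}

rule OfExample3
{
    strings:
        $a = "dummy1"
        $b = "dummy2"
        $c = "dummy3"

    condition:
        1 of them // equivalent to 1 of ($*)
}

// Iterating over string occurrences

rule Occurrences
{
    strings:
        $a = "dummy1"
        $b = "dummy2"

    condition:
        // @x[i] is the offset of the i-th occurrence (1-based). When fewer
        // than three occurrences exist the offset is undefined and the loop
        // body is not true, so the rule is false either way; the explicit
        // count check just makes that requirement visible to the reader.
        #a >= 3 and #b >= 3 and
        for all i in (1,2,3) : ( @a[i] + 10 == @b[i] )
}

// Referencing other rules

rule Rule1
{
    strings:
        $a = "dummy1"

    condition:
        $a
}

rule Rule2
{
    strings:
        $a = "dummy2"

    condition:
        // A referenced rule must be defined earlier in the same compilation.
        $a and Rule1
}

// Metadata

rule MetadataExample
{
    meta:
        // Metadata is informational only; it never affects matching.
        my_identifier_1 = "Some string data"
        my_identifier_2 = 24
        my_identifier_3 = true

    strings:
        $my_text_string = "text here"
        $my_hex_string = { E2 34 A1 C8 23 FB }

    condition:
        $my_text_string or $my_hex_string
}

// External variables
//
// NOTE: external variables must be supplied at compile/scan time (e.g.
// `yara -d ext_var=10 ...` or the equivalent API call); a rule that refers to
// an undefined external will not compile.

rule ExternalVariableExample1
{
    condition:
        ext_var == 10
}

rule ExternalVariableExample2
{
    condition:
        bool_ext_var or filesize < int_ext_var
}

rule ExternalVariableExample3
{
    condition:
        string_ext_var contains "text"
}

rule ExternalVariableExample4
{
    condition:
        string_ext_var matches /[a-z]+/
}

rule ExternalVariableExample5
{
    condition:
        /* case insensitive single-line mode */
        string_ext_var matches /[a-z]+/is
}

// Including files
//
// NOTE: include paths are resolved relative to the including file. Pulling
// rules from outside the rule set's own directory (the `../` form below)
// means anyone who can write to that location can change what this rule set
// detects; keep included files under the same change control as this one.

include "other.yar"
include "./includes/other.yar"
include "../includes/other.yar"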