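<!DOCTYPE html>
<!--
  Highlighted rendering of test.yara; the generator meta tag below names the
  producer (KF5::SyntaxHighlighting, YARA definition, Breeze Dark theme).
  The rules inside <pre> are illustrative samples that exercise the highlighter;
  per the listing's own header comment they come from the YARA "writing rules"
  documentation, and they are not detection content to deploy as-is.
  Markup-significant characters in the rule text (&, <, >) are written as
  character references so that YARA operators and string literals can never be
  parsed as HTML.
-->
<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>test.yara</title>
<meta name="generator" content="KF5::SyntaxHighlighting - Definition (YARA) - Theme (Breeze Dark)"/>
</head><body style="background-color:#232629;color:#cfcfc2"><pre>
<span style="color:#7a7c7d;">// Sample YARA file for Syntax Highlighting</span>
<span style="color:#7a7c7d;">// Obtained from: https://yara.readthedocs.io/en/stable/writingrules.html</span>

<span style="color:#7a7c7d;">/*</span>
<span style="color:#7a7c7d;"> This is a multi-line comment ...</span>
<span style="color:#7a7c7d;">*/</span>

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">silent_banker</span> : banker
{
    <span style="font-weight:bold;">meta</span>:
        description = <span style="color:#f44f4f;">"This is just an example"</span>
        threat_level = <span style="color:#f67400;">3</span>
        in_the_wild = <span style="color:#27aeae;font-weight:bold;">true</span>
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$a</span> = {<span style="color:#da4453;">6A 40 68 00 30 00 00 6A 14 8D 91</span>}
        <span style="color:#27aeae;">$b</span> = {<span style="color:#da4453;">8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9</span>}
        <span style="color:#27aeae;">$c</span> = <span style="color:#f44f4f;">"UVODFRYSIHLNWPEJXQZAKCBGMT"</span>
    <span style="font-weight:bold;">condition</span>:
        <span style="color:#27aeae;">$a</span> <span style="font-weight:bold;">or</span> <span style="color:#27aeae;">$b</span> <span style="font-weight:bold;">or</span> <span style="color:#27aeae;">$c</span>
}

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">dummy</span>
{
    <span style="font-weight:bold;">condition</span>:
        <span style="color:#27aeae;font-weight:bold;">false</span>
}

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">ExampleRule</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$my_text_string</span> = <span style="color:#f44f4f;">"text here"</span>
        <span style="color:#27aeae;">$my_hex_string</span> = {<span style="color:#da4453;"> E2 34 A1 C8 23 FB </span>}

    <span style="font-weight:bold;">condition</span>:
        <span style="color:#27aeae;">$my_text_string</span> <span style="font-weight:bold;">or</span> <span style="color:#27aeae;">$my_hex_string</span>
}

<span style="color:#7a7c7d;">// Hexadecimal strings</span>

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">WildcardExample</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$hex_string</span> = {<span style="color:#da4453;"> E2 34 ?? C8 A? FB </span>}

    <span style="font-weight:bold;">condition</span>:
        <span style="color:#27aeae;">$hex_string</span>
}

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">JumpExample</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$hex_string</span> = {<span style="color:#da4453;"> F4 23 </span>[<span style="color:#f67400;">4</span>-<span style="color:#f67400;">6</span>]<span style="color:#da4453;"> 62 B4 </span>}

    <span style="font-weight:bold;">condition</span>:
        <span style="color:#27aeae;">$hex_string</span>
}

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">AlternativesExample</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$hex_string</span> = {<span style="color:#da4453;"> F4 23 </span>(<span style="color:#da4453;"> 62 B4 </span>|<span style="color:#da4453;"> 56 </span>|<span style="color:#da4453;"> 45 ?? 67 </span>)<span style="color:#da4453;"> 45 </span>}

    <span style="font-weight:bold;">condition</span>:
        <span style="color:#27aeae;">$hex_string</span>
}

<span style="color:#7a7c7d;">// Text strings</span>

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">CaseInsensitiveTextExample</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$text_string</span> = <span style="color:#f44f4f;">"foobar"</span> <span style="font-weight:bold;">nocase</span>

    <span style="font-weight:bold;">condition</span>:
        <span style="color:#27aeae;">$text_string</span>
}

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">WideCharTextExample</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$wide_and_ascii_string</span> = <span style="color:#f44f4f;">"Borland"</span> <span style="font-weight:bold;">wide</span> <span style="font-weight:bold;">ascii</span>

    <span style="font-weight:bold;">condition</span>:
        <span style="color:#27aeae;">$wide_and_ascii_string</span>
}

<span style="color:#7a7c7d;">// XOR strings</span>

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">XorExample1</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$xor_string</span> = <span style="color:#f44f4f;">"This program cannot"</span> <span style="font-weight:bold;">xor</span>

    <span style="font-weight:bold;">condition</span>:
        <span style="color:#27aeae;">$xor_string</span>
}

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">XorExample2</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$xor_string_00</span> = <span style="color:#f44f4f;">"This program cannot"</span>
        <span style="color:#27aeae;">$xor_string_01</span> = <span style="color:#f44f4f;">"Uihr!qsnfs`l!b`oonu"</span>
        <span style="color:#27aeae;">$xor_string_02</span> = <span style="color:#f44f4f;">"Vjkq</span><span style="color:#3daee9;">\"</span><span style="color:#f44f4f;">rpmepco</span><span style="color:#3daee9;">\"</span><span style="color:#f44f4f;">acllmv"</span>
        <span style="color:#7a7c7d;">// Repeat for every single byte XOR</span>
    <span style="font-weight:bold;">condition</span>:
        <span style="font-weight:bold;">any</span> <span style="font-weight:bold;">of</span> <span style="font-weight:bold;">them</span>
}

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">XorExample3</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$xor_string</span> = <span style="color:#f44f4f;">"This program cannot"</span> <span style="font-weight:bold;">xor</span> <span style="font-weight:bold;">wide</span> <span style="font-weight:bold;">ascii</span>
    <span style="font-weight:bold;">condition</span>:
        <span style="color:#27aeae;">$xor_string</span>
}

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">XorExample4</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$xor_string_00</span> = <span style="color:#f44f4f;">"T</span><span style="color:#3daee9;">\x00</span><span style="color:#f44f4f;">h</span><span style="color:#3daee9;">\x00</span><span style="color:#f44f4f;">i</span><span style="color:#3daee9;">\x00</span><span style="color:#f44f4f;">s</span><span style="color:#3daee9;">\x00</span><span style="color:#f44f4f;"> </span><span style="color:#3daee9;">\x00</span><span style="color:#f44f4f;">p</span><span style="color:#3daee9;">\x00</span><span style="color:#f44f4f;">r</span><span style="color:#3daee9;">\x00</span><span style="color:#f44f4f;">o</span><span style="color:#3daee9;">\x00</span><span style="color:#f44f4f;">g</span><span style="color:#3daee9;">\x00</span><span style="color:#f44f4f;">r</span><span style="color:#3daee9;">\x00</span><span style="color:#f44f4f;">a</span><span style="color:#3daee9;">\x00</span><span style="color:#f44f4f;">m</span><span style="color:#3daee9;">\x00</span><span style="color:#f44f4f;"> </span><span style="color:#3daee9;">\x00</span><span style="color:#f44f4f;">c</span><span style="color:#3daee9;">\x00</span><span style="color:#f44f4f;">a</span><span style="color:#3daee9;">\x00</span><span style="color:#f44f4f;">n</span><span style="color:#3daee9;">\x00</span><span style="color:#f44f4f;">n</span><span style="color:#3daee9;">\x00</span><span style="color:#f44f4f;">o</span><span style="color:#3daee9;">\x00</span><span style="color:#f44f4f;">t</span><span style="color:#3daee9;">\x00</span><span style="color:#f44f4f;">"</span>
        <span style="color:#27aeae;">$xor_string_01</span> = <span style="color:#f44f4f;">"U</span><span style="color:#3daee9;">\x01</span><span style="color:#f44f4f;">i</span><span style="color:#3daee9;">\x01</span><span style="color:#f44f4f;">h</span><span style="color:#3daee9;">\x01</span><span style="color:#f44f4f;">r</span><span style="color:#3daee9;">\x01</span><span style="color:#f44f4f;">!</span><span style="color:#3daee9;">\x01</span><span style="color:#f44f4f;">q</span><span style="color:#3daee9;">\x01</span><span style="color:#f44f4f;">s</span><span style="color:#3daee9;">\x01</span><span style="color:#f44f4f;">n</span><span style="color:#3daee9;">\x01</span><span style="color:#f44f4f;">f</span><span style="color:#3daee9;">\x01</span><span style="color:#f44f4f;">s</span><span style="color:#3daee9;">\x01</span><span style="color:#f44f4f;">`</span><span style="color:#3daee9;">\x01</span><span style="color:#f44f4f;">l</span><span style="color:#3daee9;">\x01</span><span style="color:#f44f4f;">!</span><span style="color:#3daee9;">\x01</span><span style="color:#f44f4f;">b</span><span style="color:#3daee9;">\x01</span><span style="color:#f44f4f;">`</span><span style="color:#3daee9;">\x01</span><span style="color:#f44f4f;">o</span><span style="color:#3daee9;">\x01</span><span style="color:#f44f4f;">o</span><span style="color:#3daee9;">\x01</span><span style="color:#f44f4f;">n</span><span style="color:#3daee9;">\x01</span><span style="color:#f44f4f;">u</span><span style="color:#3daee9;">\x01</span><span style="color:#f44f4f;">"</span>
        <span style="color:#27aeae;">$xor_string_02</span> = <span style="color:#f44f4f;">"V</span><span style="color:#3daee9;">\x02</span><span style="color:#f44f4f;">j</span><span style="color:#3daee9;">\x02</span><span style="color:#f44f4f;">k</span><span style="color:#3daee9;">\x02</span><span style="color:#f44f4f;">q</span><span style="color:#3daee9;">\x02\"\x02</span><span style="color:#f44f4f;">r</span><span style="color:#3daee9;">\x02</span><span style="color:#f44f4f;">p</span><span style="color:#3daee9;">\x02</span><span style="color:#f44f4f;">m</span><span style="color:#3daee9;">\x02</span><span style="color:#f44f4f;">e</span><span style="color:#3daee9;">\x02</span><span style="color:#f44f4f;">p</span><span style="color:#3daee9;">\x02</span><span style="color:#f44f4f;">c</span><span style="color:#3daee9;">\x02</span><span style="color:#f44f4f;">o</span><span style="color:#3daee9;">\x02\"\x02</span><span style="color:#f44f4f;">a</span><span style="color:#3daee9;">\x02</span><span style="color:#f44f4f;">c</span><span style="color:#3daee9;">\x02</span><span style="color:#f44f4f;">l</span><span style="color:#3daee9;">\x02</span><span style="color:#f44f4f;">l</span><span style="color:#3daee9;">\x02</span><span style="color:#f44f4f;">m</span><span style="color:#3daee9;">\x02</span><span style="color:#f44f4f;">v</span><span style="color:#3daee9;">\x02</span><span style="color:#f44f4f;">"</span>
        <span style="color:#7a7c7d;">// Repeat for every single byte XOR operation.</span>
    <span style="font-weight:bold;">condition</span>:
        <span style="font-weight:bold;">any</span> <span style="font-weight:bold;">of</span> <span style="font-weight:bold;">them</span>
}

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">XorExample5</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$xor_string</span> = <span style="color:#f44f4f;">"This program cannot"</span> <span style="font-weight:bold;">xor</span>(<span style="color:#f67400;">0x01</span>-<span style="color:#f67400;">0xff</span>)
    <span style="font-weight:bold;">condition</span>:
        <span style="color:#27aeae;">$xor_string</span>
}

<span style="color:#7a7c7d;">// Base64 strings</span>

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">Base64Example1</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$a</span> = <span style="color:#f44f4f;">"This program cannot"</span> <span style="font-weight:bold;">base64</span>

    <span style="font-weight:bold;">condition</span>:
        <span style="color:#27aeae;">$a</span>
}

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">Base64Example2</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$a</span> = <span style="color:#f44f4f;">"This program cannot"</span> <span style="font-weight:bold;">base64</span>(<span style="color:#f44f4f;">"!@#$%^&amp;*(){}[].,|ABCDEFGHIJ</span><span style="color:#3daee9;">\x09</span><span style="color:#f44f4f;">LMNOPQRSTUVWXYZabcdefghijklmnopqrstu"</span>)

    <span style="font-weight:bold;">condition</span>:
        <span style="color:#27aeae;">$a</span>
}

<span style="color:#7a7c7d;">// Regular expressions</span>

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">RegExpExample1</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$re1</span> = <span style="color:#da4453;">/</span><span style="color:#da4453;">md5: </span><span style="color:#3daee9;">[0-9a-fA-F]</span><span style="color:#3daee9;">{32}</span><span style="color:#da4453;">/</span>
        <span style="color:#27aeae;">$re2</span> = <span style="color:#da4453;">/</span><span style="color:#da4453;">state: </span><span style="color:#3daee9;">(</span><span style="color:#da4453;">on</span><span style="color:#3daee9;">|</span><span style="color:#da4453;">off</span><span style="color:#3daee9;">)</span><span style="color:#da4453;">/</span>

    <span style="font-weight:bold;">condition</span>:
        <span style="color:#27aeae;">$re1</span> <span style="font-weight:bold;">and</span> <span style="color:#27aeae;">$re2</span>
}

<span style="color:#7a7c7d;">// Conditions</span>

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">Example</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$a</span> = <span style="color:#f44f4f;">"text1"</span>
        <span style="color:#27aeae;">$b</span> = <span style="color:#f44f4f;">"text2"</span>
        <span style="color:#27aeae;">$c</span> = <span style="color:#f44f4f;">"text3"</span>
        <span style="color:#27aeae;">$d</span> = <span style="color:#f44f4f;">"text4"</span>

    <span style="font-weight:bold;">condition</span>:
        (<span style="color:#27aeae;">$a</span> <span style="font-weight:bold;">or</span> <span style="color:#27aeae;">$b</span>) <span style="font-weight:bold;">and</span> (<span style="color:#27aeae;">$c</span> <span style="font-weight:bold;">or</span> <span style="color:#27aeae;">$d</span>)
}

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">CountExample</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$a</span> = <span style="color:#f44f4f;">"dummy1"</span>
        <span style="color:#27aeae;">$b</span> = <span style="color:#f44f4f;">"dummy2"</span>

    <span style="font-weight:bold;">condition</span>:
        #a == <span style="color:#f67400;">6</span> <span style="font-weight:bold;">and</span> #b &gt; <span style="color:#f67400;">10</span>
}


<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">AtExample</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$a</span> = <span style="color:#f44f4f;">"dummy1"</span>
        <span style="color:#27aeae;">$b</span> = <span style="color:#f44f4f;">"dummy2"</span>

    <span style="font-weight:bold;">condition</span>:
        <span style="color:#27aeae;">$a</span> <span style="font-weight:bold;">at</span> <span style="color:#f67400;">100</span> <span style="font-weight:bold;">and</span> <span style="color:#27aeae;">$b</span> <span style="font-weight:bold;">at</span> <span style="color:#f67400;">200</span>
}

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">InExample</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$a</span> = <span style="color:#f44f4f;">"dummy1"</span>
        <span style="color:#27aeae;">$b</span> = <span style="color:#f44f4f;">"dummy2"</span>

    <span style="font-weight:bold;">condition</span>:
        <span style="color:#27aeae;">$a</span> <span style="font-weight:bold;">in</span> (<span style="color:#f67400;">0..100</span>) <span style="font-weight:bold;">and</span> <span style="color:#27aeae;">$b</span> <span style="font-weight:bold;">in</span> (<span style="color:#f67400;">100.</span>.<span style="font-weight:bold;">filesize</span>)
}

<span style="color:#7a7c7d;">// File size</span>

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">FileSizeExample</span>
{
    <span style="font-weight:bold;">condition</span>:
        <span style="font-weight:bold;">filesize</span> &gt; <span style="color:#f67400;">200</span>KB
}

<span style="color:#7a7c7d;">// Executable entry point</span>

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">EntryPointExample</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$a</span> = {<span style="color:#da4453;"> 9C 50 66 A1 ?? ?? ?? 00 66 A9 ?? ?? 58 0F 85 </span>}

    <span style="font-weight:bold;">condition</span>:
        <span style="color:#27aeae;">$a</span> <span style="font-weight:bold;">in</span> (<span style="font-weight:bold;">entrypoint</span>..<span style="font-weight:bold;">entrypoint</span> + <span style="color:#f67400;">10</span>)
}


<span style="color:#7a7c7d;">// Accessing data at a given position</span>

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">IsPE</span>
{
    <span style="font-weight:bold;">condition</span>:
        <span style="color:#7a7c7d;">// MZ signature at offset 0 and ...</span>
        <span style="font-weight:bold;">uint16</span>(<span style="color:#f67400;">0</span>) == <span style="color:#f67400;">0x5A4D</span> <span style="font-weight:bold;">and</span>
        <span style="color:#7a7c7d;">// ... PE signature at offset stored in MZ header at 0x3C</span>
        <span style="font-weight:bold;">uint32</span>(<span style="font-weight:bold;">uint32</span>(<span style="color:#f67400;">0x3C</span>)) == <span style="color:#f67400;">0x00004550</span>
}

<span style="color:#7a7c7d;">// Sets of strings</span>

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">OfExample1</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$a</span> = <span style="color:#f44f4f;">"dummy1"</span>
        <span style="color:#27aeae;">$b</span> = <span style="color:#f44f4f;">"dummy2"</span>
        <span style="color:#27aeae;">$c</span> = <span style="color:#f44f4f;">"dummy3"</span>

    <span style="font-weight:bold;">condition</span>:
        <span style="color:#f67400;">2</span> <span style="font-weight:bold;">of</span> (<span style="color:#27aeae;">$a</span>,<span style="color:#27aeae;">$b</span>,<span style="color:#27aeae;">$c</span>)
}

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">OfExample2</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$foo1</span> = <span style="color:#f44f4f;">"foo1"</span>
        <span style="color:#27aeae;">$foo2</span> = <span style="color:#f44f4f;">"foo2"</span>
        <span style="color:#27aeae;">$foo3</span> = <span style="color:#f44f4f;">"foo3"</span>

    <span style="font-weight:bold;">condition</span>:
        <span style="color:#f67400;">2</span> <span style="font-weight:bold;">of</span> (<span style="color:#27aeae;">$foo</span>*) <span style="color:#7a7c7d;">// equivalent to 2 of ($foo1,$foo2,$foo3)</span>
}

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">OfExample3</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$a</span> = <span style="color:#f44f4f;">"dummy1"</span>
        <span style="color:#27aeae;">$b</span> = <span style="color:#f44f4f;">"dummy2"</span>
        <span style="color:#27aeae;">$c</span> = <span style="color:#f44f4f;">"dummy3"</span>

    <span style="font-weight:bold;">condition</span>:
        <span style="color:#f67400;">1</span> <span style="font-weight:bold;">of</span> <span style="font-weight:bold;">them</span> <span style="color:#7a7c7d;">// equivalent to 1 of ($*)</span>
}

<span style="color:#7a7c7d;">// Iterating over string occurrences</span>

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">Occurrences</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$a</span> = <span style="color:#f44f4f;">"dummy1"</span>
        <span style="color:#27aeae;">$b</span> = <span style="color:#f44f4f;">"dummy2"</span>

    <span style="font-weight:bold;">condition</span>:
        <span style="font-weight:bold;">for</span> <span style="font-weight:bold;">all</span> i <span style="font-weight:bold;">in</span> (<span style="color:#f67400;">1</span>,<span style="color:#f67400;">2</span>,<span style="color:#f67400;">3</span>) : ( @a[i] + <span style="color:#f67400;">10</span> == @b[i] )
}

<span style="color:#7a7c7d;">// Referencing other rules</span>

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">Rule1</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$a</span> = <span style="color:#f44f4f;">"dummy1"</span>

    <span style="font-weight:bold;">condition</span>:
        <span style="color:#27aeae;">$a</span>
}

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">Rule2</span>
{
    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$a</span> = <span style="color:#f44f4f;">"dummy2"</span>

    <span style="font-weight:bold;">condition</span>:
        <span style="color:#27aeae;">$a</span> <span style="font-weight:bold;">and</span> Rule1
}

<span style="color:#7a7c7d;">// Metadata</span>

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">MetadataExample</span>
{
    <span style="font-weight:bold;">meta</span>:
        my_identifier_1 = <span style="color:#f44f4f;">"Some string data"</span>
        my_identifier_2 = <span style="color:#f67400;">24</span>
        my_identifier_3 = <span style="color:#27aeae;font-weight:bold;">true</span>

    <span style="font-weight:bold;">strings</span>:
        <span style="color:#27aeae;">$my_text_string</span> = <span style="color:#f44f4f;">"text here"</span>
        <span style="color:#27aeae;">$my_hex_string</span> = {<span style="color:#da4453;"> E2 34 A1 C8 23 FB </span>}

    <span style="font-weight:bold;">condition</span>:
        <span style="color:#27aeae;">$my_text_string</span> <span style="font-weight:bold;">or</span> <span style="color:#27aeae;">$my_hex_string</span>
}

<span style="color:#7a7c7d;">// External variables</span>

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">ExternalVariableExample1</span>
{
    <span style="font-weight:bold;">condition</span>:
        ext_var == <span style="color:#f67400;">10</span>
}

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">ExternalVariableExample2</span>
{
    <span style="font-weight:bold;">condition</span>:
        bool_ext_var <span style="font-weight:bold;">or</span> <span style="font-weight:bold;">filesize</span> &lt; int_ext_var
}

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">ExternalVariableExample3</span>
{
    <span style="font-weight:bold;">condition</span>:
        string_ext_var <span style="font-weight:bold;">contains</span> <span style="color:#f44f4f;">"text"</span>
}

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">ExternalVariableExample4</span>
{
    <span style="font-weight:bold;">condition</span>:
        string_ext_var <span style="font-weight:bold;">matches</span> <span style="color:#da4453;">/</span><span style="color:#3daee9;">[a-z]</span><span style="color:#3daee9;">+</span><span style="color:#da4453;">/</span>
}

<span style="font-weight:bold;">rule</span> <span style="color:#8e44ad;">ExternalVariableExample5</span>
{
    <span style="font-weight:bold;">condition</span>:
        <span style="color:#7a7c7d;">/* case insensitive single-line mode */</span>
        string_ext_var <span style="font-weight:bold;">matches</span> <span style="color:#da4453;">/</span><span style="color:#3daee9;">[a-z]</span><span style="color:#3daee9;">+</span><span style="color:#da4453;">/is</span>
}

<span style="color:#7a7c7d;">// Including files</span>

<span style="font-weight:bold;">include</span> <span style="color:#f44f4f;">"other.yar"</span>
<span style="font-weight:bold;">include</span> <span style="color:#f44f4f;">"./includes/other.yar"</span>
<span style="font-weight:bold;">include</span> <span style="color:#f44f4f;">"../includes/other.yar"</span>
</pre></body></html>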