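<!doctype html>
<html lang="en"><head>
<!-- Syntax-highlighting reference rendering of test.yara (see the generator meta below).
     The <pre> body is the highlighted YARA source; every token colour is an inline style
     emitted per token by the generator. The rules are the documentation examples named in
     the file's own header comment. Literal <, > and & inside the <pre> text are escaped as
     entities so the markup stays well-formed. -->
<meta charset="utf-8">
<title>test.yara</title>
<meta name="generator" content="KF5::SyntaxHighlighting - Definition (YARA) - Theme (Breeze Light)">
</head><body style="background-color:#ffffff;color:#1f1c1b"><pre>
<span style="color:#898887">// Sample YARA file for Syntax Highlighting</span>
<span style="color:#898887">// Obtained from: https://yara.readthedocs.io/en/stable/writingrules.html</span>

<span style="color:#898887">/*</span>
<span style="color:#898887"> This is a multi-line comment ...</span>
<span style="color:#898887">*/</span>

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">silent_banker</span> : banker
{
    <span style="font-weight:bold">meta</span>:
        description = <span style="color:#bf0303">"This is just an example"</span>
        threat_level = <span style="color:#b08000">3</span>
        in_the_wild = <span style="color:#aa5500">true</span>
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$a</span> = {<span style="color:#ff5500">6A 40 68 00 30 00 00 6A 14 8D 91</span>}
        <span style="color:#0057ae">$b</span> = {<span style="color:#ff5500">8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9</span>}
        <span style="color:#0057ae">$c</span> = <span style="color:#bf0303">"UVODFRYSIHLNWPEJXQZAKCBGMT"</span>
    <span style="font-weight:bold">condition</span>:
        <span style="color:#0057ae">$a</span> <span style="font-weight:bold">or</span> <span style="color:#0057ae">$b</span> <span style="font-weight:bold">or</span> <span style="color:#0057ae">$c</span>
}

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">dummy</span>
{
    <span style="font-weight:bold">condition</span>:
        <span style="color:#aa5500">false</span>
}

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">ExampleRule</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$my_text_string</span> = <span style="color:#bf0303">"text here"</span>
        <span style="color:#0057ae">$my_hex_string</span> = {<span style="color:#ff5500"> E2 34 A1 C8 23 FB </span>}

    <span style="font-weight:bold">condition</span>:
        <span style="color:#0057ae">$my_text_string</span> <span style="font-weight:bold">or</span> <span style="color:#0057ae">$my_hex_string</span>
}

<span style="color:#898887">// Hexadecimal strings</span>

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">WildcardExample</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$hex_string</span> = {<span style="color:#ff5500"> E2 34 ?? C8 A? FB </span>}

    <span style="font-weight:bold">condition</span>:
        <span style="color:#0057ae">$hex_string</span>
}

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">JumpExample</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$hex_string</span> = {<span style="color:#ff5500"> F4 23 </span>[<span style="color:#b08000">4</span>-<span style="color:#b08000">6</span>]<span style="color:#ff5500"> 62 B4 </span>}

    <span style="font-weight:bold">condition</span>:
        <span style="color:#0057ae">$hex_string</span>
}

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">AlternativesExample</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$hex_string</span> = {<span style="color:#ff5500"> F4 23 </span>(<span style="color:#ff5500"> 62 B4 </span>|<span style="color:#ff5500"> 56 </span>|<span style="color:#ff5500"> 45 ?? 67 </span>)<span style="color:#ff5500"> 45 </span>}

    <span style="font-weight:bold">condition</span>:
        <span style="color:#0057ae">$hex_string</span>
}

<span style="color:#898887">// Text strings</span>

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">CaseInsensitiveTextExample</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$text_string</span> = <span style="color:#bf0303">"foobar"</span> <span style="font-weight:bold">nocase</span>

    <span style="font-weight:bold">condition</span>:
        <span style="color:#0057ae">$text_string</span>
}

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">WideCharTextExample</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$wide_and_ascii_string</span> = <span style="color:#bf0303">"Borland"</span> <span style="font-weight:bold">wide</span> <span style="font-weight:bold">ascii</span>

    <span style="font-weight:bold">condition</span>:
        <span style="color:#0057ae">$wide_and_ascii_string</span>
}

<span style="color:#898887">// XOR strings</span>

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">XorExample1</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$xor_string</span> = <span style="color:#bf0303">"This program cannot"</span> <span style="font-weight:bold">xor</span>

    <span style="font-weight:bold">condition</span>:
        <span style="color:#0057ae">$xor_string</span>
}

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">XorExample2</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$xor_string_00</span> = <span style="color:#bf0303">"This program cannot"</span>
        <span style="color:#0057ae">$xor_string_01</span> = <span style="color:#bf0303">"Uihr!qsnfs`l!b`oonu"</span>
        <span style="color:#0057ae">$xor_string_02</span> = <span style="color:#bf0303">"Vjkq</span><span style="color:#3daee9">\"</span><span style="color:#bf0303">rpmepco</span><span style="color:#3daee9">\"</span><span style="color:#bf0303">acllmv"</span>
        <span style="color:#898887">// Repeat for every single byte XOR</span>
    <span style="font-weight:bold">condition</span>:
        <span style="font-weight:bold">any</span> <span style="font-weight:bold">of</span> <span style="font-weight:bold">them</span>
}

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">XorExample3</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$xor_string</span> = <span style="color:#bf0303">"This program cannot"</span> <span style="font-weight:bold">xor</span> <span style="font-weight:bold">wide</span> <span style="font-weight:bold">ascii</span>
    <span style="font-weight:bold">condition</span>:
        <span style="color:#0057ae">$xor_string</span>
}

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">XorExample4</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$xor_string_00</span> = <span style="color:#bf0303">"T</span><span style="color:#3daee9">\x00</span><span style="color:#bf0303">h</span><span style="color:#3daee9">\x00</span><span style="color:#bf0303">i</span><span style="color:#3daee9">\x00</span><span style="color:#bf0303">s</span><span style="color:#3daee9">\x00</span><span style="color:#bf0303"> </span><span style="color:#3daee9">\x00</span><span style="color:#bf0303">p</span><span style="color:#3daee9">\x00</span><span style="color:#bf0303">r</span><span style="color:#3daee9">\x00</span><span style="color:#bf0303">o</span><span style="color:#3daee9">\x00</span><span style="color:#bf0303">g</span><span style="color:#3daee9">\x00</span><span style="color:#bf0303">r</span><span style="color:#3daee9">\x00</span><span style="color:#bf0303">a</span><span style="color:#3daee9">\x00</span><span style="color:#bf0303">m</span><span style="color:#3daee9">\x00</span><span style="color:#bf0303"> </span><span style="color:#3daee9">\x00</span><span style="color:#bf0303">c</span><span style="color:#3daee9">\x00</span><span style="color:#bf0303">a</span><span style="color:#3daee9">\x00</span><span style="color:#bf0303">n</span><span style="color:#3daee9">\x00</span><span style="color:#bf0303">n</span><span style="color:#3daee9">\x00</span><span style="color:#bf0303">o</span><span style="color:#3daee9">\x00</span><span style="color:#bf0303">t</span><span style="color:#3daee9">\x00</span><span style="color:#bf0303">"</span>
        <span style="color:#0057ae">$xor_string_01</span> = <span style="color:#bf0303">"U</span><span style="color:#3daee9">\x01</span><span style="color:#bf0303">i</span><span style="color:#3daee9">\x01</span><span style="color:#bf0303">h</span><span style="color:#3daee9">\x01</span><span style="color:#bf0303">r</span><span style="color:#3daee9">\x01</span><span style="color:#bf0303">!</span><span style="color:#3daee9">\x01</span><span style="color:#bf0303">q</span><span style="color:#3daee9">\x01</span><span style="color:#bf0303">s</span><span style="color:#3daee9">\x01</span><span style="color:#bf0303">n</span><span style="color:#3daee9">\x01</span><span style="color:#bf0303">f</span><span style="color:#3daee9">\x01</span><span style="color:#bf0303">s</span><span style="color:#3daee9">\x01</span><span style="color:#bf0303">`</span><span style="color:#3daee9">\x01</span><span style="color:#bf0303">l</span><span style="color:#3daee9">\x01</span><span style="color:#bf0303">!</span><span style="color:#3daee9">\x01</span><span style="color:#bf0303">b</span><span style="color:#3daee9">\x01</span><span style="color:#bf0303">`</span><span style="color:#3daee9">\x01</span><span style="color:#bf0303">o</span><span style="color:#3daee9">\x01</span><span style="color:#bf0303">o</span><span style="color:#3daee9">\x01</span><span style="color:#bf0303">n</span><span style="color:#3daee9">\x01</span><span style="color:#bf0303">u</span><span style="color:#3daee9">\x01</span><span style="color:#bf0303">"</span>
        <span style="color:#0057ae">$xor_string_02</span> = <span style="color:#bf0303">"V</span><span style="color:#3daee9">\x02</span><span style="color:#bf0303">j</span><span style="color:#3daee9">\x02</span><span style="color:#bf0303">k</span><span style="color:#3daee9">\x02</span><span style="color:#bf0303">q</span><span style="color:#3daee9">\x02\"\x02</span><span style="color:#bf0303">r</span><span style="color:#3daee9">\x02</span><span style="color:#bf0303">p</span><span style="color:#3daee9">\x02</span><span style="color:#bf0303">m</span><span style="color:#3daee9">\x02</span><span style="color:#bf0303">e</span><span style="color:#3daee9">\x02</span><span style="color:#bf0303">p</span><span style="color:#3daee9">\x02</span><span style="color:#bf0303">c</span><span style="color:#3daee9">\x02</span><span style="color:#bf0303">o</span><span style="color:#3daee9">\x02\"\x02</span><span style="color:#bf0303">a</span><span style="color:#3daee9">\x02</span><span style="color:#bf0303">c</span><span style="color:#3daee9">\x02</span><span style="color:#bf0303">l</span><span style="color:#3daee9">\x02</span><span style="color:#bf0303">l</span><span style="color:#3daee9">\x02</span><span style="color:#bf0303">m</span><span style="color:#3daee9">\x02</span><span style="color:#bf0303">v</span><span style="color:#3daee9">\x02</span><span style="color:#bf0303">"</span>
        <span style="color:#898887">// Repeat for every single byte XOR operation.</span>
    <span style="font-weight:bold">condition</span>:
        <span style="font-weight:bold">any</span> <span style="font-weight:bold">of</span> <span style="font-weight:bold">them</span>
}

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">XorExample5</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$xor_string</span> = <span style="color:#bf0303">"This program cannot"</span> <span style="font-weight:bold">xor</span>(<span style="color:#b08000">0x01</span>-<span style="color:#b08000">0xff</span>)
    <span style="font-weight:bold">condition</span>:
        <span style="color:#0057ae">$xor_string</span>
}

<span style="color:#898887">// Base64 strings</span>

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">Base64Example1</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$a</span> = <span style="color:#bf0303">"This program cannot"</span> <span style="font-weight:bold">base64</span>

    <span style="font-weight:bold">condition</span>:
        <span style="color:#0057ae">$a</span>
}

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">Base64Example2</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$a</span> = <span style="color:#bf0303">"This program cannot"</span> <span style="font-weight:bold">base64</span>(<span style="color:#bf0303">"!@#$%^&amp;*(){}[].,|ABCDEFGHIJ</span><span style="color:#3daee9">\x09</span><span style="color:#bf0303">LMNOPQRSTUVWXYZabcdefghijklmnopqrstu"</span>)

    <span style="font-weight:bold">condition</span>:
        <span style="color:#0057ae">$a</span>
}

<span style="color:#898887">// Regular expressions</span>

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">RegExpExample1</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$re1</span> = <span style="color:#ff5500">/</span><span style="color:#ff5500">md5: </span><span style="color:#3daee9">[0-9a-fA-F]</span><span style="color:#3daee9">{32}</span><span style="color:#ff5500">/</span>
        <span style="color:#0057ae">$re2</span> = <span style="color:#ff5500">/</span><span style="color:#ff5500">state: </span><span style="color:#3daee9">(</span><span style="color:#ff5500">on</span><span style="color:#3daee9">|</span><span style="color:#ff5500">off</span><span style="color:#3daee9">)</span><span style="color:#ff5500">/</span>

    <span style="font-weight:bold">condition</span>:
        <span style="color:#0057ae">$re1</span> <span style="font-weight:bold">and</span> <span style="color:#0057ae">$re2</span>
}

<span style="color:#898887">// Conditions</span>

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">Example</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$a</span> = <span style="color:#bf0303">"text1"</span>
        <span style="color:#0057ae">$b</span> = <span style="color:#bf0303">"text2"</span>
        <span style="color:#0057ae">$c</span> = <span style="color:#bf0303">"text3"</span>
        <span style="color:#0057ae">$d</span> = <span style="color:#bf0303">"text4"</span>

    <span style="font-weight:bold">condition</span>:
        (<span style="color:#0057ae">$a</span> <span style="font-weight:bold">or</span> <span style="color:#0057ae">$b</span>) <span style="font-weight:bold">and</span> (<span style="color:#0057ae">$c</span> <span style="font-weight:bold">or</span> <span style="color:#0057ae">$d</span>)
}

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">CountExample</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$a</span> = <span style="color:#bf0303">"dummy1"</span>
        <span style="color:#0057ae">$b</span> = <span style="color:#bf0303">"dummy2"</span>

    <span style="font-weight:bold">condition</span>:
        #a == <span style="color:#b08000">6</span> <span style="font-weight:bold">and</span> #b &gt; <span style="color:#b08000">10</span>
}


<span style="font-weight:bold">rule</span> <span style="color:#644a9b">AtExample</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$a</span> = <span style="color:#bf0303">"dummy1"</span>
        <span style="color:#0057ae">$b</span> = <span style="color:#bf0303">"dummy2"</span>

    <span style="font-weight:bold">condition</span>:
        <span style="color:#0057ae">$a</span> <span style="font-weight:bold">at</span> <span style="color:#b08000">100</span> <span style="font-weight:bold">and</span> <span style="color:#0057ae">$b</span> <span style="font-weight:bold">at</span> <span style="color:#b08000">200</span>
}

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">InExample</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$a</span> = <span style="color:#bf0303">"dummy1"</span>
        <span style="color:#0057ae">$b</span> = <span style="color:#bf0303">"dummy2"</span>

    <span style="font-weight:bold">condition</span>:
        <span style="color:#0057ae">$a</span> <span style="font-weight:bold">in</span> (<span style="color:#b08000">0..100</span>) <span style="font-weight:bold">and</span> <span style="color:#0057ae">$b</span> <span style="font-weight:bold">in</span> (<span style="color:#b08000">100.</span>.<span style="font-weight:bold">filesize</span>)
}

<span style="color:#898887">// File size</span>

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">FileSizeExample</span>
{
    <span style="font-weight:bold">condition</span>:
        <span style="font-weight:bold">filesize</span> &gt; <span style="color:#b08000">200</span>KB
}

<span style="color:#898887">// Executable entry point</span>

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">EntryPointExample</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$a</span> = {<span style="color:#ff5500"> 9C 50 66 A1 ?? ?? ?? 00 66 A9 ?? ?? 58 0F 85 </span>}

    <span style="font-weight:bold">condition</span>:
        <span style="color:#0057ae">$a</span> <span style="font-weight:bold">in</span> (<span style="font-weight:bold">entrypoint</span>..<span style="font-weight:bold">entrypoint</span> + <span style="color:#b08000">10</span>)
}


<span style="color:#898887">// Accessing data at a given position</span>

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">IsPE</span>
{
    <span style="font-weight:bold">condition</span>:
        <span style="color:#898887">// MZ signature at offset 0 and ...</span>
        <span style="font-weight:bold">uint16</span>(<span style="color:#b08000">0</span>) == <span style="color:#b08000">0x5A4D</span> <span style="font-weight:bold">and</span>
        <span style="color:#898887">// ... PE signature at offset stored in MZ header at 0x3C</span>
        <span style="font-weight:bold">uint32</span>(<span style="font-weight:bold">uint32</span>(<span style="color:#b08000">0x3C</span>)) == <span style="color:#b08000">0x00004550</span>
}

<span style="color:#898887">// Sets of strings</span>

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">OfExample1</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$a</span> = <span style="color:#bf0303">"dummy1"</span>
        <span style="color:#0057ae">$b</span> = <span style="color:#bf0303">"dummy2"</span>
        <span style="color:#0057ae">$c</span> = <span style="color:#bf0303">"dummy3"</span>

    <span style="font-weight:bold">condition</span>:
        <span style="color:#b08000">2</span> <span style="font-weight:bold">of</span> (<span style="color:#0057ae">$a</span>,<span style="color:#0057ae">$b</span>,<span style="color:#0057ae">$c</span>)
}

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">OfExample2</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$foo1</span> = <span style="color:#bf0303">"foo1"</span>
        <span style="color:#0057ae">$foo2</span> = <span style="color:#bf0303">"foo2"</span>
        <span style="color:#0057ae">$foo3</span> = <span style="color:#bf0303">"foo3"</span>

    <span style="font-weight:bold">condition</span>:
        <span style="color:#b08000">2</span> <span style="font-weight:bold">of</span> (<span style="color:#0057ae">$foo</span>*) <span style="color:#898887">// equivalent to 2 of ($foo1,$foo2,$foo3)</span>
}

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">OfExample3</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$a</span> = <span style="color:#bf0303">"dummy1"</span>
        <span style="color:#0057ae">$b</span> = <span style="color:#bf0303">"dummy2"</span>
        <span style="color:#0057ae">$c</span> = <span style="color:#bf0303">"dummy3"</span>

    <span style="font-weight:bold">condition</span>:
        <span style="color:#b08000">1</span> <span style="font-weight:bold">of</span> <span style="font-weight:bold">them</span> <span style="color:#898887">// equivalent to 1 of ($*)</span>
}

<span style="color:#898887">// Iterating over string occurrences</span>

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">Occurrences</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$a</span> = <span style="color:#bf0303">"dummy1"</span>
        <span style="color:#0057ae">$b</span> = <span style="color:#bf0303">"dummy2"</span>

    <span style="font-weight:bold">condition</span>:
        <span style="font-weight:bold">for</span> <span style="font-weight:bold">all</span> i <span style="font-weight:bold">in</span> (<span style="color:#b08000">1</span>,<span style="color:#b08000">2</span>,<span style="color:#b08000">3</span>) : ( @a[i] + <span style="color:#b08000">10</span> == @b[i] )
}

<span style="color:#898887">// Referencing other rules</span>

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">Rule1</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$a</span> = <span style="color:#bf0303">"dummy1"</span>

    <span style="font-weight:bold">condition</span>:
        <span style="color:#0057ae">$a</span>
}

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">Rule2</span>
{
    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$a</span> = <span style="color:#bf0303">"dummy2"</span>

    <span style="font-weight:bold">condition</span>:
        <span style="color:#0057ae">$a</span> <span style="font-weight:bold">and</span> Rule1
}

<span style="color:#898887">// Metadata</span>

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">MetadataExample</span>
{
    <span style="font-weight:bold">meta</span>:
        my_identifier_1 = <span style="color:#bf0303">"Some string data"</span>
        my_identifier_2 = <span style="color:#b08000">24</span>
        my_identifier_3 = <span style="color:#aa5500">true</span>

    <span style="font-weight:bold">strings</span>:
        <span style="color:#0057ae">$my_text_string</span> = <span style="color:#bf0303">"text here"</span>
        <span style="color:#0057ae">$my_hex_string</span> = {<span style="color:#ff5500"> E2 34 A1 C8 23 FB </span>}

    <span style="font-weight:bold">condition</span>:
        <span style="color:#0057ae">$my_text_string</span> <span style="font-weight:bold">or</span> <span style="color:#0057ae">$my_hex_string</span>
}

<span style="color:#898887">// External variables</span>

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">ExternalVariableExample1</span>
{
    <span style="font-weight:bold">condition</span>:
        ext_var == <span style="color:#b08000">10</span>
}

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">ExternalVariableExample2</span>
{
    <span style="font-weight:bold">condition</span>:
        bool_ext_var <span style="font-weight:bold">or</span> <span style="font-weight:bold">filesize</span> &lt; int_ext_var
}

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">ExternalVariableExample3</span>
{
    <span style="font-weight:bold">condition</span>:
        string_ext_var <span style="font-weight:bold">contains</span> <span style="color:#bf0303">"text"</span>
}

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">ExternalVariableExample4</span>
{
    <span style="font-weight:bold">condition</span>:
        string_ext_var <span style="font-weight:bold">matches</span> <span style="color:#ff5500">/</span><span style="color:#3daee9">[a-z]</span><span style="color:#3daee9">+</span><span style="color:#ff5500">/</span>
}

<span style="font-weight:bold">rule</span> <span style="color:#644a9b">ExternalVariableExample5</span>
{
    <span style="font-weight:bold">condition</span>:
        <span style="color:#898887">/* case insensitive single-line mode */</span>
        string_ext_var <span style="font-weight:bold">matches</span> <span style="color:#ff5500">/</span><span style="color:#3daee9">[a-z]</span><span style="color:#3daee9">+</span><span style="color:#ff5500">/is</span>
}

<span style="color:#898887">// Including files</span>

<span style="font-weight:bold">include</span> <span style="color:#bf0303">"other.yar"</span>
<span style="font-weight:bold">include</span> <span style="color:#bf0303">"./includes/other.yar"</span>
<span style="font-weight:bold">include</span> <span style="color:#bf0303">"../includes/other.yar"</span>
</pre></body></html>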