0001 <!DOCTYPE html>
<!--
  Highlighter reference output, not a hand-written page. Per the title and
  generator meta below (0004, 0005) this is KF5::SyntaxHighlighting rendering
  "test.yara" with the YARA definition and the Breeze Light theme. Each
  style="..." span is one highlighted token and the text inside <pre> is the
  YARA source itself, so the markup is left exactly as generated.
  The four-digit prefixes (0001 ...) appear to be listing line numbers added
  by whatever produced this listing; they are not part of the HTML.

  The rules are syntax samples: the source comment on 0008 points at the YARA
  "Writing rules" documentation and silent_banker describes itself as "just
  an example". Notes for anyone lifting them into a real rule set:

  * 0014-0026 silent_banker: the condition is "$a or $b or $c", so any one
    string on its own, including the 26-letter text string, satisfies it.
  * 0095-0140 XOR examples: the hand-expanded variants (comments on 0110 and
    0129) stand in for what the xor modifier does; per the YARA documentation
    the bare modifier covers every single-byte key, and the ranged form on
    0137, xor(0x01-0xff), leaves out key 0x00, i.e. the plain string.
  * 0156 Base64Example2: the custom alphabet is 64 characters long counting
    the \x09 escape, which is the length YARA documents for this argument.
  * 0235 EntryPointExample: the bare "entrypoint" keyword is marked deprecated
    in the YARA documentation in favour of the PE module's pe.entry_point.
    TODO confirm against the YARA version in use.
  * 0245-0247 IsPE: the second read takes its offset from the file being
    scanned (the value stored at 0x3C). Presumably an offset outside the file
    yields an undefined value and a non-matching rule. Verify before relying
    on it as a format gate.
  * 0336-0365 external variables: ext_var, bool_ext_var, int_ext_var and
    string_ext_var are not declared anywhere in this listing; they have to be
    supplied by the scanning tool or API when the rules are compiled.
  * 0369-0371 include: the three paths are relative and the included files
    are not part of this listing. Review or disable include processing when
    compiling rule files you did not author.

  NOTE(review): literal "&" (0156), ">" (0195, 0224) and "<" (0345) appear
  unescaped inside <pre> here. Confirm whether the generator emitted
  character references that were decoded later; rule text rendered into HTML
  should have these characters escaped.
-->
0002 <html><head>
0003 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
0004 <title>test.yara</title>
0005 <meta name="generator" content="KF5::SyntaxHighlighting - Definition (YARA) - Theme (Breeze Light)"/>
0006 </head><body style="background-color:#ffffff;color:#1f1c1b"><pre>
0007 <span style="color:#898887;">// Sample YARA file for Syntax Highlighting</span>
0008 <span style="color:#898887;">// Obtained from: https://yara.readthedocs.io/en/stable/writingrules.html</span>
0009
0010 <span style="color:#898887;">/*</span>
0011 <span style="color:#898887;"> This is a multi-line comment ...</span>
0012 <span style="color:#898887;">*/</span>
0013
0014 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">silent_banker</span> : banker
0015 {
0016 <span style="font-weight:bold;">meta</span>:
0017 description = <span style="color:#bf0303;">"This is just an example"</span>
0018 threat_level = <span style="color:#b08000;">3</span>
0019 in_the_wild = <span style="color:#aa5500;">true</span>
0020 <span style="font-weight:bold;">strings</span>:
0021 <span style="color:#0057ae;">$a</span> = {<span style="color:#ff5500;">6A 40 68 00 30 00 00 6A 14 8D 91</span>}
0022 <span style="color:#0057ae;">$b</span> = {<span style="color:#ff5500;">8D 4D B0 2B C1 83 C0 27 99 6A 4E 59 F7 F9</span>}
0023 <span style="color:#0057ae;">$c</span> = <span style="color:#bf0303;">"UVODFRYSIHLNWPEJXQZAKCBGMT"</span>
0024 <span style="font-weight:bold;">condition</span>:
0025 <span style="color:#0057ae;">$a</span> <span style="font-weight:bold;">or</span> <span style="color:#0057ae;">$b</span> <span style="font-weight:bold;">or</span> <span style="color:#0057ae;">$c</span>
0026 }
0027
0028 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">dummy</span>
0029 {
0030 <span style="font-weight:bold;">condition</span>:
0031 <span style="color:#aa5500;">false</span>
0032 }
0033
0034 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">ExampleRule</span>
0035 {
0036 <span style="font-weight:bold;">strings</span>:
0037 <span style="color:#0057ae;">$my_text_string</span> = <span style="color:#bf0303;">"text here"</span>
0038 <span style="color:#0057ae;">$my_hex_string</span> = {<span style="color:#ff5500;"> E2 34 A1 C8 23 FB </span>}
0039
0040 <span style="font-weight:bold;">condition</span>:
0041 <span style="color:#0057ae;">$my_text_string</span> <span style="font-weight:bold;">or</span> <span style="color:#0057ae;">$my_hex_string</span>
0042 }
0043
0044 <span style="color:#898887;">// Hexadecimal strings</span>
0045
0046 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">WildcardExample</span>
0047 {
0048 <span style="font-weight:bold;">strings</span>:
0049 <span style="color:#0057ae;">$hex_string</span> = {<span style="color:#ff5500;"> E2 34 ?? C8 A? FB </span>}
0050
0051 <span style="font-weight:bold;">condition</span>:
0052 <span style="color:#0057ae;">$hex_string</span>
0053 }
0054
0055 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">JumpExample</span>
0056 {
0057 <span style="font-weight:bold;">strings</span>:
0058 <span style="color:#0057ae;">$hex_string</span> = {<span style="color:#ff5500;"> F4 23 </span>[<span style="color:#b08000;">4</span>-<span style="color:#b08000;">6</span>]<span style="color:#ff5500;"> 62 B4 </span>}
0059
0060 <span style="font-weight:bold;">condition</span>:
0061 <span style="color:#0057ae;">$hex_string</span>
0062 }
0063
0064 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">AlternativesExample</span>
0065 {
0066 <span style="font-weight:bold;">strings</span>:
0067 <span style="color:#0057ae;">$hex_string</span> = {<span style="color:#ff5500;"> F4 23 </span>(<span style="color:#ff5500;"> 62 B4 </span>|<span style="color:#ff5500;"> 56 </span>|<span style="color:#ff5500;"> 45 ?? 67 </span>)<span style="color:#ff5500;"> 45 </span>}
0068
0069 <span style="font-weight:bold;">condition</span>:
0070 <span style="color:#0057ae;">$hex_string</span>
0071 }
0072
0073 <span style="color:#898887;">// Text strings</span>
0074
0075 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">CaseInsensitiveTextExample</span>
0076 {
0077 <span style="font-weight:bold;">strings</span>:
0078 <span style="color:#0057ae;">$text_string</span> = <span style="color:#bf0303;">"foobar"</span> <span style="font-weight:bold;">nocase</span>
0079
0080 <span style="font-weight:bold;">condition</span>:
0081 <span style="color:#0057ae;">$text_string</span>
0082 }
0083
0084 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">WideCharTextExample</span>
0085 {
0086 <span style="font-weight:bold;">strings</span>:
0087 <span style="color:#0057ae;">$wide_and_ascii_string</span> = <span style="color:#bf0303;">"Borland"</span> <span style="font-weight:bold;">wide</span> <span style="font-weight:bold;">ascii</span>
0088
0089 <span style="font-weight:bold;">condition</span>:
0090 <span style="color:#0057ae;">$wide_and_ascii_string</span>
0091 }
0092
0093 <span style="color:#898887;">// XOR strings</span>
0094
0095 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">XorExample1</span>
0096 {
0097 <span style="font-weight:bold;">strings</span>:
0098 <span style="color:#0057ae;">$xor_string</span> = <span style="color:#bf0303;">"This program cannot"</span> <span style="font-weight:bold;">xor</span>
0099
0100 <span style="font-weight:bold;">condition</span>:
0101 <span style="color:#0057ae;">$xor_string</span>
0102 }
0103
0104 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">XorExample2</span>
0105 {
0106 <span style="font-weight:bold;">strings</span>:
0107 <span style="color:#0057ae;">$xor_string_00</span> = <span style="color:#bf0303;">"This program cannot"</span>
0108 <span style="color:#0057ae;">$xor_string_01</span> = <span style="color:#bf0303;">"Uihr!qsnfs`l!b`oonu"</span>
0109 <span style="color:#0057ae;">$xor_string_02</span> = <span style="color:#bf0303;">"Vjkq</span><span style="color:#3daee9;">\"</span><span style="color:#bf0303;">rpmepco</span><span style="color:#3daee9;">\"</span><span style="color:#bf0303;">acllmv"</span>
0110 <span style="color:#898887;">// Repeat for every single byte XOR</span>
0111 <span style="font-weight:bold;">condition</span>:
0112 <span style="font-weight:bold;">any</span> <span style="font-weight:bold;">of</span> <span style="font-weight:bold;">them</span>
0113 }
0114
0115 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">XorExample3</span>
0116 {
0117 <span style="font-weight:bold;">strings</span>:
0118 <span style="color:#0057ae;">$xor_string</span> = <span style="color:#bf0303;">"This program cannot"</span> <span style="font-weight:bold;">xor</span> <span style="font-weight:bold;">wide</span> <span style="font-weight:bold;">ascii</span>
0119 <span style="font-weight:bold;">condition</span>:
0120 <span style="color:#0057ae;">$xor_string</span>
0121 }
0122
0123 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">XorExample4</span>
0124 {
0125 <span style="font-weight:bold;">strings</span>:
0126 <span style="color:#0057ae;">$xor_string_00</span> = <span style="color:#bf0303;">"T</span><span style="color:#3daee9;">\x00</span><span style="color:#bf0303;">h</span><span style="color:#3daee9;">\x00</span><span style="color:#bf0303;">i</span><span style="color:#3daee9;">\x00</span><span style="color:#bf0303;">s</span><span style="color:#3daee9;">\x00</span><span style="color:#bf0303;"> </span><span style="color:#3daee9;">\x00</span><span style="color:#bf0303;">p</span><span style="color:#3daee9;">\x00</span><span style="color:#bf0303;">r</span><span style="color:#3daee9;">\x00</span><span style="color:#bf0303;">o</span><span style="color:#3daee9;">\x00</span><span style="color:#bf0303;">g</span><span style="color:#3daee9;">\x00</span><span style="color:#bf0303;">r</span><span style="color:#3daee9;">\x00</span><span style="color:#bf0303;">a</span><span style="color:#3daee9;">\x00</span><span style="color:#bf0303;">m</span><span style="color:#3daee9;">\x00</span><span style="color:#bf0303;"> </span><span style="color:#3daee9;">\x00</span><span style="color:#bf0303;">c</span><span style="color:#3daee9;">\x00</span><span style="color:#bf0303;">a</span><span style="color:#3daee9;">\x00</span><span style="color:#bf0303;">n</span><span style="color:#3daee9;">\x00</span><span style="color:#bf0303;">n</span><span style="color:#3daee9;">\x00</span><span style="color:#bf0303;">o</span><span style="color:#3daee9;">\x00</span><span style="color:#bf0303;">t</span><span style="color:#3daee9;">\x00</span><span style="color:#bf0303;">"</span>
0127 <span style="color:#0057ae;">$xor_string_01</span> = <span style="color:#bf0303;">"U</span><span style="color:#3daee9;">\x01</span><span style="color:#bf0303;">i</span><span style="color:#3daee9;">\x01</span><span style="color:#bf0303;">h</span><span style="color:#3daee9;">\x01</span><span style="color:#bf0303;">r</span><span style="color:#3daee9;">\x01</span><span style="color:#bf0303;">!</span><span style="color:#3daee9;">\x01</span><span style="color:#bf0303;">q</span><span style="color:#3daee9;">\x01</span><span style="color:#bf0303;">s</span><span style="color:#3daee9;">\x01</span><span style="color:#bf0303;">n</span><span style="color:#3daee9;">\x01</span><span style="color:#bf0303;">f</span><span style="color:#3daee9;">\x01</span><span style="color:#bf0303;">s</span><span style="color:#3daee9;">\x01</span><span style="color:#bf0303;">`</span><span style="color:#3daee9;">\x01</span><span style="color:#bf0303;">l</span><span style="color:#3daee9;">\x01</span><span style="color:#bf0303;">!</span><span style="color:#3daee9;">\x01</span><span style="color:#bf0303;">b</span><span style="color:#3daee9;">\x01</span><span style="color:#bf0303;">`</span><span style="color:#3daee9;">\x01</span><span style="color:#bf0303;">o</span><span style="color:#3daee9;">\x01</span><span style="color:#bf0303;">o</span><span style="color:#3daee9;">\x01</span><span style="color:#bf0303;">n</span><span style="color:#3daee9;">\x01</span><span style="color:#bf0303;">u</span><span style="color:#3daee9;">\x01</span><span style="color:#bf0303;">"</span>
0128 <span style="color:#0057ae;">$xor_string_02</span> = <span style="color:#bf0303;">"V</span><span style="color:#3daee9;">\x02</span><span style="color:#bf0303;">j</span><span style="color:#3daee9;">\x02</span><span style="color:#bf0303;">k</span><span style="color:#3daee9;">\x02</span><span style="color:#bf0303;">q</span><span style="color:#3daee9;">\x02\"\x02</span><span style="color:#bf0303;">r</span><span style="color:#3daee9;">\x02</span><span style="color:#bf0303;">p</span><span style="color:#3daee9;">\x02</span><span style="color:#bf0303;">m</span><span style="color:#3daee9;">\x02</span><span style="color:#bf0303;">e</span><span style="color:#3daee9;">\x02</span><span style="color:#bf0303;">p</span><span style="color:#3daee9;">\x02</span><span style="color:#bf0303;">c</span><span style="color:#3daee9;">\x02</span><span style="color:#bf0303;">o</span><span style="color:#3daee9;">\x02\"\x02</span><span style="color:#bf0303;">a</span><span style="color:#3daee9;">\x02</span><span style="color:#bf0303;">c</span><span style="color:#3daee9;">\x02</span><span style="color:#bf0303;">l</span><span style="color:#3daee9;">\x02</span><span style="color:#bf0303;">l</span><span style="color:#3daee9;">\x02</span><span style="color:#bf0303;">m</span><span style="color:#3daee9;">\x02</span><span style="color:#bf0303;">v</span><span style="color:#3daee9;">\x02</span><span style="color:#bf0303;">"</span>
0129 <span style="color:#898887;">// Repeat for every single byte XOR operation.</span>
0130 <span style="font-weight:bold;">condition</span>:
0131 <span style="font-weight:bold;">any</span> <span style="font-weight:bold;">of</span> <span style="font-weight:bold;">them</span>
0132 }
0133
0134 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">XorExample5</span>
0135 {
0136 <span style="font-weight:bold;">strings</span>:
0137 <span style="color:#0057ae;">$xor_string</span> = <span style="color:#bf0303;">"This program cannot"</span> <span style="font-weight:bold;">xor</span>(<span style="color:#b08000;">0x01</span>-<span style="color:#b08000;">0xff</span>)
0138 <span style="font-weight:bold;">condition</span>:
0139 <span style="color:#0057ae;">$xor_string</span>
0140 }
0141
0142 <span style="color:#898887;">// Base64 strings</span>
0143
0144 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">Base64Example1</span>
0145 {
0146 <span style="font-weight:bold;">strings</span>:
0147 <span style="color:#0057ae;">$a</span> = <span style="color:#bf0303;">"This program cannot"</span> <span style="font-weight:bold;">base64</span>
0148
0149 <span style="font-weight:bold;">condition</span>:
0150 <span style="color:#0057ae;">$a</span>
0151 }
0152
0153 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">Base64Example2</span>
0154 {
0155 <span style="font-weight:bold;">strings</span>:
0156 <span style="color:#0057ae;">$a</span> = <span style="color:#bf0303;">"This program cannot"</span> <span style="font-weight:bold;">base64</span>(<span style="color:#bf0303;">"!@#$%^&*(){}[].,|ABCDEFGHIJ</span><span style="color:#3daee9;">\x09</span><span style="color:#bf0303;">LMNOPQRSTUVWXYZabcdefghijklmnopqrstu"</span>)
0157
0158 <span style="font-weight:bold;">condition</span>:
0159 <span style="color:#0057ae;">$a</span>
0160 }
0161
0162 <span style="color:#898887;">// Regular expressions</span>
0163
0164 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">RegExpExample1</span>
0165 {
0166 <span style="font-weight:bold;">strings</span>:
0167 <span style="color:#0057ae;">$re1</span> = <span style="color:#ff5500;">/</span><span style="color:#ff5500;">md5: </span><span style="color:#3daee9;">[0-9a-fA-F]</span><span style="color:#3daee9;">{32}</span><span style="color:#ff5500;">/</span>
0168 <span style="color:#0057ae;">$re2</span> = <span style="color:#ff5500;">/</span><span style="color:#ff5500;">state: </span><span style="color:#3daee9;">(</span><span style="color:#ff5500;">on</span><span style="color:#3daee9;">|</span><span style="color:#ff5500;">off</span><span style="color:#3daee9;">)</span><span style="color:#ff5500;">/</span>
0169
0170 <span style="font-weight:bold;">condition</span>:
0171 <span style="color:#0057ae;">$re1</span> <span style="font-weight:bold;">and</span> <span style="color:#0057ae;">$re2</span>
0172 }
0173
0174 <span style="color:#898887;">// Conditions</span>
0175
0176 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">Example</span>
0177 {
0178 <span style="font-weight:bold;">strings</span>:
0179 <span style="color:#0057ae;">$a</span> = <span style="color:#bf0303;">"text1"</span>
0180 <span style="color:#0057ae;">$b</span> = <span style="color:#bf0303;">"text2"</span>
0181 <span style="color:#0057ae;">$c</span> = <span style="color:#bf0303;">"text3"</span>
0182 <span style="color:#0057ae;">$d</span> = <span style="color:#bf0303;">"text4"</span>
0183
0184 <span style="font-weight:bold;">condition</span>:
0185 (<span style="color:#0057ae;">$a</span> <span style="font-weight:bold;">or</span> <span style="color:#0057ae;">$b</span>) <span style="font-weight:bold;">and</span> (<span style="color:#0057ae;">$c</span> <span style="font-weight:bold;">or</span> <span style="color:#0057ae;">$d</span>)
0186 }
0187
0188 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">CountExample</span>
0189 {
0190 <span style="font-weight:bold;">strings</span>:
0191 <span style="color:#0057ae;">$a</span> = <span style="color:#bf0303;">"dummy1"</span>
0192 <span style="color:#0057ae;">$b</span> = <span style="color:#bf0303;">"dummy2"</span>
0193
0194 <span style="font-weight:bold;">condition</span>:
0195 #a == <span style="color:#b08000;">6</span> <span style="font-weight:bold;">and</span> #b > <span style="color:#b08000;">10</span>
0196 }
0197
0198
0199 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">AtExample</span>
0200 {
0201 <span style="font-weight:bold;">strings</span>:
0202 <span style="color:#0057ae;">$a</span> = <span style="color:#bf0303;">"dummy1"</span>
0203 <span style="color:#0057ae;">$b</span> = <span style="color:#bf0303;">"dummy2"</span>
0204
0205 <span style="font-weight:bold;">condition</span>:
0206 <span style="color:#0057ae;">$a</span> <span style="font-weight:bold;">at</span> <span style="color:#b08000;">100</span> <span style="font-weight:bold;">and</span> <span style="color:#0057ae;">$b</span> <span style="font-weight:bold;">at</span> <span style="color:#b08000;">200</span>
0207 }
0208
0209 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">InExample</span>
0210 {
0211 <span style="font-weight:bold;">strings</span>:
0212 <span style="color:#0057ae;">$a</span> = <span style="color:#bf0303;">"dummy1"</span>
0213 <span style="color:#0057ae;">$b</span> = <span style="color:#bf0303;">"dummy2"</span>
0214
0215 <span style="font-weight:bold;">condition</span>:
0216 <span style="color:#0057ae;">$a</span> <span style="font-weight:bold;">in</span> (<span style="color:#b08000;">0..100</span>) <span style="font-weight:bold;">and</span> <span style="color:#0057ae;">$b</span> <span style="font-weight:bold;">in</span> (<span style="color:#b08000;">100.</span>.<span style="font-weight:bold;">filesize</span>)
0217 }
0218
0219 <span style="color:#898887;">// File size</span>
0220
0221 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">FileSizeExample</span>
0222 {
0223 <span style="font-weight:bold;">condition</span>:
0224 <span style="font-weight:bold;">filesize</span> > <span style="color:#b08000;">200</span>KB
0225 }
0226
0227 <span style="color:#898887;">// Executable entry point</span>
0228
0229 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">EntryPointExample</span>
0230 {
0231 <span style="font-weight:bold;">strings</span>:
0232 <span style="color:#0057ae;">$a</span> = {<span style="color:#ff5500;"> 9C 50 66 A1 ?? ?? ?? 00 66 A9 ?? ?? 58 0F 85 </span>}
0233
0234 <span style="font-weight:bold;">condition</span>:
0235 <span style="color:#0057ae;">$a</span> <span style="font-weight:bold;">in</span> (<span style="font-weight:bold;">entrypoint</span>..<span style="font-weight:bold;">entrypoint</span> + <span style="color:#b08000;">10</span>)
0236 }
0237
0238
0239 <span style="color:#898887;">// Accessing data at a given position</span>
0240
0241 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">IsPE</span>
0242 {
0243 <span style="font-weight:bold;">condition</span>:
0244 <span style="color:#898887;">// MZ signature at offset 0 and ...</span>
0245 <span style="font-weight:bold;">uint16</span>(<span style="color:#b08000;">0</span>) == <span style="color:#b08000;">0x5A4D</span> <span style="font-weight:bold;">and</span>
0246 <span style="color:#898887;">// ... PE signature at offset stored in MZ header at 0x3C</span>
0247 <span style="font-weight:bold;">uint32</span>(<span style="font-weight:bold;">uint32</span>(<span style="color:#b08000;">0x3C</span>)) == <span style="color:#b08000;">0x00004550</span>
0248 }
0249
0250 <span style="color:#898887;">// Sets of strings</span>
0251
0252 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">OfExample1</span>
0253 {
0254 <span style="font-weight:bold;">strings</span>:
0255 <span style="color:#0057ae;">$a</span> = <span style="color:#bf0303;">"dummy1"</span>
0256 <span style="color:#0057ae;">$b</span> = <span style="color:#bf0303;">"dummy2"</span>
0257 <span style="color:#0057ae;">$c</span> = <span style="color:#bf0303;">"dummy3"</span>
0258
0259 <span style="font-weight:bold;">condition</span>:
0260 <span style="color:#b08000;">2</span> <span style="font-weight:bold;">of</span> (<span style="color:#0057ae;">$a</span>,<span style="color:#0057ae;">$b</span>,<span style="color:#0057ae;">$c</span>)
0261 }
0262
0263 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">OfExample2</span>
0264 {
0265 <span style="font-weight:bold;">strings</span>:
0266 <span style="color:#0057ae;">$foo1</span> = <span style="color:#bf0303;">"foo1"</span>
0267 <span style="color:#0057ae;">$foo2</span> = <span style="color:#bf0303;">"foo2"</span>
0268 <span style="color:#0057ae;">$foo3</span> = <span style="color:#bf0303;">"foo3"</span>
0269
0270 <span style="font-weight:bold;">condition</span>:
0271 <span style="color:#b08000;">2</span> <span style="font-weight:bold;">of</span> (<span style="color:#0057ae;">$foo</span>*) <span style="color:#898887;">// equivalent to 2 of ($foo1,$foo2,$foo3)</span>
0272 }
0273
0274 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">OfExample3</span>
0275 {
0276 <span style="font-weight:bold;">strings</span>:
0277 <span style="color:#0057ae;">$a</span> = <span style="color:#bf0303;">"dummy1"</span>
0278 <span style="color:#0057ae;">$b</span> = <span style="color:#bf0303;">"dummy2"</span>
0279 <span style="color:#0057ae;">$c</span> = <span style="color:#bf0303;">"dummy3"</span>
0280
0281 <span style="font-weight:bold;">condition</span>:
0282 <span style="color:#b08000;">1</span> <span style="font-weight:bold;">of</span> <span style="font-weight:bold;">them</span> <span style="color:#898887;">// equivalent to 1 of ($*)</span>
0283 }
0284
0285 <span style="color:#898887;">// Iterating over string occurrences</span>
0286
0287 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">Occurrences</span>
0288 {
0289 <span style="font-weight:bold;">strings</span>:
0290 <span style="color:#0057ae;">$a</span> = <span style="color:#bf0303;">"dummy1"</span>
0291 <span style="color:#0057ae;">$b</span> = <span style="color:#bf0303;">"dummy2"</span>
0292
0293 <span style="font-weight:bold;">condition</span>:
0294 <span style="font-weight:bold;">for</span> <span style="font-weight:bold;">all</span> i <span style="font-weight:bold;">in</span> (<span style="color:#b08000;">1</span>,<span style="color:#b08000;">2</span>,<span style="color:#b08000;">3</span>) : ( @a[i] + <span style="color:#b08000;">10</span> == @b[i] )
0295 }
0296
0297 <span style="color:#898887;">// Referencing other rules</span>
0298
0299 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">Rule1</span>
0300 {
0301 <span style="font-weight:bold;">strings</span>:
0302 <span style="color:#0057ae;">$a</span> = <span style="color:#bf0303;">"dummy1"</span>
0303
0304 <span style="font-weight:bold;">condition</span>:
0305 <span style="color:#0057ae;">$a</span>
0306 }
0307
0308 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">Rule2</span>
0309 {
0310 <span style="font-weight:bold;">strings</span>:
0311 <span style="color:#0057ae;">$a</span> = <span style="color:#bf0303;">"dummy2"</span>
0312
0313 <span style="font-weight:bold;">condition</span>:
0314 <span style="color:#0057ae;">$a</span> <span style="font-weight:bold;">and</span> Rule1
0315 }
0316
0317 <span style="color:#898887;">// Metadata</span>
0318
0319 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">MetadataExample</span>
0320 {
0321 <span style="font-weight:bold;">meta</span>:
0322 my_identifier_1 = <span style="color:#bf0303;">"Some string data"</span>
0323 my_identifier_2 = <span style="color:#b08000;">24</span>
0324 my_identifier_3 = <span style="color:#aa5500;">true</span>
0325
0326 <span style="font-weight:bold;">strings</span>:
0327 <span style="color:#0057ae;">$my_text_string</span> = <span style="color:#bf0303;">"text here"</span>
0328 <span style="color:#0057ae;">$my_hex_string</span> = {<span style="color:#ff5500;"> E2 34 A1 C8 23 FB </span>}
0329
0330 <span style="font-weight:bold;">condition</span>:
0331 <span style="color:#0057ae;">$my_text_string</span> <span style="font-weight:bold;">or</span> <span style="color:#0057ae;">$my_hex_string</span>
0332 }
0333
0334 <span style="color:#898887;">// External variables</span>
0335
0336 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">ExternalVariableExample1</span>
0337 {
0338 <span style="font-weight:bold;">condition</span>:
0339 ext_var == <span style="color:#b08000;">10</span>
0340 }
0341
0342 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">ExternalVariableExample2</span>
0343 {
0344 <span style="font-weight:bold;">condition</span>:
0345 bool_ext_var <span style="font-weight:bold;">or</span> <span style="font-weight:bold;">filesize</span> < int_ext_var
0346 }
0347
0348 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">ExternalVariableExample3</span>
0349 {
0350 <span style="font-weight:bold;">condition</span>:
0351 string_ext_var <span style="font-weight:bold;">contains</span> <span style="color:#bf0303;">"text"</span>
0352 }
0353
0354 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">ExternalVariableExample4</span>
0355 {
0356 <span style="font-weight:bold;">condition</span>:
0357 string_ext_var <span style="font-weight:bold;">matches</span> <span style="color:#ff5500;">/</span><span style="color:#3daee9;">[a-z]</span><span style="color:#3daee9;">+</span><span style="color:#ff5500;">/</span>
0358 }
0359
0360 <span style="font-weight:bold;">rule</span> <span style="color:#644a9b;">ExternalVariableExample5</span>
0361 {
0362 <span style="font-weight:bold;">condition</span>:
0363 <span style="color:#898887;">/* case insensitive single-line mode */</span>
0364 string_ext_var <span style="font-weight:bold;">matches</span> <span style="color:#ff5500;">/</span><span style="color:#3daee9;">[a-z]</span><span style="color:#3daee9;">+</span><span style="color:#ff5500;">/is</span>
0365 }
0366
0367 <span style="color:#898887;">// Including files</span>
0368
0369 <span style="font-weight:bold;">include</span> <span style="color:#bf0303;">"other.yar"</span>
0370 <span style="font-weight:bold;">include</span> <span style="color:#bf0303;">"./includes/other.yar"</span>
0371 <span style="font-weight:bold;">include</span> <span style="color:#bf0303;">"../includes/other.yar"</span>
0372 </pre></body></html>