Just starting out with yara and running into some issues. When I run yara to test a rule that I am working on (this rule will look at .eml files), I write the results to a file. When I look at the file I wrote to, nothing is there. Here is my rule.
rule test {
    strings:
        // literal strings expected in the .eml
        $text_a = "WORD"
        $everyone = "everyone@domain.com"
        // Return-Path header: "everyone", some characters, then the domain
        $return_path = /^\<everyone([.]+)\@domain\.com\>$/
        $user_a = "usera@domain.com"
        $user_b = "userb@domain.com"
    condition:
        any of ($user*) and ($text_a and $everyone and $return_path)
}
My data set has usera@domain.com, "WORD", and the return path variable.
The regex in the return path variable has the word "everyone", some random characters, then the domain. When I run this in a terminal, no errors are thrown. When I write to a file, nothing is in the file.
yara -s test.yara dataset > text.txt
If I run the same command with the -n flag, I then get results. I am not sure if my logic, regex, or understanding of the flags are wrong. Any guidance would be helpful!
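Added example (not part of the original post): a Python script that runs the posted $return_path regex against a constructed .eml, using Python's re module as a stand-in for YARA's matcher, and shows a corrected pattern and rule. The sample message, the fixed pattern (FIXED_RETURN_PATH) and the rule text are assumptions of mine; the script relies on YARA's documented behaviour that ^ and $ in a regex anchor to the start and end of the scanned file, not of a line, which Python's re reproduces when MULTILINE is left off.

```python
import re

# Constructed sample .eml (not from the original post). Only the headers matter for the rule.
SAMPLE_EML = (
    "Return-Path: <everyone-bounces-1234@domain.com>\r\n"
    "From: usera@domain.com\r\n"
    "To: everyone@domain.com\r\n"
    "Subject: WORD of the day\r\n"
    "\r\n"
    "Body text.\r\n"
)

# The poster's $return_path regex, verbatim.
ORIGINAL_RETURN_PATH = r"^\<everyone([.]+)\@domain\.com\>$"

# Corrected $return_path (assumption: Return-Path is an ordinary header line).
# No ^/$ anchors, [^>\r\n]+ instead of [.]+ (which only matches literal dots),
# and the header name is included so the pattern cannot fire on the To: line.
FIXED_RETURN_PATH = r"Return-Path: <everyone[^>\r\n]+@domain\.com>"

# The same fix expressed in YARA syntax, for pasting into a .yara file (my version, not the poster's).
FIXED_RULE = r"""
rule test {
    strings:
        $text_a = "WORD"
        $everyone = "everyone@domain.com"
        $return_path = /Return-Path: <everyone[^>\r\n]+@domain\.com>/
        $user_a = "usera@domain.com"
        $user_b = "userb@domain.com"
    condition:
        any of ($user*) and ($text_a and $everyone and $return_path)
}
"""


def matches(pattern, data):
    """Search DATA for PATTERN the way YARA scans a file.

    Without MULTILINE, Python's re treats ^ and $ as the start and end of the whole
    string, which is how YARA anchors them (start and end of the scanned file).
    DOTALL is left off so '.' and the negated class stay within one line.
    """
    return re.search(pattern, data) is not None


def evaluate_rule(data, return_path_pattern):
    """Evaluate the poster's condition by hand:
    any of ($user*) and ($text_a and $everyone and $return_path)."""
    text_a = "WORD" in data
    everyone = "everyone@domain.com" in data
    return_path = matches(return_path_pattern, data)
    users = ["usera@domain.com" in data, "userb@domain.com" in data]
    return any(users) and (text_a and everyone and return_path)


def original_matches_only_whole_file():
    """Show why the original regex cannot hit a header inside a message: it matches only
    when the entire scanned data is exactly <everyone + dots + @domain.com>."""
    whole_file = "<everyone...@domain.com>"  # anchors and [.]+ both satisfied
    inside_message = "Return-Path: <everyone...@domain.com>\r\nTo: x@domain.com\r\n"
    return matches(ORIGINAL_RETURN_PATH, whole_file), matches(ORIGINAL_RETURN_PATH, inside_message)


if __name__ == "__main__":
    print("original regex, whole-file vs inside a message:", original_matches_only_whole_file())
    print("rule with original $return_path:", evaluate_rule(SAMPLE_EML, ORIGINAL_RETURN_PATH))
    print("rule with fixed $return_path:   ", evaluate_rule(SAMPLE_EML, FIXED_RETURN_PATH))
```

Two things to check in the posted rule. The condition references $allstaff while the strings section declares $everyone; YARA refuses to compile a condition that names an undeclared string, so the two names must agree. The regex then has two separate problems: [.]+ matches one or more literal dots only, and ^ and $ anchor to the whole file, so the pattern can only match an .eml that consists of nothing but <everyone....@domain.com>. That also explains the flag behaviour: by default yara prints only the rules that matched, and -n prints only the rules that did not match, so an empty text.txt together with output under -n means the rule compiled and scanned the data but never matched.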