I need to be able to match URLs in a dump file, surrounded by a certain byte pattern. I wrote the following YARA rule for that:
rule yara_rule
{
    strings:
        $beg = { 00 00 01 }
        $domain = /http[s]?:\/\/(www\.)?[-a-zA-Z0-9]+\.[-a-zA-Z0-9]+\/[-a-zA-Z0-9%#\?=&\.\/:\+_]*/
        $end = { 00 }
    condition:
        ???
}
I need a way to concat those 3 pieces together, but I cannot figure out a way. Can you help?
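Two ways to require the three pieces to sit back to back, as an added example that is not part of the original question: the first keeps the three strings and ties them together by offset in the condition, the second folds the marker bytes into a single regular expression. The rule names are hypothetical; the patterns are the ones from the rule above.

```yara
// Variant 1: keep the three strings and anchor them relative to each URL match.
// @domain[i] is the offset of the i-th match of $domain, !domain[i] its length.
rule url_between_markers_by_offset
{
    strings:
        $beg = { 00 00 01 }
        $domain = /http[s]?:\/\/(www\.)?[-a-zA-Z0-9]+\.[-a-zA-Z0-9]+\/[-a-zA-Z0-9%#\?=&\.\/:\+_]*/
        $end = { 00 }
    condition:
        for any i in (1..#domain) : (
            // the 3-byte prefix must fit in front of the URL
            @domain[i] >= 3 and
            // 00 00 01 immediately before the URL
            $beg at (@domain[i] - 3) and
            // 00 immediately after the last byte of the URL
            $end at (@domain[i] + !domain[i])
        )
}

// Variant 2: express the surrounding bytes inside the regular expression
// with \xNN escapes, so one string covers prefix, URL and terminator.
rule url_between_markers_single_regex
{
    strings:
        $framed_url = /\x00\x00\x01http[s]?:\/\/(www\.)?[-a-zA-Z0-9]+\.[-a-zA-Z0-9]+\/[-a-zA-Z0-9%#\?=&\.\/:\+_]*\x00/
    condition:
        $framed_url
}
```

In variant 2 the reported match includes the three prefix bytes and the trailing zero byte, so the URL itself starts 3 bytes into the match; variant 1 reports the URL on its own under `$domain`.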