Yara Strings without New Line

Asked May 09 '21 at 01:54

Active May 09 '21 at 04:26

Viewed 191 times

Do Yara strings need to be on different lines? For example, a typical Yara rule would be made like this

rule DoSomething 
{

     strings:
        $hello = "hello"
        $world = "world" ascii nocase wide
     condition:
        any of them
}

However, could it be written like this instead?

rule DoSomething
{

     strings:
        $hello = "hello" $world = "world" ascii nocase wide
     condition:
        any of them
}

edited May 09 '21 at 04:26

DYZ

asked May 09 '21 at 01:54

hashmaster

Have you tried? What happened? – DYZ May 09 '21 at 04:26
@DYZ nothing has “happened” per say I just wanted to verify that would work without the new lines. I am creating a database of yara rules so that when my program queries this database it can build and compile the rules in memory. Just wanted to get insight if that second string $world is being compiled as its own string, or if yara is able to identify those as 2 separate strings – hashmaster May 09 '21 at 04:39

0 Answers0