I am trying to write YARA rules to match simple IP addresses (e.g. 127.0.0.1 or 192.168.1.1). I understand that I can do it using regular expressions based on this open-source GitHub example.
However, the YARA performance guidelines recommend avoiding regular expressions whenever possible and using hexadecimal jumps/wildcard matching instead, as stated in this GitHub README. I am using it on a large number of examples, so I was keeping performance in mind.
I was wondering, does YARA need to get the IP in a hex format, or can I directly match it in the normal IP format (x.x.x.x)?
I was trying something like:
rule url_localhost
{
    strings:
        $hex_test = { [1-3] 2E [1-3] 2E [1-3] 2E [1-3] ?? ?? }
    condition:
        any of them
}
My logic was something like 3 numbers to start, then a dot (2E in ASCII), and repeating the same, and having wildcards in the end for a potential 'path' in the IP address (e.g. 127.0.0.1/p).
It does not seem to directly work. Is this kind of use-case possible, or is Regex the only way to approach this?
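The following is an added example, not the asker's rule or code from the linked repositories; the rule names are my own. It shows the closest a hex string can get to "a digit" (the nibble wildcard `3?`) beside the regex form, so the two can be compared with `yara -s` on the same sample file.

```yara
// Added example: two ways to look for a dotted-quad IPv4 string in ASCII text.
// Rule names (ipv4_hex_loose, ipv4_regex) are hypothetical.

rule ipv4_hex_loose
{
    strings:
        // A hex string must begin and end with a byte or a wildcard, never with
        // a jump, which is why "{ [1-3] 2E ... }" does not compile.
        // A jump such as [1-3] also matches ANY 1-3 bytes, not just digits.
        // The nearest thing to a digit class is the nibble wildcard 3?, which
        // matches 0x30-0x3F: '0'-'9' plus ':' ';' '<' '=' '>' '?'.
        // Each octet below is one 3? byte followed by 0-2 further bytes, so this
        // is a cheap prefilter that over-matches (e.g. "1ab.2.3.4" would hit).
        $ip_hex = { 3? [0-2] 2E 3? [0-2] 2E 3? [0-2] 2E 3? }
    condition:
        $ip_hex
}

rule ipv4_regex
{
    strings:
        // Exact digit classes and word boundaries; slower to scan than a hex
        // string. [0-9]{1,3} still admits out-of-range octets such as 999.
        $ip_re = /\b[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\b/
    condition:
        $ip_re
}
```

Because `$ip_hex` has only single fixed bytes (`2E`) for the scanner to anchor on, the compiler may warn that it slows down scanning; that warning is the cost of the loose hex pattern rather than a syntax problem.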