0

I'm new to YARA rules and I wanted to build something really simple, a regex to match a hostname naming convention in my company.
Something like: /AX[BCD][EFG](?=.*\d)[A-Z0-9]{5}/ where the last five characters HAVE TO have at least one digit.
Is there a way to "translate" this to YARA? Keeping in mind that only basic constructs are supported:

  • Alternation (|)
  • Concatenation
  • Repetition (*, *?, +, +?, ?, ??, {digit*,digit*}, {digit*,digit*}?, {digit+})
  • Boundaries (\b, \B, ^, $)
  • Grouping ((, ))
  • Character classes (., \w, \W, \s, \S, \d, \D, [...], [^...])
  • Hex escapes (\xHH)
  • Normal escapes (\ + any special character)
  • Anything else is a literal or illegal

Thanks!

2 Answers

1

You can write the pattern with a grouping and alternation matching 5 characters checking for a digit on every position.

AX[BCD][EFG](\d[A-Z\d]{4}|[A-Z\d]\d[A-Z\d]{3}|[A-Z\d]{2}\d[A-Z\d]{2}|[A-Z\d]{3}\d[A-Z\d]|[A-Z\d]{4}\d)

If you don't want a partial match but match 9 characters in total, you can append anchors around the pattern:

^AX[BCD][EFG](\d[A-Z\d]{4}|[A-Z\d]\d[A-Z\d]{3}|[A-Z\d]{2}\d[A-Z\d]{2}|[A-Z\d]{3}\d[A-Z\d]|[A-Z\d]{4}\d)$


The fourth bird
  • Thank you so much! The first pattern works like a charm. On top of that, if you need more than 5 characters, for example 10, then the pattern will look like: AX[BCD][EFG](\d[A-Z\d]{9}|[A-Z\d]\d[A-Z\d]{8}|[A-Z\d]{2}\d[A-Z\d]{7}|[A-Z\d]{3}\d[A-Z\d]{6}|[A-Z\d]{4}\d[A-Z\d]{5}|[A-Z\d]{5}\d[A-Z\d]{4}|[A-Z\d]{6}\d[A-Z\d]{3}|[A-Z\d]{7}\d[A-Z\d]{2}|[A-Z\d]{8}\d[A-Z\d]|[A-Z\d]{9}\d) – BeQuietAndDrive Sep 21 '22 at 10:19
  • @BeQuietAndDrive You are welcome, glad that it worked out. If the answer helped solving the question, feel free to accept the answer. – The fourth bird Sep 21 '22 at 10:32
0

If length is known to be correct (that is the regex doesn't need to assert length):

/AX[BCD][EFG][A-Z\d]*\d[A-Z\d]*/
Bohemian
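
The alternation in the first answer, and its 10-character variant from the comment, can be generated for any tail length instead of typed by hand. The following is an added example, not code from the thread: the function names, the rule name `hostname_convention`, the string name `$host` and the sample hostnames are assumptions made for illustration. It also cross-checks the generated pattern against a lookahead bounded to the tail, and keeps the question's original regex to show that an unbounded `(?=.*\d)` accepts a digit that sits after the five-character tail.

```python
import re

PREFIX = "AX[BCD][EFG]"  # fixed part of the naming convention (from the question)
CLS = r"[A-Z\d]"         # tail character class as written in the answers
# The question's original regex: its lookahead is not limited to the five-character tail.
QUESTION_REGEX = r"AX[BCD][EFG](?=.*\d)[A-Z0-9]{5}"


def _rep(n):
    """CLS repeated n times, written the way the first answer writes it."""
    if n == 0:
        return ""
    return CLS if n == 1 else f"{CLS}{{{n}}}"


def build_pattern(n):
    """One branch per digit position in an n-character tail; no lookahead needed."""
    if n < 1:
        raise ValueError("tail length must be at least 1")
    branches = [_rep(i) + r"\d" + _rep(n - 1 - i) for i in range(n)]
    return PREFIX + "(" + "|".join(branches) + ")"


def lookahead_reference(n):
    """Lookahead bounded to the tail; used only to cross-check with Python's re."""
    return f"{PREFIX}(?={CLS}{{0,{n - 1}}}\\d){CLS}{{{n}}}"


def yara_rule(n, name="hostname_convention"):
    """Emit a YARA rule around the pattern (rule and string names are placeholders)."""
    return (f"rule {name}\n{{\n    strings:\n        $host = /{build_pattern(n)}/\n"
            f"    condition:\n        $host\n}}\n")


def matches(pattern, text):
    return re.search(pattern, text) is not None


# Constructed sample hostnames: three valid, then no digit, bad prefix, digit past the tail.
SAMPLES = ["AXBE1ABCD", "AXCFABCD9", "AXDGAB3DE", "AXBEABCDE", "AXAEABCD1", "AXBEABCDEF7"]

if __name__ == "__main__":
    print(yara_rule(5))
    for host in SAMPLES:
        print(host, matches(build_pattern(5), host),
              matches(lookahead_reference(5), host), matches(QUESTION_REGEX, host))
```

If the hostnames can appear as UTF-16 in the scanned data, adding YARA's `wide` modifier to the string covers that encoding.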