0

Want to write a Yara rule that fires on a range of strings hitting. E.g.:

$rrr = "shell"

$var1 = "cheese"
$var2 = "beef"
$var3 = "chicken"

condition:

$rrr and ($var*) > 2

Can't seem to get anything like this to compile.

Tried the above, tried other various regexs and assorted nonsense.

Ken White
  • 123,280
  • 14
  • 225
  • 444
SpookKook
  • 1

1 Answers1

0

It's not completely clear what you are going for with your sample above, but here are two options:

$rrr and (#var1+#var2+#var3) >= 2
  • Will match on "shell cheese cheese"

--Or--

$rrr and (2 of ($var*))
  • Will match on "shell cheese beef"
  • But not "shell cheese cheese"
josh poley
  • 7,236
  • 1
  • 25
  • 25