
I'm working to write a regex pattern that will search through multiple YARA rules within the same file. The pattern I've come up with already matches each YARA rule individually from beginning to end across multiple lines. Now I want to match the entire YARA rule, and each one individually, but only if it contains the string "BANANAS" somewhere within the rule.

The problem I'm now having is that my regex matches from the beginning of a YARA rule all the way to the end of the YARA rule that does contain the string "BANANAS", BUT it also grabs every YARA rule in between the start and end points that DO NOT contain "BANANAS". What am I missing to only grab the rules that contain my specified string?

These are the current regex patterns I'm using:

^rule\s[\s\S]*?^\}$
^rule\s[\s\S]*?(?=BANANAS)[\s\S]*?^\}$

The first pattern matches each individual YARA rule from beginning to end. The second pattern contains the lookahead and is attempting to match each YARA rule only if it contains the specified string.

To clarify, I want to avoid using any built-in app functions for multiline matching, which is why I'm using [\s\S]* instead of .*

I'm using the above regex pattern to match on the text below as an example. The string "BANANAS" that I'm specifying is located in the <description = "foo"> field within the YARA rules below.

Picture of Failed results

rule RULENAME
{
    meta:
        author = "abcdef"
        last_update = "abcdef"
        description = "TURKEY"
        hash = "abcdef" //dumped
    strings:
        $mz = "MZ"
        $low0 = "malware" ascii wide
        $low1 = "hello world" ascii wide
        $low2 = "sus" wide
        $low3 = "keyLogger" wide
        $low4 = "bot" wide
        $low5 = "usb" wide
    condition:
        $mz at 0 and (3 of ($low*))
}
rule RULENAME
{
    meta:
        author = "abcdef"
        last_update = "abcdef"
        description = "BANANAS"
        hash = "abcdef" //dumped
    strings:
        $mz = "MZ"
        $low0 = "malware" ascii wide
        $low1 = "hello world" ascii wide
        $low2 = "sus" wide
        $low3 = "keyLogger" wide
        $low4 = "bot" wide
        $low5 = "usb" wide
    condition:
        $mz at 0 and (3 of ($low*))
}
rule RULENAME
{
    meta:
        author = "abcdef"
        last_update = "abcdef"
        description = "CHICKEN"
        hash = "abcdef" //dumped
    strings:
        $mz = "MZ"
        $low0 = "malware" ascii wide
        $low1 = "hello world" ascii wide
        $low2 = "sus" wide
        $low3 = "keyLogger" wide
        $low4 = "bot" wide
        $low5 = "usb" wide
    condition:
        $mz at 0 and (3 of ($low*))
}
InSync
rilo

1 Answer


I think this could work:

^rule\s[^}]*BANANAS[^}]*?^}$

I didn't manage to reproduce your screenshot, but that looks like it's matching two rules because a single match can span multiple rules, so it started from the first rule and then matched up to the end of the rule with BANANAS in it. If you had BANANAS in the bottom rule, you would probably see it match all 3 rules in your example. I replaced [\s\S] with [^}] to prevent this.

Liselot
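The behaviour described in the question and the answer, reproduced as an added Python example (not code from either poster): the question's `[\s\S]*?` pattern leaks across the rule boundary and returns RULE_A together with RULE_B, while the answer's `[^}]` pattern confines each match to one rule. The sample rule text is constructed here with different identifiers than the ones in the question; the helper `rules_matched` is an assumption introduced for the demonstration. It also shows the caveat a defender should know before running this over a real rule set: `[^}]` cannot step over a `}` inside a string literal, so such a rule is silently missed.

```python
import re

# Constructed sample: three YARA rules in one file; only the middle one mentions BANANAS.
RULES = """\
rule RULE_A
{
    meta:
        description = "TURKEY"
    strings:
        $mz = "MZ"
    condition:
        $mz at 0
}
rule RULE_B
{
    meta:
        description = "BANANAS"
    strings:
        $mz = "MZ"
    condition:
        $mz at 0
}
rule RULE_C
{
    meta:
        description = "CHICKEN"
    strings:
        $mz = "MZ"
    condition:
        $mz at 0
}
"""

# Constructed edge case: a closing brace inside a string literal. [^}] cannot cross it,
# so the answer's pattern misses this rule even though it mentions BANANAS.
BRACE_IN_STRING = """\
rule RULE_D
{
    meta:
        description = "BANANAS"
    strings:
        $s = "}"
    condition:
        $s
}
"""

# Pattern from the question. The lazy [\s\S]*? happily crosses a closing brace,
# so the match starts at the first "rule" and runs to the first "}" line after BANANAS.
# re.M is what makes ^ and $ anchor at line boundaries in Python.
QUESTION_PATTERN = re.compile(r"^rule\s[\s\S]*?(?=BANANAS)[\s\S]*?^\}$", re.M)

# Pattern from the answer. [^}] cannot step over a "}" at all, so a single match
# can never span two rules.
ANSWER_PATTERN = re.compile(r"^rule\s[^}]*BANANAS[^}]*?^\}$", re.M)


def rules_matched(pattern, text):
    """Return, for each match, the rule identifiers it covers (hypothetical helper).

    Listing the identifiers inside every match makes span leakage visible:
    a correct pattern yields one identifier per match.
    """
    return [
        re.findall(r"^rule\s+(\w+)", match.group(0), re.M)
        for match in pattern.finditer(text)
    ]


if __name__ == "__main__":
    print("question pattern:", rules_matched(QUESTION_PATTERN, RULES))
    print("answer pattern:  ", rules_matched(ANSWER_PATTERN, RULES))
    print("brace in string: ", rules_matched(ANSWER_PATTERN, BRACE_IN_STRING))
```

Because `[^}]` and `^\}$` both depend on the closing brace sitting alone at the start of a line, the answer's pattern is fine for uniformly formatted rule files but not for arbitrary ones; when you need to triage rules by content in a production rule set, parse them with a YARA-aware tool rather than a regex.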