
Does Yara regex rule support the multi-line option?

Open patternhelloworld opened this issue 6 years ago • 4 comments

In regex, setting regex options to "multiline" means that "^" matches the start of each line and "$" matches the end of each line. But YARA rules do not seem to support it. For example, this does not work. Is there any way to solve the issue?

```yara
rule PinenoteSolo {
    strings:
        $a = /^{"[0-9]+?.hocr.+?2Ta家$/ wide ascii

    condition:
        $a
}
```

patternhelloworld, Aug 16 '19 02:08

No, YARA regexps don't support multi-line mode. This feature could be implemented, I think. I haven't thought about the ramifications yet, but I think it's possible.

plusvic, Aug 16 '19 08:08

@plusvic I was having a difficult time writing YARA rules because of the lack of this feature. I just wanted to know if this will be prioritized any time soon.

ag-michael, May 25 '21 18:05

I would like to see multi-line support added for regex as well. YARA is being widely adopted, and should be updated to support string matching across newlines. My most recent specific use case where this is needed is with KnowBe4:PhishER.

LinkMJB, Aug 10 '21 20:08
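
One way to get line-anchored matching without multi-line mode is to drop `^` and `$` from the regex and check the bytes around each match in the condition. This is an added example, not code from the issue or from the YARA project. The rule name is hypothetical, the pattern is a constructed ASCII-only simplification of the one in the question, and `wide` strings are not covered.

```yara
rule LineAnchoredHocr_Example
{
    meta:
        description = "Emulates ^ and $ per line via condition checks (added example)"

    strings:
        // No ^ or $ here. [^\r\n]* keeps the match on a single line, and all
        // quantifiers are greedy so the match runs to the last "2Ta" on that line.
        $a = /\{"[0-9]+\.hocr[^\r\n]*2Ta/ ascii

    condition:
        for any i in (1..#a) : (
            // Emulated "^": match starts at offset 0 or right after a line feed.
            ( @a[i] == 0 or uint8(@a[i] - 1) == 0x0A )
            and
            // Emulated "$": match ends at end of file or right before CR / LF.
            (
                @a[i] + !a[i] == filesize
                or uint8(@a[i] + !a[i]) == 0x0A
                or uint8(@a[i] + !a[i]) == 0x0D
            )
        )
}
```

`@a[i]` is the offset of the i-th match and `!a[i]` is its length, so `@a[i] + !a[i]` is the first byte after the match.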