
Use of hash metadata in yara

The metadata section of a yara rule often has one or more hashes. Ex: hash = "27a0a98053f3eed82a51cdefbdfec7bb948e1f36"; there can sometimes be 100 or more of these. How are they used, if at all? The yara docs and Google searches make no mention of them. Are they MD5s, SHA-1s or something else? Will yara flag files with hashes that match? Automatically, without the rule telling it to? Yara has a hash library and a hash.md5() function for this purpose, so why are these in the metadata? Thanks for any help.

According to http://yara.readthedocs.io/en/latest/writingrules.html#metadata:

Note that identifier/value pairs defined in the metadata section can not be used in the condition section, their only purpose is to store additional information about the rule.

So in the cases you refer to, Yara itself doesn't use them. However, another application (such as python-yara) might interpret them and base its own actions on metadata.
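As an added example of the kind of external tooling the answer alludes to (this is not code from the question, the answer, yara, or the yara-python bindings): a pure-Python helper that pulls hash-looking values out of a rule's meta section, tells MD5, SHA-1 and SHA-256 apart by digest length, and checks a file's digests against them. The rule text and the sample bytes are constructed for the demo; the first meta hash is the one quoted in the question.

```python
import hashlib
import re

# Constructed sample "file" content; not taken from any real sample.
SAMPLE = b"MZ\x90\x00 constructed sample content for the hash-metadata demo\n"

# Constructed rule text: the first hash is the one quoted in the question,
# the other two are computed from SAMPLE so the demo has a known positive.
RULE_TEXT = '''rule demo_hash_meta
{
    meta:
        author = "example"
        hash = "27a0a98053f3eed82a51cdefbdfec7bb948e1f36"
        hash1 = "%s"
        sha256 = "%s"
    strings:
        $mz = "MZ"
    condition:
        $mz at 0
}
''' % (hashlib.md5(SAMPLE).hexdigest(), hashlib.sha256(SAMPLE).hexdigest())

# Hex-digest length -> hashlib algorithm name (the only way to tell them apart)
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

META_RE = re.compile(r"meta:\s*(.*?)\s*(?:strings:|condition:)", re.S)
PAIR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.M)


def extract_meta_hashes(rule_text):
    """Return {algorithm: set of hex digests} from every meta section in rule_text."""
    # Any 32/40/64-char hex meta value counts as a hash, whatever its identifier
    # (hash, hash1, sha256, ...); yara itself never reads these values.
    found = {}
    for meta_block in META_RE.findall(rule_text):
        for _, value in PAIR_RE.findall(meta_block):
            v = value.lower()
            algo = ALGO_BY_LEN.get(len(v))
            if algo and all(c in "0123456789abcdef" for c in v):
                found.setdefault(algo, set()).add(v)
    return found


def match_hashes(data, meta_hashes):
    """Hash data once per algorithm present; return sorted (algo, digest) hits."""
    matches = []
    for algo, digests in meta_hashes.items():
        digest = hashlib.new(algo, data).hexdigest()
        if digest in digests:
            matches.append((algo, digest))
    return sorted(matches)
```

Running `match_hashes(SAMPLE, extract_meta_hashes(RULE_TEXT))` reports the md5 and sha256 hits while the question's SHA-1 does not match, which is exactly the comparison yara's own condition evaluation never performs.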
