Matching Simple IP addresses in YARA using Hexadecimal Strings
I am trying to write YARA rules to match simple IP addresses (e.g. 127.0.0.1 or 192.168.1.1). I understand that I can do it using regular expressions, based on this open-source GitHub example.
However, the YARA performance guidelines recommend avoiding regular expressions whenever possible and using hexadecimal jumps/wildcard matching instead, as stated in this GitHub README. I am using it on a large number of examples, so I was keeping performance in mind.
I was wondering, does YARA need to get the IP in a hex format, or can I directly match it in the normal IP format (xxxx)?
I was trying something like:

rule url_localhost
{
    strings:
        $hex_test = { [1-3] 2E [1-3] 2E [1-3] 2E [1-3] ?? ?? }
    condition:
        any of them
}
My logic was something like: 3 numbers to start, then a dot (2E in ASCII), repeating the same, and wildcards at the end for a potential 'path' in the IP address (e.g. 127.0.0.1/p).
It does not seem to work directly. Is this kind of use-case possible, or is regex the only way to approach this?
I am not sure why, but it seems you cannot start or end your hex string with a jump ([]).
I got this to work:

rule url_localhost
{
    strings:
        $hex_test = { ?? [0-2] 2E [1-3] 2E [1-3] 2E }
    condition:
        $hex_test
}
However, I still get a warning that the rule is slowing down the scan. I have not done any testing of this method vs. regex, but I would think they are doing pretty much the same under the hood.
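As an added example that is not part of the question or the answer above: a short Python script that translates a YARA hex string into the equivalent bytes regex and runs it, next to a digit-based dotted-quad regex, over a constructed buffer. It makes visible what the answer's pattern actually accepts: `??` and `[n-m]` match arbitrary bytes, not digits, so the hex-string form is a much looser filter than the regex, and that can be checked offline before a rule is deployed. The dotted-quad regex is an assumed form of what the linked GitHub example does; the page does not quote the actual expression.

```python
import re

# Added example, not code from the question, the answer or the YARA project.


def hex_string_to_regex(hex_string: str) -> bytes:
    """Translate a YARA hex string such as '{ ?? [0-2] 2E }' into a bytes regex.

    Handles the token kinds used on this page: literal hex bytes (2E), the
    single-byte wildcard (??) and jumps ([n] or [n-m]). Nibble wildcards (2?),
    unbounded jumps ([n-]) and alternatives ((A|B)) are deliberately rejected.
    Compile the result with re.DOTALL so '.' matches every byte value, which is
    what ?? and jumps do in YARA.
    """
    body = hex_string.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    parts = []
    for tok in body.split():
        if tok == "??":
            parts.append(rb".")  # any single byte
        elif tok.startswith("[") and tok.endswith("]"):
            lo, sep, hi = tok[1:-1].partition("-")
            if not sep:  # [n] means exactly n bytes
                hi = lo
            if not lo.isdigit() or not hi.isdigit():
                raise ValueError(f"only bounded jumps are supported: {tok!r}")
            parts.append(b".{%d,%d}" % (int(lo), int(hi)))  # n..m arbitrary bytes
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))  # one literal byte
        else:
            raise ValueError(f"unsupported token: {tok!r}")
    return b"".join(parts)


def find_matches(pattern: bytes, data: bytes) -> list:
    """Return every non-overlapping match of a bytes regex over data."""
    return [m.group(0) for m in re.finditer(pattern, data, re.DOTALL)]


# The hex string from the answer above.
JUMP_RULE = "{ ?? [0-2] 2E [1-3] 2E [1-3] 2E }"

# A digit-based dotted-quad regex of the kind the question's linked GitHub
# example uses (assumed form; the page does not quote the real expression).
DIGIT_RULE = rb"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"

# Constructed sample buffer: one real address plus look-alikes that are not IPs.
SAMPLE = (b"GET http://127.0.0.1/p HTTP/1.1\r\n"
          b"Version 2.10.3.beta\r\n"
          b"call a.b.c.d()\r\n")


def compare(data: bytes = SAMPLE) -> dict:
    """Show what each candidate rule picks out of the same buffer."""
    return {
        "hex_jumps": find_matches(hex_string_to_regex(JUMP_RULE), data),
        "digit_regex": find_matches(DIGIT_RULE, data),
    }


if __name__ == "__main__":
    for name, hits in compare().items():
        print(name, hits)
```

Run it and the jump-based pattern reports three hits on the sample buffer, including the version string and the dotted identifier, while the digit regex reports only 127.0.0.1. The scan-speed warning on the answer's rule comes from the same property: the only literal byte in the pattern is 2E, a very common byte, so YARA has almost nothing to anchor its search on. Note also that neither pattern checks that each octet is in the 0 to 255 range, and that the regex will match version strings with four numeric components just as readily as an address.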