堆栈内存溢出
  简体   繁体   English

使用十六进制字符串在 YARA 中匹配简单 IP 地址

[英]Matching Simple IP addresses in YARA using Hexadecimal Strings

 原文  2022-07-26 19:28:53       hex/ payara/ yara

问题描述

I am trying to write YARA rules to match simple IP Addresses (eg: 127.0.0.1 or 192.168.1.1).我正在尝试编写 YARA 规则来匹配简单的 IP 地址(例如:127.0.0.1 或 192.168.1.1)。 I understand that I can do it using Regular Expressions based on this open-source Github example .我知道我可以使用基于这个开源 Github示例的正则表达式来做到这一点。

However, YARA performance guidelines recommends us to avoid Regular Expressions whenever possible and use Hexadecimal Jumps/Wildcard matching instead, as stated in this Github Readme .但是,YARA 性能指南建议我们尽可能避免使用正则表达式,而是使用十六进制跳转/通配符匹配,如Github 自述文件中所述。 I am using it on a large number of examples so I was keeping performance in mind.我在大量示例中使用它,因此我始终牢记性能。

I was wondering, does YARA need to get the IP in a hex format, or can I directly match it in the normal IP format ( xxxx )?我想知道,YARA 是否需要获取十六进制格式的 IP,或者我可以直接匹配正常的 IP 格式( xxxx )吗?

I was trying something like:我正在尝试类似的东西:

rule url_localhost
{
    strings:
        $hex_test = { [1-3] 2E [1-3] 2E [1-3] 2E [1-3] ?? ?? }
    condition:
        any of them
}

My logic was something like 3 numbers to start, then a dot (2E in ASCII), and repeating the same, and having wildcards in the end for a potential 'path' in the IP address (eg: 127.0.0.1/p )我的逻辑是从 3 个数字开始,然后是一个点(ASCII 中的 2E),然后重复相同的操作,最后使用通配符表示 IP 地址中的潜在“路径”(例如: 127.0.0.1/p

It does not seem to directly work.好像不能直接用。 Is this kind of use-case possible, or is Regex the only way to approach this?这种用例是否可能,或者正则表达式是解决这个问题的唯一方法吗?

1 个解决方案

解决方案1
 1 已采纳  2022-12-15 11:40:53

I am not sure why, but it seems you cannot start or end your hex string with a jump ([]).我不确定为什么,但似乎你不能用跳转 ([]) 开始或结束你的十六进制字符串。

I got this to work:我得到这个工作:

rule url_localhost{
    strings:
        $hex_test = { ?? [0-2] 2E [1-3] 2E [1-3] 2E }
    condition:
        $hex_test
    }

However, I still get a warning that the rule is slowing down the scan.但是,我仍然收到一条警告,指出该规则正在减慢扫描速度。 I have not done any testing of this method vs. regex, but I would think they are doing pretty much the same under the hood.我没有对这种方法与正则表达式进行过任何测试,但我认为它们在幕后所做的几乎相同。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 为什么用十六进制数字表示内存地址? - Why are memory addresses are represented using hexadecimal numbers? 了解十六进制和 Memory 地址 - Understanding Hexadecimal and Memory addresses 在C ++中使用十六进制字符串的按位函数AND,OR和XOR - Bitwise functions AND, OR and XOR using hexadecimal Strings in C ++ 有一种简单的方法可以使用带有十六进制字符串的QVariant类吗? - Is there an easy way of using the QVariant class with hexadecimal strings? 在文件中存储十六进制地址 - Storing hexadecimal addresses in a file 是否有使用SQL Server / TSQL进行十六进制算术的简单方法? - Is there a simple way to do hexadecimal arithmetic using sql server/TSQL? 十六进制值作为字符串C - Hexadecimal values as Strings C 用于匹配十六进制数的正则表达式? - Regex for matching hexadecimal numbers? 如何在不使用字符串的情况下删除 integer 数字的第 n 个十六进制数字? - How to remove the nth hexadecimal digit of a integer number without using Strings? 将字符串转换为十六进制字符串 - Converting strings into a hexadecimal string
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM