Reputation: 1
Yara rule for searching in an eml file
Just starting out with yara and running into some issues. When I run yara to test a rule that I am working on (this rule will look at .eml files), I write the results to a file. When I look at the file I wrote to, nothing is there. Here is my rule.
rule test {
strings:
$text_a = "WORD"
$everyone = "[email protected]"
$return_path = /^\<everyone([.]+)\@domain\.com\>$/
$user_a = "[email protected]"
$user_b = "[email protected]"
condition:
any of ($user*) and ($text_a and $allstaff and $return_path)
}
My data set has [email protected], "WORD", and the return path variable.
The regex in the return path variable has the word "everyone", some random characters, then the domain. When I run this in a terminal, no errors are thrown. When I write to a file nothing is in the file.
yara -s test.yara dataset > text.txt
If I run the same command with the -n flag, I then get results. I am not sure if my logic, regex, or understanding of the flags are wrong. Any guidance would be helpful!
Upvotes: 0
Views: 492
Answers (1)
Reputation: 1
I probably should have just read the documentation lol. Yara doesn't use all regex character classes.
Upvotes: 0
Related Questions
- How can I use pe.entry_point to write YARA rules?
- How to search if a particular word exists in keys in yml file using yq
- Yara Rule - Regex - syntax error: unexpected ')'
- Yara Rule - Regex - Matching Wildcard
- Solr Exact match filtering
- How to search a particular string and content in a yaml file
- Matching with similar rules in yacc
- Solr - Can't search when term ends with "y"
- Writing yara rules in Python
- Returning query results within rules (when clause of drl file) in drools