Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support case insenstive strings in yara rules #48

Closed
msm-code opened this issue Apr 5, 2020 · 1 comment · Fixed by #136
Closed

Support case insenstive strings in yara rules #48

msm-code opened this issue Apr 5, 2020 · 1 comment · Fixed by #136
Assignees
@msm-code
Labels
needs more design Non-trivial design issues invoved. Ask maintainers before working on
Milestone
v1.2.0

Comments

@msm-code
Copy link
Contributor

msm-code commented Apr 5, 2020

Right now, we just ignore strings with the nocase flag:

rule CaseInsensitiveTextExample
{
    strings:
        $text_string = "foobar" nocase

    condition:
        $text_string
}

Supporting them correctly is... harder than it looks like. This can match:

foobar
foobaR
foobAr
foobAR
fooBar
... and 59 strings more

and ursadb query language is not expressive enough to support this.

We can't hack around this by chopping the query in the backend to something like:

( "foo" AND (
    "oob" AND (
        "oba" AND (
            ...
        ) OR
        "obA" AND (

        )
    ) OR
    "ooB" AND (
        "oBa" AND (
            ...
        ) OR
        "oBA" AND (
            ...
        )
    )
) OR "foO AND (
    ...
) OR "fOo" AND (
    ...
) OR "fOO" AND (
    ...
) ...

Because of exponential growth.

OTOH I feel like like this can solved with a C++ method (needs investigation). In this case we need to introduce nocase strings to ursadb.

Needs investigation (if this results in too many false positives, we may as well give up).
@msm-code msm-code added zone:flask backend needs more design Non-trivial design issues invoved. Ask maintainers before working on labels Apr 5, 2020
@msm-code msm-code mentioned this issue Apr 5, 2020
Closed
10 tasks
@msm-code msm-code added this to the v1.1.0 milestone Apr 8, 2020
@msm-code msm-code self-assigned this Apr 15, 2020
@msm-code
Copy link
Contributor Author

Backend work is done, now then only thing that left is transforming "asdf" nocase into { (61 | 41) (53 | 73) (44 | 64) (66 | 46)}

@msm-code msm-code mentioned this issue May 2, 2020
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@msm-code msm-code

Labels
needs more design Non-trivial design issues invoved. Ask maintainers before working on
Projects
None yet
Milestone
v1.2.0
Development

Successfully merging a pull request may close this issue.

Support nocase expressions CERT-Polska/mquery
1 participant
@msm-code