The following program is a C reimplementation of what was reported as hillu/go-yara#25. Removing the second call of yr_compiler_define_string_variable() restores expected behavior.
#include <yara.h>
#include <stdio.h>
void errcheck(int code) {
if (code == 0) {
puts("ok");
} else {
printf("error %d\n", code);
}
}
int scan_callback(int message, void* message_data, void* user_data) {
switch(message) {
case CALLBACK_MSG_RULE_MATCHING:
printf("match %s\n", ((YR_RULE*)message_data)->identifier);
break;
case CALLBACK_MSG_RULE_NOT_MATCHING:
printf("not matching %s\n", ((YR_RULE*)message_data)->identifier);
break;
}
}
int main(int argc, char **argv) {
YR_COMPILER *c;
yr_initialize();
errcheck(yr_compiler_create(&c));
errcheck(yr_compiler_define_string_variable(c, "category", ""));
errcheck(yr_compiler_define_string_variable(c, "category", ""));
errcheck(yr_compiler_add_string(c, "rule category_is_empty { condition: category == \"\" }", "default"));
errcheck(yr_compiler_add_string(c, "rule category_is_not_empty { condition: category != \"\" }", "default"));
YR_RULES *r;
errcheck(yr_compiler_get_rules(c, &r));
errcheck(yr_rules_define_string_variable(r, "category", "http"));
errcheck(yr_rules_scan_mem(r, "", 0, 0, scan_callback, NULL, 0));
}
The following program is a C reimplementation of what was reported as hillu/go-yara#25. Removing the second call of
yr_compiler_define_string_variable()restores expected behavior.