I'm new to YARA rules and I wanted to build something really simple, a regex to match a hostname naming convention in my company.
Something like:
/AX[BCD][EFG](?=.*\d)[A-Z0-9]{5}/
where the last five characters HAVE TO have at least one digit.
Is there a way to "translate" this to YARA? Keeping in mind that only basic constructs are supported:
- Alternation (|)
- Concatenation
- Repetition (*, *?, +, +?, ?, ??, {digit*,digit*}, {digit*,digit*}?, {digit+})
- Boundaries (\b, \B, ^, $)
- Grouping ((, ))
- Character classes (., \w, \W, \s, \S, \d, \D, [...], [^...])
- Hex escapes (\xHH)
- Normal escapes (\ any special character)
- Anything else is a literal or illegal
Thanks!
CodePudding user response:
You can write the pattern with a grouping and alternation matching 5 characters checking for a digit on every position.
AX[BCD][EFG](\d[A-Z\d]{4}|[A-Z\d]\d[A-Z\d]{3}|[A-Z\d]{2}\d[A-Z\d]{2}|[A-Z\d]{3}\d[A-Z\d]|[A-Z\d]{4}\d)
If you don't want a partial match but match 9 characters in total, you can append anchors around the pattern:
^AX[BCD][EFG](\d[A-Z\d]{4}|[A-Z\d]\d[A-Z\d]{3}|[A-Z\d]{2}\d[A-Z\d]{2}|[A-Z\d]{3}\d[A-Z\d]|[A-Z\d]{4}\d)$
CodePudding user response:
If length is known to be correct (that is, the regex doesn't need to assert length):
/AX[BCD][EFG][A-Z\d]*\d[A-Z\d]*/
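
An added example (not part of either answer): a Python check that the position-by-position alternation from the first answer accepts exactly the hostnames the question describes, generalized to any tail length. The helper names and the reduced test alphabet are assumptions made here; Python's `re` stands in for YARA's regex engine, and `fullmatch` plays the role of the `^`/`$` anchors.

```python
import itertools
import re
import string

PREFIX = r"AX[BCD][EFG]"
TAIL_CLASS = r"[A-Z\d]"
ALNUM = string.ascii_uppercase + string.digits


def _rep(cls, k):
    """cls repeated k times, written the way the answer writes it."""
    if k == 0:
        return ""
    return cls if k == 1 else f"{cls}{{{k}}}"


def digit_somewhere(n, cls=TAIL_CLASS):
    """Lookahead-free 'n chars of cls, at least one digit': one branch per digit position."""
    branches = [_rep(cls, i) + r"\d" + _rep(cls, n - 1 - i) for i in range(n)]
    return "(" + "|".join(branches) + ")"


def hostname_pattern(n=5):
    """Unanchored pattern; wrap in ^...$ (or use fullmatch) for a whole-string match."""
    return PREFIX + digit_somewhere(n)


def intended(name, n=5):
    """The naming rule from the question, written without any regex."""
    return (len(name) == 4 + n and name[:2] == "AX"
            and name[2] in "BCD" and name[3] in "EFG"
            and all(c in ALNUM for c in name[4:])
            and any(c in string.digits for c in name[4:]))


def mismatches(n=5, alphabet="AZ09a-"):
    """Exhaustively compare regex and rule over constructed tails from a small alphabet."""
    rx = re.compile(hostname_pattern(n), re.ASCII)  # ASCII: \d means 0-9 only
    bad = []
    for prefix in ("AXBE", "AXDG", "AXAE", "AYBE"):  # two valid, two invalid prefixes
        for tail in itertools.product(alphabet, repeat=n):
            name = prefix + "".join(tail)
            if bool(rx.fullmatch(name)) != intended(name, n):
                bad.append(name)
    return bad


if __name__ == "__main__":
    print(hostname_pattern())
    print("disagreements:", mismatches())
```

The number of branches grows linearly with the tail length, so the same generator works for longer naming conventions without hand-writing each alternative.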