Home > Software design >  YARA Rule - Regex - String with at least one digit
YARA Rule - Regex - String with at least one digit

Time:09-21

I'm new to YARA rules and I wanted to build something really simple, a regex to match a hostname naming convention in my company.
Something like: /AX[BCD][EFG](?=.*\d)[A-Z0-9]{5}/ where the last five characters HAVE TO have at least one digit.
Is there a way to "translate" this to YARA? Keeping in mind that only basic constructs are supported:

  • Alternation (|)
  • Concatenation
  • Repetition (, ?, , ?, ?, ??, {digit,digit}, {digit*,digit*}?, {digit })
  • Boundaries (\b, \B, ^, $)
  • Grouping ((, ))
  • Character classes (., \w, \W, \s, \S, \d, \D, [...], [^...])
  • Hex escapes (\xHH)
  • Normal escapes (\ any special character)
  • Anything else is a literal or illegal

Thanks!

CodePudding user response:

You can write the pattern with a grouping and alternation matching 5 characters checking for a digit on every position.

AX[BCD][EFG](\d[A-Z\d]{4}|[A-Z\d]\d[A-Z\d]{3}|[A-Z\d]{2}\d[A-Z\d]{2}|[A-Z\d]{3}\d[A-Z\d]|[A-Z\d]{4}\d)

If you don't want a partial match but match 9 characters in total, you can append anchors around the pattern:

^AX[BCD][EFG](\d[A-Z\d]{4}|[A-Z\d]\d[A-Z\d]{3}|[A-Z\d]{2}\d[A-Z\d]{2}|[A-Z\d]{3}\d[A-Z\d]|[A-Z\d]{4}\d)$

Regex demo

CodePudding user response:

If length is known to be correct (that is the regex doesn't need to assert length):

/AX[BCD][EFG][A-Z\d]*\d[A-Z\d]* 
  • Related