Superrule generation logic #22
Comments
|
No. Everything works as expected. |
|
Thanks,
Yep, I see that. But I can't stop wondering the semantics. What I wanted
to point out is that the same parameter is used for single and super rules
in the same run. Therefore, if I apply yaraGen over 10 samples and get,
let's say, 10 simple rules with 12 strings each, I don't expect the super
rule to have 12 strings minimum. I'd be more than happy to have a super
rule with, let's say, 9 common strings for all samples, no? At least as an
alternative to nothing.
El mié., 17 jul. 2019 a las 12:54, Florian Roth (<notifications@github.com>)
escribió:
… No. Everything works as expected.
As super rule is only generated if a minimum number of strings can be
found in all samples.
That minimum number of strings is the "-rc" parameter.
So, if yarGen is ordered to extract 40 strings from a file and include
them in a rule with "-rc 40", it requires 40 strings that can be found in
all samples to create a rule for these samples.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#22?email_source=notifications&email_token=AMULO6AS72H6VKOWWFRV2QLP7327LA5CNFSM4IEOVS7KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD2D2DGQ#issuecomment-512205210>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AMULO6BMZHWYZOLFMVR2CLTP7327LANCNFSM4IEOVS7A>
.
|
|
I've changed that behaviour in the latest commit. We have to test that behaviour now. I am not sure that this doesn't have any side effects. |
# for free
to join this conversation on GitHub.
Already have an account?
# to comment
Hi,
Is it possible that the super-rule generation condition is inverted?
Inspecting the code, there's a condition that practically (unless there're at least 20 rules by default) stops the code from generating a super-rule (...if len(combinations[combi]["strings"]) >= int(args.rc):..).
Inverting the condition, allows the script to generate super-rules. It seems to me that args.rc, as described by the documentation shouldn't be playing that role in that condition.
I do agree that simply inverting the condition, might be a simplistic approach and that, of course, I just landed in the code and did not try it throughly, and will be more likely missing sth.
But reality is that the script does not generate super-rules even in cases where it should (I don't expect a super-rule covering dozens of (similar) samples to have more than 20 rules).
And as I stated before, it seems args.rc is being used with two different meanings (maximum number of strings for simple rules, (sort of a) minimum for super-rules.
Pls, forget me if I made a basic mistake (I'm not proficient in Python).
Thanks in advance for your help.
The text was updated successfully, but these errors were encountered: