
Matching Simple IP addresses in YARA using Hexadecimal Strings


I am trying to write YARA rules to match simple IP Addresses (eg: 127.0.0.1 or 192.168.1.1). I understand that I can do it using Regular Expressions based on this open-source Github example.

However, the YARA performance guidelines recommend avoiding Regular Expressions whenever possible and using Hexadecimal Jumps/Wildcard matching instead, as stated in this Github Readme. I am using it on a large number of examples, so I was keeping performance in mind.

I was wondering, does YARA need to get the IP in a hex format, or can I directly match it in the normal IP format (x.x.x.x)?

I was trying something like:

rule url_localhost
{
    strings:
        $hex_test = { [1-3] 2E [1-3] 2E [1-3] 2E [1-3] ?? ?? }
    condition:
        any of them
}

My logic was something like 3 numbers to start, then a dot (2E in ASCII), and repeating the same, and having wildcards in the end for a potential 'path' in the IP address (eg: 127.0.0.1/p)

It does not seem to directly work. Is this kind of use-case possible, or is Regex the only way to approach this?


Solution

  • I am not sure why, but it seems you cannot start or end your hex string with a jump ([]).

    I got this to work:

    rule url_localhost
    {
        strings:
            $hex_test = { ?? [0-2] 2E [1-3] 2E [1-3] 2E }
        condition:
            $hex_test
    }


    However, I still get a warning that the rule is slowing down the scan. I have not done any testing of this method vs. regex, but I would think they are doing pretty much the same under the hood.
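    A related rule as an added example (not code from the question or the answer), written for an assumed YARA 4.x: it keeps every jump between fixed bytes and uses the nibble wildcard `3?` so each octet must begin with a byte in the 0x30-0x3F range, which narrows the match compared with `??`, and puts the regex form of the same shape beside it for comparison:

```yara
// Added example rule; not from the question or the answer above.
// Assumes YARA 4.x (hex jumps, nibble wildcards and "any of them" are standard features).
rule ipv4_dotted_quad_hex
{
    meta:
        description = "Approximate dotted-quad IPv4 match with a hex string instead of a regex"

    strings:
        // 3? matches any byte 0x30-0x3F: the ASCII digits 0-9 plus ':' ';' '<' '=' '>' '?'.
        // Every jump [0-2] sits between fixed bytes, so the string neither starts nor
        // ends with a jump (YARA rejects both). Bytes covered by a jump are unconstrained,
        // so "1ab.2cd.3ef.4" also matches; this trades precision for scan speed.
        $ip_hex = { 3? [0-2] 2E 3? [0-2] 2E 3? [0-2] 2E 3? }

        // Regex form of the same shape, kept only for side-by-side comparison.
        // Neither pattern validates octet ranges (999.999.999.999 matches both).
        $ip_re = /[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/

    condition:
        // Both strings are referenced, so the compiler raises no unreferenced-string error.
        any of them
}
```

    Running `yara -s ipv4.yar sample.txt` prints each matching string with its offset, so the extra hits that `$ip_hex` produces but `$ip_re` does not are visible directly.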