Max String Modifier

Open xorhex opened this issue 4 years ago • 0 comments

I've a case where I only want to find the first instance of $; however, when $ is { 00 } it will have too many hits and slow down scanning. Is there something like a modifier that would limit the number of matches found when parsing the file? Thinking something like:

rule test{
  strings:
     $null = { 00 } max(1)
  condition:
    .
    .
}

Thus I can still use @test as an anchor AND keep YARA happy

xorhex, Nov 25 '21 14:11