yara
yara-rule: 2 of(IDENTIFIER)
It will be great to be able to do the following with yara modules:
2 of (pe.exports("myex1"), pe.exports("myex2"), pe.exports("myex3"), pe.exports("myex4"))
Currently Yara only does this with string identifiers.
Thanks in advance!
Since 4.1.0, this can be done with the help of math.to_number:
math.to_number(pe.exports("myex1")) +
math.to_number(pe.exports("myex2")) +
math.to_number(pe.exports("myex3")) +
math.to_number(pe.exports("myex4")) >= 2
Be aware though that boolean and numeric operators behave differently with regard to undefined values. Example:
The rule filesize == 0 or pe.is_pe works as expected – it matches empty files and PE files: if the file is empty, filesize == 0 is true, pe.is_pe is undefined → true or undefined is true. 😊
The rule math.to_number(filesize == 0) + math.to_number(pe.is_pe) > 0 looks like it should match the same files (at least one of the conditions must be true, which is equivalent to logical OR), but it doesn't: if the file is empty, filesize == 0 is true, but pe.is_pe is undefined → math.to_number(filesize == 0) is 1, math.to_number(pe.is_pe) is undefined → 1 + undefined is undefined → undefined > 0 is undefined → the rule doesn't match. 😕
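An added example, not part of the issue thread: a YARA ruleset that shows the math.to_number counting trick for module booleans and the undefined-value pitfall from the reply above, with one way to keep the sum defined. It assumes YARA 4.2.0 or later for the `defined` operator; the export names are placeholders.

```yara
import "pe"
import "math"

// Matches when at least two of the listed exports are present. pe.exports()
// returns a boolean, math.to_number() turns it into 0/1 so the results can be
// summed and compared (YARA >= 4.1.0). Export names myex1..myex4 are placeholders.
rule two_of_listed_exports
{
    condition:
        math.to_number(pe.exports("myex1")) +
        math.to_number(pe.exports("myex2")) +
        math.to_number(pe.exports("myex3")) +
        math.to_number(pe.exports("myex4")) >= 2
}

// The pitfall: for an empty (non-PE) file pe.is_pe is undefined, arithmetic
// on undefined is undefined, and an undefined comparison never matches, so
// this rule does NOT match empty files even though the OR-style intent says
// it should.
rule empty_or_pe_broken
{
    condition:
        math.to_number(filesize == 0) + math.to_number(pe.is_pe) > 0
}

// Fix: normalise the possibly-undefined term to a real boolean before it
// reaches math.to_number. `defined` (YARA >= 4.2.0) is false when pe.is_pe is
// undefined, and `false and ...` short-circuits to false, so the sum is 1 + 0
// for an empty file and the rule matches as intended.
rule empty_or_pe_fixed
{
    condition:
        math.to_number(filesize == 0) +
        math.to_number(defined pe.is_pe and pe.is_pe) > 0
}
```

Running `yara` with this file against an empty file fires only `empty_or_pe_fixed`, which is the quickest way to see the difference between the two OR-style rules.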