This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Got this error when writing a YARA-L detection rule in the Chronicle editor

Posted on 06-04-2023 04:56 AM
Antonino_La2
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi all,
I was writing a YARA-L detection rule in the Chronicle editor and I need to match the string "C:\Program Files" with a regex. So I wrote:
re.regex($selection.src.process.file.full_path, `C:\Program Files `)
But the editor rise this error:
parsing: invalid regex pattern: C:\Program Files: error parsing regexp: invalid character class range: `\Pr` The error disappear if I escape the backslash character.
Someone knows the reason? Since I'm using back quotes shouldn't I be able to not escape the backslash as said in the reference at this link: https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#string_and_regex_literals

0 7 366
Topic Labels
0 Likes
7 REPLIES 7

Posted on --/--/---- --:-- AM
Brav0nov
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

However, there may be something to do with this being a special character class \P is used for catching non-unicode characters https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Unicode_charac...

0 Likes

Posted on --/--/---- --:-- AM
Antonino_La2
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Mhhh ok but as per documentation everything that is between back quotes should be interpreted literally.. In the link I provided thr documentation says: "Back quotes (`) โ€” Use to interpret all characters literally.
For example: `hello\tworld` โ€”\t is not interpreted as a tab"
What if I want to match that path? Already tested that if I add another backslash as escape the regex will search for "C:\\Program Files"

0 Likes

Posted on --/--/---- --:-- AM
Brav0nov
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I think think it still needs to be raw regex for it to work. Regex requires the backslash to be escaped. So `C:\\Program...` would be the equivalent to C:\\\\Program... in YARA-L

0 Likes

Posted on --/--/---- --:-- AM
Daniel_Love
New Member
Reply posted on --/--/---- --:-- AM

iirc, you have to escape the backslash. Here is an example.

0 Likes

Posted on --/--/---- --:-- AM
Daniel_Love
New Member
Reply posted on --/--/---- --:-- AM

https://github.com/chronicle/detection-rules/blob/main/suspicious/access_to_windows_setup_files.yara...

0 Likes

Posted on --/--/---- --:-- AM
Chris_B
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

think of regex as meaning every time there are quotes regex is on.
Just wait til your string of interest includes quotation mark chracters

0 Likes

Posted on --/--/---- --:-- AM
Antonino_La2
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi, I'm late in the response. Are you guys saying that the example at this link https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#string_and_regex_literals is not valid? Because it says literally that backquotes are used to interpret all characters literally, including the backslash.

0 Likes
Top Solution Authors
View all