mthcht / ThreatHunting-Keywords

Awesome list of keywords and artifacts for Threat Hunting sessions

Home Page: https://mthcht.github.io/ThreatHunting-Keywords/


Wildcards on beginning and end really needed?

ruppde opened this issue

Hello,

I wonder if the wildcards at the beginning and end of many strings are really needed, or whether the tools where they are used do a substring search anyway?

Because in YARA the `.*` don't make a difference, but they affect performance and memory usage:

```yara
$string1 = /.*Backdoor\.ASP\.FUZZSHELL\.A.*/ nocase ascii wide
```

Also in some strings there's a `.*` at the beginning and none at the end, which won't make a difference for YARA. If the distinction is needed, then maybe use `\b` to search for word boundaries, or use the `fullword` search modifier.

regards
arnim

@ruppde Yes, for the YARA lists; your PR has been merged, thanks :) However, we need to retain the wildcards in this project to ensure matching on raw logs and specific SIEM fields. I'll close this issue; resolved here for hunting with YARA: mthcht/ThreatHunting-Keywords-yara-rules#2
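The two points above (the outer `.*` is redundant in YARA, and a keyword with a wildcard on only one side should keep that distinction via `\b`; the `*` entries themselves stay untouched for raw-log and SIEM substring matching) as an added example that is not part of the issue, the keyword lists, or the project's own YARA converter. It is a small Python helper that reads entries in the lists' `*`-wildcard style, drops the leading/trailing wildcard when emitting a YARA regex, and puts a `\b` where an entry had no wildcard, then checks the stripped form against the `.*`-wrapped form on constructed log lines. The sample keywords and log lines are constructed for the demo, and the set of characters escaped inside a YARA `/regex/` is an assumption.

```python
import re

# Constructed keyword entries in the lists' "*"-wildcard style (assumption: a
# leading/trailing "*" means "any prefix/suffix", as in the project's CSV lists).
SAMPLE_KEYWORDS = [
    "*Backdoor.ASP.FUZZSHELL.A*",
    "*sekurlsa::logonpasswords*",
    "Invoke-Mimikatz*",
    "*mimikatz.exe",
]

# Constructed log lines, not real telemetry. Lines 2 and 4 exist only to show
# where a word boundary changes the verdict.
SAMPLE_LOGS = [
    "AV alert: Backdoor.ASP.FUZZSHELL.A detected in C:\\inetpub\\wwwroot\\x.aspx",  # 0
    "powershell.exe -c Invoke-Mimikatz -DumpCreds",                                   # 1
    "powershell.exe -c MyInvoke-Mimikatz -DumpCreds",                                 # 2
    "Process create: C:\\tools\\mimikatz.exe",                                        # 3
    "Process create: C:\\tools\\mimikatz.exe_old",                                    # 4
    "privilege::debug sekurlsa::logonpasswords",                                      # 5
]

# Characters assumed to need a backslash inside a YARA /.../ regex string.
_YARA_META = set(r"\/.^$|?*+()[]{}")


def escape_yara_literal(text: str) -> str:
    """Backslash-escape regex metacharacters so the keyword is matched literally."""
    return "".join("\\" + c if c in _YARA_META else c for c in text)


def _escaped_core(keyword: str) -> str:
    """Escape the keyword body; an interior '*' becomes a real '.*' wildcard."""
    return ".*".join(escape_yara_literal(p) for p in keyword.strip("*").split("*"))


def glob_to_yara_regex(keyword: str) -> str:
    """Regex body for a YARA rule: no outer .* (YARA is unanchored anyway),
    and a \\b wherever the list entry had no wildcard on that side."""
    body = _escaped_core(keyword)
    if not keyword.startswith("*"):
        body = r"\b" + body
    if not keyword.endswith("*"):
        body = body + r"\b"
    return body


def wrapped_form(keyword: str) -> str:
    """The redundant form from the issue: every keyword wrapped in .* ... .*"""
    return ".*" + _escaped_core(keyword) + ".*"


def match_indexes(regex_body: str, lines=SAMPLE_LOGS):
    """Indexes of lines the regex body hits (case-insensitive, like `nocase`)."""
    pat = re.compile(regex_body, re.IGNORECASE)
    return [i for i, line in enumerate(lines) if pat.search(line)]


def compare_forms(keyword: str, lines=SAMPLE_LOGS):
    """(stripped regex, hits of stripped form, hits of .*-wrapped form).
    The two hit lists agree unless a \\b was emitted, which is the whole point."""
    stripped = glob_to_yara_regex(keyword)
    return stripped, match_indexes(stripped, lines), match_indexes(wrapped_form(keyword), lines)


def to_yara_rule(name: str, keywords) -> str:
    """Render the stripped regexes as a YARA rule with the modifiers the lists use."""
    strings = "\n".join(
        f"        $s{i} = /{glob_to_yara_regex(k)}/ nocase ascii wide"
        for i, k in enumerate(keywords)
    )
    return f"rule {name}\n{{\n    strings:\n{strings}\n    condition:\n        any of them\n}}"


if __name__ == "__main__":
    for kw in SAMPLE_KEYWORDS:
        regex, stripped_hits, wrapped_hits = compare_forms(kw)
        flag = "" if stripped_hits == wrapped_hits else "   <-- \\b changed the verdict"
        print(f"{kw:32} /{regex}/  stripped={stripped_hits} wrapped={wrapped_hits}{flag}")
    print(to_yara_rule("th_keywords_demo", SAMPLE_KEYWORDS))
```

Entries wrapped in `*` on both sides give identical hits with or without the outer `.*`, which is why dropping it costs nothing in YARA. For `Invoke-Mimikatz*` and `*mimikatz.exe` the `\b` form stops matching `MyInvoke-Mimikatz` and `mimikatz.exe_old`, so whether that boundary is wanted is a decision to make per list, not something the old `.*` was enforcing. The same `*` entries can still be fed unchanged to a SIEM wildcard search, where the leading and trailing `*` do carry meaning.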