Wildcards on beginning and end really needed?
ruppde opened this issue · comments
Hello,
I wonder if the wildcards at the beginning and end of many strings are really needed, or whether the tools where they are used do a substring search anyway?
Because in YARA the .* don't make a difference, but they affect performance and memory usage:
$string1 = /.*Backdoor\.ASP\.FUZZSHELL\.A.*/ nocase ascii wide
Also, in some strings there's a .* at the beginning and none at the end, which won't make a difference for YARA. If the distinction is needed, then maybe use \b to search for word boundaries, or use the fullword search modifier.
regards
arnim
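To make the point above concrete, here is an added example (not part of the issue or of the ThreatHunting-Keywords project) that compares the wildcard form, the plain keyword, and a word-boundary variant over a few constructed log lines. It uses Python's `re.search`, which, like a YARA regex string, is unanchored and searches for the pattern anywhere in the input; `strip_edge_wildcards` is a hypothetical helper for the clean-up described in the issue.

```python
import re

# The keyword from the issue; the three patterns differ only in their edges.
KEYWORD = r"Backdoor\.ASP\.FUZZSHELL\.A"
PATTERNS = {
    "wildcards": re.compile(r".*" + KEYWORD + r".*", re.IGNORECASE),  # as in the repo
    "plain":     re.compile(KEYWORD, re.IGNORECASE),                  # edges dropped
    "fullword":  re.compile(r"\b" + KEYWORD + r"\b", re.IGNORECASE),  # \b instead of .*
}

# Constructed sample lines (not real logs): two hits in different case,
# a longer variant name sharing the prefix, and an unrelated line.
SAMPLE_LINES = [
    "2024-01-01 av: detected Backdoor.ASP.FUZZSHELL.A in /var/www/upload.asp",
    "alert backdoor.asp.fuzzshell.a quarantined",
    "info: Backdoor.ASP.FUZZSHELL.AB signature update",
    "info: nothing to see here",
]


def matching_lines(name, lines=SAMPLE_LINES):
    """Indices of lines matched by the named pattern under substring search."""
    return [i for i, line in enumerate(lines) if PATTERNS[name].search(line)]


def match_span_length(name, line):
    """Length of the text the engine consumes for the match (None if no match).

    With leading/trailing .* the match swallows the whole line, which is extra
    work for the engine without changing which lines match.
    """
    m = PATTERNS[name].search(line)
    return None if m is None else len(m.group(0))


def strip_edge_wildcards(regex):
    """Hypothetical clean-up: drop a leading and an unescaped trailing '.*'."""
    regex = re.sub(r"^\.\*", "", regex)
    return re.sub(r"(?<!\\)\.\*$", "", regex)


if __name__ == "__main__":
    for name in PATTERNS:
        print(name, "matches lines", matching_lines(name))
    print("wildcards span:", match_span_length("wildcards", SAMPLE_LINES[0]))
    print("plain span:    ", match_span_length("plain", SAMPLE_LINES[0]))
    print("cleaned:", strip_edge_wildcards(r".*Backdoor\.ASP\.FUZZSHELL\.A.*"))
```

The wildcard and plain forms match exactly the same lines, whereas the `\b` form rejects the longer `...FUZZSHELL.AB` name, which is the distinction the `fullword` modifier would give you in YARA.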
@ruppde yes, for the YARA lists; your PR has been merged, thanks :) However, we need to retain the wildcards in this project to ensure matching on raw logs and specific SIEM fields. I'll close this issue; resolved here for hunting with YARA: mthcht/ThreatHunting-Keywords-yara-rules#2
Ok, fixed it with mthcht/ThreatHunting-Keywords-yara-rules#3