re.regex
You can define regular expression matching in YARA-L 2.0 using either of the following syntaxes:
Using YARA-L syntax — Related to events. The following is a generic representation of this syntax:
$e.field = /regex/
Using YARA-L syntax — As a function taking in the following parameters:
- Field the regular expression is applied to.
- Regular expression specified as a string.
The following is a generic representation of this syntax:
re.regex($e.field, `regex`)
Description
This function returns true if the string contains a substring that matches the regular expression provided. It is unnecessary to add .* to the beginning or at the end of the regular expression.
Notes
- To match the exact string or only a prefix or suffix, include the ^ (starting) and $ (ending) anchor characters in the regular expression. For example, /^full$/ matches "full" exactly, while /full/ could match "fullest", "lawfull", and "joyfully".
- If the UDM field includes newline characters, the regexp only matches the first line of the UDM field. To enforce full UDM field matching, add a (?s) to the regular expression. For example, replace /.*allUDM.*/ with /(?s).*allUDM.*/.
- You can use the nocase modifier after strings to indicate that the search should ignore capitalization.
Param data types
STRING, STRING
Param expression types
ANY, ANY
Return type
BOOL
Code samples
Example 1
// Equivalent to $e.principal.hostname = /google/
re.regex($e.principal.hostname, "google")
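The following rule is an added example, not one of the reference page's own samples, showing the three Notes above (anchors, (?s) for multi-line fields, and nocase) inside a complete YARA-L 2.0 detection rule. The rule name, the "-encodedcommand" marker, the "build01" hostname and the 10m window are illustrative choices; the UDM fields are standard ones ($e.metadata.event_type, $e.principal.hostname, $e.target.process.command_line, $e.metadata.id).

```yara-l
rule re_regex_notes_example {
  meta:
    author = "Added example, not part of the re.regex reference page"
    description = "Process launches whose full multi-line command line contains a marker, excluding one exact host"
    severity = "LOW"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $host = $e.principal.hostname

    // Without (?s) only the first line of a multi-line command line is inspected,
    // so a marker on a later line would be missed. nocase ignores capitalization.
    // "-encodedcommand" is an illustrative marker chosen for this example.
    re.regex($e.target.process.command_line, `(?s).*-encodedcommand.*`) nocase

    // Anchored exact match: excludes only the host named exactly "build01".
    // Unanchored `build01` would also exclude "build01-test" and "prebuild01".
    not re.regex($e.principal.hostname, `^build01$`)

  match:
    $host over 10m

  outcome:
    $launch_count = count($e.metadata.id)

  condition:
    $e
}
```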