I am trying to include non-ASCII characters within a YARA rule.

First in the YARA rule name, and also in a string used for the condition of the rule.

In both cases I am getting the error "non-ascii character" when testing the rule. So it seems non-ASCII characters are not supported in YARA?

rule i18n_KatakanaTest_string_specific_ アイルランド: i18n test アイルランドTest
{
    meta:
        description = "This is an i18n example for the アイルランド exe"
        thread_level = 3
        in_the_wild = false
        weight = 100

    strings:
        $stringa = "アイルランド"


    condition:
        $stringa
}

The rule is saved as fe-JAP

To verify the rule:

C:\Tools\yara-3.4.0-win64>yara64.exe fe_JAP ASCIItest_file.exe

returns:

fe_JA (1):error: non-ascii character
fe_JA (1):error: syntax error, unexpected $end, expecting '{'
Kara

Yes, it would seem so. Scanned the docs, and I couldn't tell otherwise. Put an issue up on https://github.com/plusvic/yara/issues – Laurentiu L. Oct 09 '15 at 09:40

1 Answer

You're right. YARA doesn't support non-ASCII characters in either rule names or strings. If you want to search for strings in Japanese, you could search for them in binary form. Of course, in order to do that you must know the raw bytes of your string after it has been encoded.
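
The byte-level approach described in the answer, as an added example that is not part of the original answer: it encodes the string under several encodings and emits an ASCII-only rule with one YARA hex string per encoding. The rule name, the function names and the list of encodings are assumptions made for illustration.

```python
# Added example: build an ASCII-only YARA rule that matches a non-ASCII
# string by its encoded bytes. Names and encoding list are assumptions.
import re

# Encodings in which a Japanese string may be stored in a file (assumed set).
ENCODINGS = ("utf-8", "utf-16-le", "shift_jis", "euc_jp")


def to_hex_string(text, encoding):
    """Return a YARA hex string for `text` in `encoding`, e.g. '{ E3 82 A2 }'."""
    raw = text.encode(encoding)  # UnicodeEncodeError if not representable
    return "{ " + " ".join(f"{b:02X}" for b in raw) + " }"


def build_rule(rule_name, text, encodings=ENCODINGS):
    """Build rule text that contains only ASCII, one hex string per encoding."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", rule_name):
        raise ValueError("rule name must be an ASCII identifier")
    patterns = {}
    for enc in encodings:
        try:
            pattern = to_hex_string(text, enc)
        except UnicodeEncodeError:
            continue  # the string cannot be written in this encoding
        patterns.setdefault(pattern, enc)  # drop duplicate byte sequences
    if not patterns:
        raise ValueError("text could not be encoded with any given encoding")
    lines = [f"rule {rule_name}", "{", "    strings:"]
    for pattern, enc in patterns.items():
        ident = re.sub(r"[^A-Za-z0-9]", "_", enc)  # utf-16-le -> utf_16_le
        lines.append(f"        $s_{ident} = {pattern}")
    lines += ["", "    condition:", "        any of them", "}"]
    rule = "\n".join(lines) + "\n"
    rule.encode("ascii")  # fails loudly if anything non-ASCII slipped in
    return rule


if __name__ == "__main__":
    # The string from the question; the rule name is kept ASCII-only.
    print(build_rule("i18n_KatakanaTest", "アイルランド"))
```

Which encoding a given sample uses depends on how it was built, so the rule matches on any of them.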