Yara one rule against multiple files

Question

I'm using Yara to detect multiple strings in multiple files for example:

File A : toto
File B : titi
Both file are in a directory repo

Yara rule (test.yar) :

rule test
{
strings:
$ = "toto"
$ = "titi"
condition:
all of them
}

And i run the commnand line :

yara test.yar -r repo/

But this rule will never match.
How can i do ?

PS : I can't merge the two file into one.

Thanks.

score 0 · Answer 1 · answered Apr 22 '22 at 11:26

The condition field is set to all of them which means that the files will match, only if they have the string toto AND the string titi.

Based on your question, you are looking for the condition any of them, which will match if titi OR toto is in the file.

1 Answers1