Question

Detecting Tautologies (e.g 1=1) in Chronicle YARA-L re.regex(Regex)/re.capture Limitations

  • December 24, 2025
  • 1 reply
  • 36 views

havox

Hi community,

I am working on YARA-L detection rules in Google Chronicle to identify suspicious self-equality assignments (tautologies) in SQL logs. These patterns, like "1=1" or "test=test", are often used in SQL injection attempts to bypass filters or force true evaluations.
Goal: Detect patterns where the left side of "=" exactly matches the right side, such as:
test=test
1=1
time=time
status = status
flag=flag
admin=admin
bypass=bypass
enabled=enabled
id=id
version=version
But not detect mismatches like:
1=2
a=B
(and similar non-tautologies)
Challenges in Chronicle:
I tried this regex:

([A-Za-z0-9'-]+)\s*=\s*\1

where I used \1 as a backreference, but unfortunately backreferences are not supported in YARA-L,
so re.regex cannot be used to directly check for equal values on both sides of "=".
Then I ran into a grouping issue: the Chronicle re.capture() function only returns the first match in the text, and it supports only 0 or 1 capture group. If the regex contains 0 capture groups, Chronicle returns the first full substring that matches the expression. If the regex contains 1 capture group, it returns only the first captured value from that match. Chronicle never scans beyond the first match and cannot return multiple matches. If the regex contains two or more capture groups, Chronicle throws a compiler error. Because Chronicle stops at the first match, SQL statements containing

' OR (0=1 AND 'false'='true') -- false contradictions first
OR EXISTS(SELECT * FROM users WHERE id=1)
OR (1=1 OR 'a'='a') -- true tautologies later
AND (SELECT COUNT(*) FROM information_schema.tables > 0)
--

multiple comparisons such as 0=1 followed later by 1=1 will only match the earliest = expression in the string, preventing Chronicle from detecting the later valid tautology even if it exists.

Finally, what I am looking for:

Backreferences: It's impossible to match "previous group equals current text" without backreferences in pure regex, which Chronicle doesn't support for this.
I have tried various regex patterns, but due to these constraints, I can't reliably detect true tautologies across the log.
Question: Is there any workaround or creative way to detect these tautologies using regex or re.capture in Chronicle YARA-L? Or are there alternative approaches within Chronicle for handling this? Any examples or rule snippets would be greatly appreciated!

1 reply

kentphelps
Staff
  • January 13, 2026

You might try creating a robust regex list of the top 20 tautologies (1=1, 0=0, true=true, 'a'='a', admin=admin, etc.) and then use re.regex (not re.capture) so it scans the whole string.

You may also want to take a look at the Google RE2 GitHub repository for some more help with this flavor of Regex.
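The enumeration approach from the reply, as an added example in Go (whose regexp package is RE2, the flavor Chronicle uses); this is not code from the thread or from Chronicle, and the token list and sample statement are constructed from the question. It generates the alternation from a token list instead of hand-writing it, shows RE2 rejecting the asker's `\1` pattern, and scans the sample statement whole so the later `1=1` and `'a'='a'` are found despite the earlier `0=1`.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed list of tokens whose self-comparison counts as a tautology.
var tautologyTokens = []string{"1", "0", "true", "false", "a", "admin", "test"}

// samplePayload is the asker's example statement, embedded here as test input.
const samplePayload = `' OR (0=1 AND 'false'='true') -- false contradictions first
OR EXISTS(SELECT * FROM users WHERE id=1)
OR (1=1 OR 'a'='a') -- true tautologies later
AND (SELECT COUNT(*) FROM information_schema.tables > 0)`

// BuildTautologyPattern expands each token into two RE2 alternatives, quoted
// ('t'='t') and bare (t=t), so equality of both sides is enumerated rather
// than expressed with a backreference. \b stops "11=1" matching the "1" entry.
func BuildTautologyPattern(tokens []string) string {
	alts := make([]string, 0, 2*len(tokens))
	for _, t := range tokens {
		q := regexp.QuoteMeta(t)
		alts = append(alts,
			fmt.Sprintf(`'%s'\s*=\s*'%s'`, q, q),
			fmt.Sprintf(`\b%s\b\s*=\s*\b%s\b`, q, q))
	}
	return strings.Join(alts, "|")
}

var tautologyRe = regexp.MustCompile(BuildTautologyPattern(tautologyTokens))

// ContainsTautology mirrors re.regex(): a whole-string scan yielding a boolean,
// so a later 1=1 is still found after an earlier 0=1.
func ContainsTautology(s string) bool { return tautologyRe.MatchString(s) }

// FindTautologies lists every match, which re.capture() (first match only) cannot do.
func FindTautologies(s string) []string { return tautologyRe.FindAllString(s, -1) }

// BackreferenceCompileError shows RE2 rejecting the asker's \1 pattern.
func BackreferenceCompileError() error {
	_, err := regexp.Compile(`([A-Za-z0-9'-]+)\s*=\s*\1`)
	return err
}

func main() {
	fmt.Println("backreference:", BackreferenceCompileError())
	fmt.Println("tautologies:", FindTautologies(samplePayload)) // [1=1 'a'='a']
	fmt.Println("1=2 flagged?", ContainsTautology("1=2"))      // false
}
```

Matching is exact-case, so "a=B" from the question is not flagged; any token absent from the list (e.g. "version=version") needs adding, which is the trade-off of enumeration.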