Skip to main content

Got this error when writing a YARA-L detection rule in the Chronicle editor

  • June 4, 2023
  • 7 replies
  • 63 views
A
Forum|alt.badge.img+5

Hi all,
I was writing a YARA-L detection rule in the Chronicle editor and I need to match the string "C:\\Program Files" with a regex. So I wrote:
re.regex($selection.src.process.file.full_path, `C:\\Program Files `)
But the editor rise this error:
parsing: invalid regex pattern: C:\\Program Files: error parsing regexp: invalid character class range: `\\Pr` The error disappear if I escape the backslash character.
Someone knows the reason? Since I'm using back quotes shouldn't I be able to not escape the backslash as said in the reference at this link: https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#string_and_regex_literals

7 replies

B
Forum|alt.badge.img+1
  • Brav0nov
  • New Member
  • June 4, 2023

However, there may be something to do with this being a special character class \\P is used for catching non-unicode characters https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Regular_expressions/Unicode_character_class_escape

A
Forum|alt.badge.img+5
  • Antonino_La2
  • Author
  • New Member
  • June 4, 2023

Mhhh ok but as per documentation everything that is between back quotes should be interpreted literally.. In the link I provided thr documentation says: "Back quotes (`) — Use to interpret all characters literally.
For example: `hello\\tworld` —\\t is not interpreted as a tab"
What if I want to match that path? Already tested that if I add another backslash as escape the regex will search for "C:\\\\Program Files"

B
Forum|alt.badge.img+1
  • Brav0nov
  • New Member
  • June 4, 2023

I think think it still needs to be raw regex for it to work. Regex requires the backslash to be escaped. So `C:\\\\Program...` would be the equivalent to C:\\\\\\\\Program... in YARA-L

D
Forum|alt.badge.img+3
  • Daniel_Love
  • New Member
  • June 4, 2023

iirc, you have to escape the backslash. Here is an example.

D
Forum|alt.badge.img+3
  • Daniel_Love
  • New Member
  • June 4, 2023

https://github.com/chronicle/detection-rules/blob/main/suspicious/access_to_windows_setup_files.yaral

Chris_B
Forum|alt.badge.img+8
  • Chris_BSilver 2
  • Silver 2
  • June 4, 2023

think of regex as meaning every time there are quotes regex is on.
Just wait til your string of interest includes quotation mark chracters

A
Forum|alt.badge.img+5
  • Antonino_La2
  • Author
  • New Member
  • June 4, 2023

Hi, I'm late in the response. Are you guys saying that the example at this link https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#string_and_regex_literals is not valid? Because it says literally that backquotes are used to interpret all characters literally, including the backslash.

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.